Gaming
Cybercriminals using stolen credentials, phishing and malware-directed attacks have identified the gaming sector as a low-risk venture with high profit turnouts.
The move from traditional consoles attached to your television to online gaming marks a massive step in the evolution of the gaming industry. The importance of cybersecurity in the gaming industry is not a new revelation. With large troves of sensitive consumer financial data and more cash transactions per minute than some of the world’s largest banks, today’s gaming and casino institutions are ideal targets for cybercriminals seeking hefty payouts.
With the massive data breaches reported during the last couple of years, credential stuffing attacks have been on the rise. Given the low success rates of these attacks, threat actors are finding this a lucrative area with the help of bot technologies. These attacks work on the assumption that a user at breached site A is likely to have the same password for their account on site B.
Attackers are finding personally identifiable information (PII) and credit card information equally lucrative, along with game credits for in-game exchanges. For organised cybercrime groups, all personally identifiable data and credit card information is, after all, a valuable underground market commodity.
Cyber threats will only grow with technological advancements in this sector.
Gaming businesses and regulatory authorities should look towards lessons from other sectors such as the financial sector. Providing a safe gaming environment goes beyond the immersive gaming experience. The advancement of innovative products and immersive gaming experiences, together with the sharing of services and platforms, are some of the factors adding to the complexity of the threat landscape.
Akamai's Security Web Attacks and Gaming Abuse report highlighted information related to gaming industry issues observed over about 17 months. The attacks highlighted in this report relate to more than 2/3 of the basic top ten web application security issues, such as SQL Injection and Local File Inclusion attacks. This highlights the lack of basic cyber hygiene and the rush to go-live releases. Key challenges faced by the gaming sector include:
Without deep-dive (technical) risk assessments, there is no visibility of affected assets and the exposed attack surface inside and outside your environment.
A supply chain is a chain of dependencies in goods or services. Supply chain compromise is the manipulation of products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. A supply chain can be compromised in various ways, for example, through the exploitation of third-party data stores or software providers.
Ransomware has quickly become one of the most dangerous cybercrime threats organisations are facing. Over the past two years, the number of organizations being hit with targeted ransomware attacks has multiplied as the number of gangs carrying out these attacks has proliferated. Paying the ransom does not guarantee that you will get access to your data, and threat actors may assume that you would be open to paying ransoms in the future.
The loss of client information can have a devastating impact on a sector that has confidentiality at the heart of its business. Firms storing sensitive information, third-party data and transactional records are likely to be at a higher risk of data breach than a local high street firm. There is therefore no doubt that secure information storage and processing practices would help minimise the attack surface.
Since 2017/18, due to massive breaches, credential stuffing attacks have been the most prevalent form of attack used against sectors with large online consumer bases, such as gaming, gambling, financial and retail. Although the success rate of credential-stuffing attacks is very low, successful logins are an easy gateway into opportunities for malicious actors.
Secure SDLC involves an overall security methodology embedded at various stages of software development. Organisations should be aware of threat modelling, common pitfalls and vulnerabilities such as the OWASP Top 10, secure code reviews, and security baselines for deployment and DevOps (DevSecOps).
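The credential stuffing pattern described above (many accounts tried from one source, a very low success rate, and the few successful logins being the real damage) can be detected from login logs. The following is an added example, not code from the original page; the event format, thresholds and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events: (ISO timestamp, source IP, username, success).
# One source sprays 40 accounts in 40 seconds with a single hit; the others are normal users.
SAMPLE_EVENTS = (
    [(f"2024-01-01T10:00:{i:02d}", "203.0.113.7", f"user{i}", i == 17) for i in range(40)]
    + [
        ("2024-01-01T10:00:05", "198.51.100.9", "alice", False),  # mistyped password
        ("2024-01-01T10:00:20", "198.51.100.9", "alice", False),
        ("2024-01-01T10:00:41", "198.51.100.9", "alice", True),
        ("2024-01-01T10:01:02", "192.0.2.33", "bob", True),
    ]
)

def detect_stuffing(events, window=timedelta(minutes=5), min_users=20, max_success_rate=0.1):
    """Flag sources that try many distinct accounts within one window with few successes.

    Returns {source_ip: {attempts, distinct_users, success_rate, accounts_to_reset}}.
    Thresholds are illustrative assumptions and need tuning against real traffic.
    """
    by_source = defaultdict(list)
    for ts, ip, user, ok in events:
        by_source[ip].append((datetime.fromisoformat(ts), user, ok))

    flagged = {}
    for ip, rows in by_source.items():
        rows.sort(key=lambda r: r[0])
        start = 0
        for end in range(len(rows)):
            # Advance the window start so rows[start..end] span at most `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            users = {u for _, u, _ in span}
            rate = sum(1 for _, _, ok in span if ok) / len(span)
            widest = flagged.get(ip, {}).get("attempts", 0)
            if len(users) >= min_users and rate <= max_success_rate and len(span) > widest:
                flagged[ip] = {
                    "attempts": len(span),
                    "distinct_users": len(users),
                    "success_rate": rate,
                    # Successful logins from a flagged source are likely reused passwords.
                    "accounts_to_reset": sorted({u for _, u, ok in span if ok}),
                }
    return flagged
```

Grouping by source IP is a simplification: bot traffic spread across many addresses needs the same ratio computed over other keys, such as device fingerprint or ASN.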
This section refers to specific project-based experience in this sector. Our experience stems from working for gaming providers and the platforms assessed.
Hackers have targeted the gaming industry by carrying out 12 billion credential stuffing attacks against gaming websites within the 17-month period analyzed in the report. This puts the gaming community among the fastest rising targets for credential stuffing attacks and one of the most lucrative targets for criminals looking to make a quick profit.
Asian game developers again targeted in supply-chain attacks distributing malware in legitimately signed software. This is not the first time the gaming industry has been targeted by attackers who compromise game developers, insert backdoors into a game’s build environment, and then have their malware distributed as legitimate software.