Video game industry faced wave of cyberattacks during COVID pandemic: report

Cyberattackers put usernames and passwords up for sale for 'as little as $5' in 2020

Cyberattack traffic targeting the video game industry skyrocketed during the COVID-19 pandemic. 

Video gaming was struck by more than 240 million web application attacks in 2020, a 340% increase over 2019, according to Akamai’s new State of the Internet / Security report.

"Criminals are relentless," said Steve Ragan, Akamai security researcher and author of the report, in a statement sent to FOX Business.  

GET FOX BUSINESS ON THE GO BY CLICKING HERE

The global gaming market is expected to hit $175 billion in 2021, according to analytics firm Newzoo.

So-called "phishing kits" – where fraudulent messages masquerade as coming from trusted entities such as banks – were a popular way to steal player email addresses, passwords, login details, and geolocation information which were then sold on criminal markets. 

"We’re observing a remarkable persistence in video game industry defenses being tested on a daily – and often hourly – basis by criminals probing for vulnerabilities through which to breach servers and expose information," Ragan said.

"Credential stuffing" attacks, which automate login requests using stolen passwords from past breaches, took place at a rate of millions per day, with two days seeing spikes of more than 100 million, the report said. 

Credential stuffing attacks were so common in 2020 that large lists of stolen usernames and passwords were available for as little as $5 on illicit websites, according to Akamai.

Medium shot of a boy playing with a first-person shooter video game

ELECTRONIC ARTS DISCLOSES HACK OF ‘FIFA 21’ SOURCE CODE

Gamers who reuse passwords or use simple passwords make credential stuffing an effective tool for criminals, according to Ragan. 

"A successful attack against one account can compromise any other account where the same username and password combination is being used," he said, adding that password managers and multi-factor authentication can eliminate these types of attacks. 

Group chats that share attack techniques have also appeared on social networks, Ragan said.

The report cited group chats on Discord, a popular social platform, dedicated to SQL Injection (SQLi), Local File Inclusion (LFI), and other web application attack techniques, tools, and "best" practices. 

SQLi – the most widely used for attacks -- can yield login credentials, personal information, or anything else that is stored in an exposed database.

The criminals pushing SQLi and LFI attacks tend to automate their efforts, the report said.

"They are looking for opportunistic situations, where a new app, API [application programming interface], or account function wasn’t properly hardened and [therefore was] exposed," according to the report.

CLICK HERE TO READ MORE ON FOX BUSINESS

Mobile games and web-based games are big targets for LFI and SQLi attacks because criminals believe that those platforms are not as well defended as their desktop and console counterparts, Akamai said.

The gaming industry in the U.S. was the biggest target with 242 million attacks, Asia was a distant second with 2.2 million attacks.