Gaming Industry Experiences 340% Spike in Web App Attacks

Web application attacks targeting the video game industry grew by a higher rate than any other sector during the COVID-19 pandemic, according to a new report by Akamai.

The Gaming in a Pandemic found that attacks of this nature surged by 340% in 2020 compared to 2019, totaling more than 240 million attempts against the video game industry.

The most prominent web application attack vector was SQL injection, making up 59% of all attacks against the gaming sector. This method targets the login credentials and personal information of players. This was followed by local file inclusion, which comprised 24% of all attacks;. This method focuses on sensitive details within apps and services that can further compromise game servers and accounts. Other prominent vectors in this category were cross-site scripting and remote file inclusion, accounting for 8% and 7% of attacks detected by Akamai, respectively.

The video game industry also experienced a 224% increase in credential stuffing attacks in 2020 compared to 2019, a total of nearly 11 billion. Akamai observed that these attacks took place at a large, steady rate throughout last year, with millions of attacks registered each day and two days seeing spikes of more than 100 million. It added that credential stuffing became so common that bulk lists of stolen usernames and passwords were available for as little as $5 on illicit websites.

Surprisingly, there was a 20% reduction in DDoS attacks targeting the gaming industry.

Another key finding from the report was that cyber-criminals consistently targeted mobile games incorporating in-app purchases. These are in-game purchases of virtual items like skins, character enhancements and additional levels.

Steve Ragan, Akamai security researcher and author of the report, commented: “We’re observing a remarkable persistence in video game industry defenses being tested on a daily – and often hourly – basis by criminals probing for vulnerabilities through which to breach servers and expose information. We’re also seeing numerous group chats forming on popular social networks that are dedicated to sharing attack techniques and best practices.”

There have been several high-profile hacks on video game companies over the past year. Earlier this month, gaming giant EA suffered a major data breach in which 780GB of data, including source code for games, was stolen and advertised for sale on the dark web.

What’s Hot on Infosecurity Magazine?