Many of us spent the lockdown baking banana bread or filming TikTok videos. Criminals used their downtime during the COVID-19 lockdowns to recycle old credential lists and test them against new targets, a technique known as credential stuffing. This increase in activity (a 400% rise in phishing is just one example) began in early 2020 and has continued to the present. The result: more attacks on companies across the globe. The gaming industry was particularly affected: in 2020 it saw more security attacks than any other industry.
Hackers spent their free time exchanging ideas with others in the field. According to a report from Akamai, many group chats on the popular social platform Discord were initiated by hackers.
The popular discussions and tutorials centred on all-in-one tools and on using services to locate databases, unprotected assets, and more. Hacking in the gaming sector is built on bulk, not exclusivity. A single account might not be worth much; one usually sells for around $5. But sophisticated hackers can gain access to hundreds of them in a short time and sell them on. As we have discussed in previous blogs, the economics of password hacking make it worth the effort (see Attempted Fraudulent log-in rises by 282% YOY (miracl.com)).
There are surprisingly professional online marketplaces that offer illegally obtained access to gaming accounts and game libraries. They even have trust ratings for the criminal vendors and a lifetime warranty on illegal goods. These hackers have effectively formed their own digital gaming black market.
Why are video game companies targeted?
Video game companies are in the crosshairs because they are not subject to the same security requirements and regulations as other industries. A video game startup may not prioritise security in the same way as a hospital or a bank. Hackers are aware of that fact and use it to their advantage.
The gaming industry is also attractive because of the enormous profits: The Gaming Market was valued at USD 198.40 billion in 2021. That is expected to grow to USD 339.95 billion by 2027.
Why do hackers target video game players?
Like many other online users, video game players often use the same password on different platforms. A hacker who obtains a user’s login credentials can launch attacks against video game companies or threaten to do so. Generally, the criminals are after users' (in this case, gamers') Personally Identifiable Information (PII), such as a social security number or a passport number. PII can then be sold to other hackers or even to gamers who want to enter a game at a higher level than they have yet reached. Revenge attacks from disgruntled gamers may be even more frequent than revenge attacks from terminated employees in the business world. There’s also always the possibility that some gamers, excited by the thrill of hacking, may go one step further and try to hack the gaming company’s network. Whether for profit or personal gain, there’s no shortage of hackers attacking gamers and the gaming industry.
The C-Suite is especially at risk
You would think that executives are more aware of the risk of hacking and therefore protect their assets. That seems not to be the case. The cyber security firm BlackCloak discovered several weaknesses in the credentials used by C-suite executives at video game companies. Of the analysed passwords, 83% were found on the Dark Web, and 68% of them were connected with the executive’s personal email address. 34% of the executives reused the same password, or only slightly modified versions of it, across multiple accounts. Multi-factor authentication (MFA) protects against that, but traditional methods using SMS one-time passwords (OTPs) or authenticator apps aren’t as user-friendly as typing in a single password. This lax attitude towards security is dangerous and has led to some worrying incidents.
Recent Gaming Attacks
In February this year, an Israeli cyber-research team found that a Russian-based hacking organisation had targeted a European gaming and gambling app. It compromised passwords to plant relatively sophisticated ransomware originally developed by a Russian nation-state APT (Advanced Persistent Threat) group. The analysts found hard-coded Russian-language strings within the code used.
The analysts stated that the strategy showed “a persistent, sophisticated enemy with some programming skills” and a “clear objective in mind”. That is far from the typical script-kiddie profile we often think of when describing hackers.
They also pointed out that the entry point for this intrusion was a set of compromised credentials. That shows how important it is to apply additional access control. A password alone, even if it is a sophisticated one, is not secure enough to protect these gaming accounts.
In February this year, a Chinese-speaking advanced persistent threat (APT) was linked to a new campaign that targeted gambling-related companies in Southeast Asia, especially Taiwan, the Philippines, and Hong Kong. The malware installed bypassed User Account Control (UAC) mechanisms, created new backdoor accounts, and even executed arbitrary commands on the infected system.
How to protect your company
Users of gaming and gambling apps use them to relax or to compete with others in friendly online battles. They want to enjoy themselves, not think about security concerns. A complicated login process creates friction and annoys these customers even more quickly than others. As Steve Ragan, a security researcher at Akamai, told SecurityWeek, “The gaming industry does want to defend its players, but security is a balancing act. Gaming companies spend a lot of time and effort researching their security posture and their players' needs. They try to find a balance between the two of them… the thing is, you can’t force somebody to do something”.
Multi-factor authentication is THE essential ransomware protection. Traditional MFA may require users to add another device to the mix to access their account. Usually, they need to type in a code sent to their mobile device after entering their password. This extra security layer helps to steer hackers away from these accounts. The problem is that this additional measure adds precious time to the login process and can be a hassle for users. Maybe they don’t have their phone next to them or find the process annoying.
Only MIRACL provides secure, fast, and simple MFA protection while also improving the user experience. A simple PIN is all it takes to log into the account. That reduces password setup and reset costs by up to 40%. No data is sent across the web, and nothing is stored in the cloud. Users don’t have to remember complicated passwords, and the seamless login experience keeps them engaged with the company.
If you want to know how MIRACL can help you, book a free 25-minute call to get to know MIRACL’s user-friendly authentication technology here.