Rob Behnke
September 25th, 2023
While gaming expands in Web3, it has already made its mark among DeFi attacks. The most expensive DeFi hack to date — the Ronin Network hack — exploited security flaws in the protocol that were added to handle large volumes of gaming transactions.
The gaming sector in general is a valuable target for cybercriminals. Gaming platforms commonly have large volumes of valuable player data, and gamers frequently invest heavily in their online games, making them high-value targets. Additionally, the competitive nature of gaming means that attacks that can disrupt an opponent’s gameplay or provide a gamer with an unfair advantage are also common in the space.
In this article, we’ll provide an overview of the top 5 kinds of cyber attacks that occur in the gaming industry.
A Distributed Denial of Service (DDoS) attack is designed to make the target website or service unavailable to legitimate users. A botnet — composed of many infected computers — will flood the target system with large volumes of spam requests. By consuming all of the target’s network bandwidth, computational resources, or storage, the attacker renders it unable to process legitimate requests.
DDoS attacks have become common in the gaming sector as players attempt to gain an advantage over their rivals. DDoS attacks are relatively cheap to perform — an attacker with 20-50k requests per second for a day costs as little as $200 — and a successful attack could render a user unable to play for some time. In gaming, where even a few seconds of lag can be the difference between winning or losing, a DDoS attack can harm a player’s chances or force them to forfeit a match entirely.
One example of a significant DDoS attack in the gaming sector occurred in a 2015 League of Legends tournament match where Dignitas and Denial were competing. A DDoS attack targeting Denial — the 12:1 favorite for winning the match — rendered one of their players unable to play for over ten minutes.
Under the rules of the tournament, this forced Denial to forfeit the match. While this disrupted the tournament, it also created a financial opportunity for the attacker. With 12:1 odds, the attacker could bet on Dignitas and, by forcing Denial to forfeit, guarantee that they would win and provide a significant payoff for the attacker.
Phishing is a type of social engineering attack that uses deception and coercion to get the target to do something that benefits the attacker. For example, a common form of phishing attack involves an email that is designed to trick a user into visiting a malicious site that harvests their login credentials.
Phishing attacks can be used in various ways within the gaming sector. One potential application is to steal users’ login credentials for gaming sites. Often, these accounts control access to valuable in-game items that an attacker could steal for their own use or to sell on marketplaces. For example, in January 2022, an attacker performed a phishing attack that allowed them to bypass 2FA and take over the accounts of 50 high-profile FIFA 22 gamers’ accounts. The attacker drained points and in-game currency from these compromised accounts.
Another application of phishing attacks in gaming is to trick gamers into installing malware on their devices. A phishing message or post on a gaming forum could point to a site that claims to distribute free versions of a game or various mods. However, if a player downloads and runs these programs, they would actually install malware on their computer. This malware could steal the user’s password or other sensitive data or take other actions that hurt their ability to play the game.
Credential stuffing is another common cyberattack designed to gain access to users’ accounts. In this case, the attacker takes advantage of weak and reused passwords, a common problem. Using a list of weak passwords or ones exposed via data breaches or phishing, the attacker attempts to log into a user’s account with other services.
Account takeover attacks pose a significant risk in the gaming sector. In addition to the potential for theft mentioned previously, an attacker with access to a gamer’s account could delete it or take other actions that negatively affect their gameplay experience.
DataDome presented a case study of one credential stuffing attack it observed against a gaming platform. Over the course of four days, the attacker made nearly 108 million login attempts to various accounts and used a network of over 91 million bots to perform the attack.
At its peak, this attack included over 4 million login attempts for several hours. This means that, in addition to threatening users’ account security, the attacker also could have DDoSed the gaming platform’s login site if it lacked the capacity or protection to manage this onslaught of requests.
In a man-in-the-middle (MitM) or on-path attack, the attacker places themself on the communications path between a player and the server. This enables them to intercept communications, reading, modifying, or dropping them en route.
Most websites are protected against MitM attacks due to their use of the Transport Layer Security (TLS) protocol (the difference between HTTP and HTTPS) for traffic encryption and authentication. However, mobile apps commonly have weaker security than websites, and it is harder to determine if a mobile app is implementing strong security.
In the gaming sector, a MitM attack can be used to harm gameplay in various ways. An attacker performing a MitM attack on a competitor could drop their traffic or modify it to place them at a disadvantage.
A player can also perform a MitM attack on themselves to provide an unfair advantage, something that is possible even with HTTPS-protected web games. For example, the attacker can manipulate the game’s logic to improve their performance or learn secret information about the game.
A gaming company may have a variety of sensitive information. At a minimum, the organization will have personally identifiable information (PII), including a player’s name, address, etc. It is also likely that they will have payment card information to enable in-game purchases, and they may have other sensitive information about their users.
This collection of sensitive information makes data breaches a concern for these organizations as well. Cybercriminals may target the platforms to steal information for sale on the dark web or for use in later attacks. Gaming platforms also run the risk that players might attempt to extract sensitive information in an attempt to “dox” their opponents.
In 2022, Rockstar Games suffered a famous data breach. The attacker claimed to have access to the source code of Grand Theft Auto (GTA) V and VI. They also stole and leaked 90 video clips from prerelease test builds of GTA VI.
Cyberattacks in gaming can target both companies and individuals. For gaming companies, DDoS protection and prompt applications of patches for vulnerabilities can cut down on their exposure.
For gamers, the main threat to their security is account takeover attacks. Enabling multi-factor authentication (MFA) can help protect against credential stuffing and phishing attacks. Additionally, it’s also best to be wary of emails, websites, and links claiming to offer cheats or free in-game items. In most cases, these are scams designed to steal passwords or install malware on your computer.
If you’re a gaming company looking to secure your platform from hacks, get in touch with Halborn.