Cybercriminals are enjoying their own game: preying on gamers and exploiting any lax security by gaming platforms.

Between 2018 and 2020, video game companies and players were targeted by high volumes of attacks, particularly this year due to the pandemic.

According to a recent report by Akamai, nearly 10 billion attacks have targeted the gaming sector. The significant majority were SQL injection (SQLi) attacks intended to exploit user login credentials, personal data and other information stored in the targeted server’s database.

Local File Inclusion (LFI) was the other notable attack vector; it can expose player and game details that can ultimately be used for exploitation or cheating. Criminals often target mobile and web-based games with SQLi and LFI attacks because successful exploits give them access to usernames, passwords and account information.

Furthermore, between July 2019 and June 2020, some 3,000 of the 5,600 unique DDoS attacks Akamai observed were aimed at the gaming industry, making it by far the most-targeted sector. Recalling the Mirai botnet, which was originally created by college students to disable Minecraft servers and later used to launch some of the largest-ever DDoS attacks, the report notes that the gaming-related DDoS attacks spiked during holiday periods, as well as typical school vacation seasons. This serves as a likely indicator that the responsible parties were home from school.

The last primary form of attack used against gamers is phishing via legitimate-looking websites related to a game or gaming platform.

Said Steve Ragan, security researcher and author of the State of the Internet/Security report: “The fine line between virtual fighting and real-world attacks is gone. Criminals are launching relentless waves of attacks against games and players alike in order to compromise accounts, steal and profit from personal information and in-game assets, and gain competitive advantages. It’s vital that gamers, game publishers, and game services work in concert to combat these malicious activities through a combination of technology, vigilance, and good security hygiene.”

The allure of digital fantasy

Video games served as a major outlet for entertainment and social interaction during the COVID-19-driven lockdowns earlier in the year, motivating criminals to zoom in on the industry. Though many gamers have been hacked, far fewer appear to be concerned.

In an upcoming survey of gamer attitudes toward security conducted by Akamai and DreamHack, 55% of respondents who identify as ‘frequent players’ admitted to having had an account compromised at some point. Of those, only 20% said they were ‘worried’ or ‘very worried’ about it.

The report posits that even though avid gamers may not recognize the value in the data associated with their accounts, criminals most certainly do. Said DreamHack Chief Strategy Officer Tomas Lykedal: “Gaming has always brought communities together, so all of us at DreamHack want to ensure our valued communities of fans and players are protected from cyberattacks of this nature… Everyone involved can help ensure that, together, we are doing all we can to protect privacy and personal information when engaging on these world stages and global platforms.”

The fact remains: gamers are highly targeted because they have several qualities that criminals look for. They’re engaged and active in social communities. For the most part, they have disposable income, and they tend to spend it on their gaming accounts and gaming experiences. When these factors are combined, criminals see the gaming industry as a target-rich environment.

Gamers can protect themselves and their accounts by using password managers and multi-factor authentication along with unique, complicated passwords.