The gaming industry is an exceptionally attractive target for cybercriminals; an effective cybersecurity solution is therefore essential for gaming companies.
The global gaming market is immense. Newzoo, a leader in the field of video games and gamer data, forecasted in 2020 that the gaming market would grow to nearly US$ 190 billion in 2021, up from US$ 137.9 billion in 2018. It further stated that 2023 would mark a major milestone for this market, with the global number of gamers exceeding 3 billion, representing a CAGR of +5.6% (2015-2023), with the vast majority playing on mobile devices.
The data collected by the gaming companies is of extremely high value to them. As explained by EY, this data improves their understanding of player behaviors, enables them to personalize and redesign their games to make them more engaging, and allows them to create targeted in-game advertisements.
The immense amount of personal and credit card data collected by gaming companies has not escaped the attention of cybercriminals looking for easy financial gain, or for a way to use stolen data to perpetrate various attacks on various organizations or individuals.
Increased risks justify cybersecurity for the gaming industry
According to Akamai, the gaming industry is a more popular cyberattack target than banking!
Cybercriminals launch attacks against online gaming companies for financial gain; however, they achieve this goal not only through theft of personal information and credit card data, but also by stealing gaming accounts. Gamers put a great deal of effort into building their game characters and purchasing goods; gaining control of such accounts enables the account buyers to play at a higher level, benefitting from what the original gamers had already gained, while sparing themselves the effort the gamers had invested.
A 2020 survey conducted by DreamHack and Akamai among 1,200 gamers revealed that 52% of the respondents have had at least one of their accounts hacked, and 70% have come across hacked accounts being sold online.
In its 2022 State of the Internet (SOTI) report, Gaming Respawned, Akamai further shared that it had tracked 821,648,208 web application attacks in the gaming industry from May 2021 to April 2022, representing an annual increase of 167%.
The vulnerability of gaming sites is compounded by the fact that gaming developers do not place sufficient emphasis on security; their primary concern is speed and quantity in releasing games.
Attacks that ACID’s cybersecurity for the gaming industry addresses
ACID Technologies’ cybersecurity solution for the gaming industry addresses a wide range of threats, including the following main ones:
- Web application and API attacks – according to Akamai, since January 2021, the top three web application attack vectors targeting gaming were LFI (Local File Inclusion) – 38%, SQL injection – 34%, and XSS (Cross Site Scripting) – 24%. The company further stated that since April 2022, web application and API (Application Programming Interface) attacks were the largest attack category, and continue to increase in volume.
- DDoS attacks can adversely affect gaming performance, or even prevent gamers from playing altogether. According to Akamai’s 2022 State of the Internet (SOTI) report, gaming is the industry most affected by this type of attack, incurring 37% of all global DDoS attacks, almost twice as many as in the financial services vertical.
- Malware and phishing attacks are often perpetrated together in the gaming industry, where gamers are tempted with an advantageous “cheat” and unwittingly install malware and ransomware. Inventory and characters can also be stolen through a phishing attack.
- Credential stuffing attacks – to give an idea of the extent of the problem, Akamai has revealed that in the 17 months ending in March 2019, hackers had carried out 12 billion credential stuffing attacks against gaming websites.
- Ransomware attacks – cybercriminals are known to put “hacks” and other virtual goods up for sale. Unbeknownst to the gamers buying them, these are actually Trojan horses intended for ransomware.
The importance of cybersecurity for the gaming industry with respect to regulatory compliance
As gaming companies collect vast amounts of personal information and payment credentials, they are required to abide by strict regulations, including:
- Payment Card Industry Data Security Standard (PCI DSS), which applies to every business that stores, processes or transmits cardholder data.
- GDPR (General Data Protection Regulation) – a pan-European data protection law that requires organizations to manage data appropriately. Failure to comply with the GDPR places them at risk of heavy fines of up to 4% of their global annual turnover, or 20 million euro – the higher of the two.
Examples of gaming industry attacks that could have potentially been avoided with an effective cybersecurity solution
Examples of attacks highlighting the justification for implementing cybersecurity measures in the gaming industry are presented below.
- In June 2021, Infosecurity reported that hackers staged an attack against Electronic Arts (EA), a global leader in digital interactive entertainment headquartered in the USA. The attack was detected when the hackers published blog posts on underground hacking forums offering 780 GB of data for sale. The stolen data included the source code for FIFA 21 and code for its matchmaking server, as well as source code and tools for the Frostbite engine, which powers the popular game Battlefield, among other EA games. The hackers also gained access to proprietary EA frameworks and software development kits; however, it seems that they did not steal any of EA customers’ personal data.
- About two and a half years earlier, in late December 2018, hackers targeted the popular role-playing game Town of Salem, which is streamed on the Amazon Twitch platform, and gained access to the entire player database. Forbes reported at the time that the breach impacted more than 7.6 million players, adding that the security firm DeHashed had disclosed that the total row count of that database was 8,388,894, and included some 7,633,234 unique email addresses. It further added that the compromised data also included usernames, IP addresses, game and forum activity, passwords and payment information. The perpetrators were unable to monetize the hack, as payments were handled by a third party; however, they could still use the data they had gained access to in order to launch phishing attacks, or sell it on the dark web.
The benefits of ACID’s cybersecurity for gaming companies
Gaming companies failing to protect themselves adequately from cybercrimes place themselves at risk of great financial loss – both directly, and as a result of fines due to non-compliance with regulations and standards. They are also at risk of great harm to their reputation.
ACID offers an exceptionally cost-effective solution for online gaming operators: It deploys clusters of bots and implements advanced AI algorithms in order to detect the first signs of an attack in the clear, deep and dark web, as well as in multiple other sources, as early as in its initial planning phase.
Once such signs are detected, ACID alerts the targeted company in real time, providing all the available information – including screenshots of threats detected on the dark web and deep web, which clients may be reluctant to access or incapable of accessing themselves. ACID continues to monitor the sources, using client-specific keywords in several languages, and provides updates with any additional data as it becomes available. While ACID continuously monitors a great number of sources, if the client wishes to include additional ones in the search, we are happy to oblige.
Additionally, ACID conducts widespread monitoring activities to detect any hacked accounts that may be offered for sale, indicating that a company has already been breached, to enable it to take appropriate action.
ACID’s state-of-the-art solution provides real-time alerts of cyberattacks waged against gaming companies, even as early as in their planning stage. The initial information provided, and the subsequent updates, enable the targeted companies to implement effective countermeasures, and maintain business continuity and profitability.