Cyberattacks

Why are gaming web application and API attacks rising?

Hackers are increasingly interested in stealing in-game currency, and profiting from cheats and disruptions.

Game over, man. The gaming industry is increasingly a target for hackers aiming to profit from stolen in-game items and other digital assets, cheats, and attacks against game developers, according to a recent report from Akamai.

Web application and API attacks targeting players’ accounts and gaming firms are up 167% from May 2021 to April 2022, with Akamai reporting it had tracked over 820 million such attacks. Since January 2021, the primary methods used were local file inclusion (LFI) at 38%, SQL injection (SQLi) at 34%, and cross-site scripting (XSS) at 24% of the attacks tracked by Akamai.

SQLi attacks may be intended to steal database information, including login credentials or personal information of players, useful for stealing digital goods like in-game items. LFI attacks, which rely on vulnerabilities that allow users to trick a server into running scripts, could expose player data or game details that enable the development of cheats. Akamai researchers wrote that mobile and web-based games are particularly juicy targets because hackers may gain “access to usernames and passwords, account information, and anything game-related that resides on the server.”

Gamers are valuable. The Covid-19 pandemic juiced video gaming to all-time highs in the US, and micro-transactions within them are expected to be worth over $100 billion annually by 2026, according to a Business Research Company estimate cited in the Akamai report.

“If you look at some of the latest trends for attacks against the gaming industry, account takeover is a huge thing,” Tony Lauro, director of security technology and strategy at Akamai, told IT Brew. For example, the Fantasy Premier League football app introduced two-factor authentication in July 2022 in response to a surge of account hijacks.

“One, if you’re a highly elevated user, I can extract value…in-game currency or special loot items, etc.,” Lauro said. “But, two, there are users that have early access to games, and heck, some of these users might even be developer users who have access to source code that may not necessarily be accessible to the general public.”

DDoS attacks were up 5% in 2021 according to the Akamai report, across industries ranging from financial services to pharmaceuticals—with gaming in the lead at 37% of tracked DDoS traffic. Those range from large-scale volumetric attacks to smaller ones for competitive advantage.

Application layer attacks are “very specific against the actual game assets themselves,” Lauro said. “LFI specifically has gone up 400% year over year, growing 20%, 30% just in the last quarter. And to me, that is also indicative of the fact that even though DDoS attacks are happening, it’s my goal to get access to game server assets.”

Cloud gaming could be a boon for hackers. Lauro said that game streaming services may present new opportunities for cybercriminals. “A lot of it has to do with these new applications that enable the cloud environment, cloud gaming to function,” he told IT Brew, and not just because of the new software that makes the tech work.

“You’re also creating new clients of that cloud gaming infrastructure. So now we’re gaming on my mobile device,” Lauro added. “Or we’re gaming on a console, or maybe we’re gaming on Raspberry Pis…but the whole concept here is you’re expanding the attack surface, not just in the users that can be targeted.”—TM

Do you work in IT or have information about your IT department you want to share? Email [email protected] or DM @thetomzone on Twitter. Want to go encrypted? Ask Tom for his Signal.
