As Gaming Moves to the Cloud, Web App Attacks Multiply

Originally published by Ericom here.

Written by Gerry Grealish, Ericom CMO.

The online gaming industry is huge and growing fast. Sales topped $193 billion in 2021 and are anticipated to reach almost $211 billion by 2025. Attacks on the industry are increasing as well, as cybercriminals, including organized crime actors, seek to grab a piece of the pie.

Attacks on gaming providers are primarily motivated by financial gains. As for other industries, attacks target web apps and APIs and include ransomware and DDoS attacks. In addition to now-standard criminal activity such as demanding payment to stop attacks and stealing user credentials and PII, cyberattacks on gaming apps provide criminals with myriad ways to manipulate games for fun and profit (for the cybercriminals, that is). For instance, stealing information on how a game works allows them to engineer cheats that they can then sell. For games that pay out in real money, tweaking the odds yields more direct profits.

Cybercriminals also may leverage the huge flows of funds to and from games to launder funds from illicit activities. According to the recent Akamai Gaming Respawned report,

“Criminals sign up for a game, create a profile, and then use the proceeds of their illegal activities or stolen credit cards to purchase as much in-game currency or as many accessories as they can, and then sell their account at a discounted rate to a second actor/victim, receiving clean money in return.”

Games “Win” the DDoS Race

Gaming platforms are the target of 37% of all DDoS attacks, nearly twice as many attacks as banking, the next most-attacked industry. These attacks, which are deployed via armies of bots, can take games offline entirely or slow performance to a crawl, exasperating users and causing support costs to skyrocket.

More sophisticated DDoS attacks can be used to selectively increase latency, providing a competitive advantage for some players – and seriously alienating those whose playing is unfairly slowed down. The result is significant damage to the gaming company’s brand, reduced customer loyalty and huge financial hits.

Web App Attacks are the Fastest Growing Threat Vector for Games

As games have moved to the cloud and cloud-facing application attack surfaces have expanded, attacks on gaming web apps have increased. Akamai reports that web application and API attacks on the gaming industry grew by 167% between May 2021 and April 2022, with over 820 billion attacks occurring during that time, including many using OWASP Top 10 techniques. Three times as many web app and API attacks on gaming apps were recorded in the first quarter of 2022 versus the same period in 2021, a strong indication that organized crime is likely involved.

Attacks on gaming industry web apps may leverage SQL injection (SQLi) to penetrate back-end databases and steal source code, enabling attackers to engineer cheats that they can sell. SQLi attacks can also be used to gather login credentials, PII and other user information that’s stored on servers.

Local File Inclusion (LFI) attacks, which have increased massively in the past year and now account for 38% of web app attacks targeting gaming, may be used to attack stored data including player details such as usernames, passwords and account info, as well as game details. LFI attacks can also enable criminals to penetrate the networks of gaming companies and manipulate in-game economies.

Cross site scripting (XSS) attacks are another significant vector, representing 24% of web app attacks targeting gaming. With resulting access to game code, criminals can manipulate odds for games that pay out in cash.

Addressing the Threats

As more applications move to the cloud, attacks on web apps and APIs are increasingly becoming cyber threat actors’ attack vector of choice for all industries. Gaming applications, however, are particularly vulnerable to these types of attacks due to the broader range of malicious activities threat actors can execute once they’ve gained access to gaming apps.

Instead of being limited to “standard” cybercrime activities such as credential theft, downloading confidential data and PII, and encrypting files for ransom, threat actors who attack gaming apps can alter game economies to generate ongoing revenue streams from illicit payouts; launder funds from other criminal activity; or benefit from robust, ongoing sales of cheats. As in the recent Rockstar GTA6 breach, they can also wreak havoc in more standard ways through breaches that expose work in progress or as-yet unreleased content – or threaten to do so.

For gaming in particular, because the risks are so great and the criminal possibilities are both numerous and attractive, protecting web application surfaces from attack is essential.

Protecting Web-Based Games from Attack

It’s important to find a Zero Trust solution that protects web-exposed apps and cloaks application surfaces from view. For exampling, “inverting” remote browser isolation (RBI) prevents threat actors from probing for vulnerabilities in app code or identifying API that might serve as attack vectors. It also protects games during the development process by securing remote access for third-party users, such as freelance animators and visual effects artists who work on their own personal devices.