When virtual mittens sell for thousands, of course gamers are ripe targets for cyber shenanigans

Guys, your security hygiene stinks

27 Reg comments Got Tips?

Akamai Edge World Players of games like Fortnite and Minecraft have emerged as juicy targets for cybercriminals.

It might sound ridiculous, but stealing and reselling weapon skins, loot boxes and entire levelled-up accounts can bring in big money. Last year, a particular rifle skin in CS:GO went for 60,000 real American dollars. A Legacy Ethereal Flames Wardog in Dota 2 was once sold for $38,000. The Playerunknown Set in PUBG currently retails for $271, and a competitive Hearthstone card set will set you back $200-$300.

Akamai's latest State of the Internet report focused on gaming as a microcosm of security issues. It found that attacks against game accounts were increasing, emerging as one of the easiest ways to make a quick buck.

Law enforcement will most likely ignore a complaint about a theft of a pair of digital gloves – no matter how cool they might look...

"We realised that over 17 months, we have seen 55 billion credential abuse attempts – 12 billion of that was against gaming customers," Martin McKeay, security advocate at Akamai and author of the report, told El Reg at the company's annual shindig in Las Vegas.

Most of the attacks against this particular user group came from Russia. Most popular target? Gamers in the US.

Cybercrims are targeting the group because they are usually lax with their security practices, and law enforcement will most likely ignore a complaint about a theft of a pair of digital gloves – no matter how cool they might look. "Right now they are going to go – virtual currency, virtual items, it's just not important enough," McKeay said. "That means it's a relatively low risk, high return."

Interestingly, crooks are not usually interested in bank details – even though payment information is normally attached to any game account.

"There is a lot of competition to do fraud, on the criminal side, that already has a solution from the point of view of the financial institutions," McKeay said. "They are aware of attempts at fraud, they know how to detect them, they know how to defend against them so you are dealing with a twofold problem of known defences that are good and effective, and a lot of competition.

"By going into gaming, you'd have very little competition, you'd have what is basically a green field. Going where defences are a lot less understood."

Stolen virtual items are often sold on internet forums – which means no defences of any kind, period.

Another reason is the fact that credential abuse is really cheap. According to McKeay, Snipr, a popular tool used for "credential stuffing" – checking hundreds of compromised credentials to see which ones will work – costs around $20.

Snipr has a logo, a helpdesk, a development lifecycle, and offers performance guarantees. The primary reason credential stuffing is so effective is people tend to reuse their passwords. Once one of the target's accounts has been compromised, all are compromised.

"You can get a dirty list where there are these huge groups of user names and passwords, but they haven't been checked – or you can pay more and you can get a list that people have already gone out and done credential abuse with, and found out that yes, on Fortnite, this user name and this password works to log in and doesn't require two-factor authentication," McKeay explained.

"You can go on the black market and you can buy these – and that means that there are multiple ways for criminals to make money off this."

According to Akamai, particularly valuable targets include Fortnite, Minecraft, Clash of Clans, Runesape, CS:GO, NBA 2019, League of Legends, Hearthstone, Dota 2, PUBG, and more recently, Apex Legends. Steam and Origin accounts are also in very high demand. ®

SUBSCRIBE TO OUR WEEKLY TECH NEWSLETTER


Keep Reading

There are DDoS attacks, then there's this 809 million packet-per-second tsunami Akamai says it just caught

Bank on the receiving end of massive 418Gbps traffic barrage

Stuffing nonsense: Persistent cyberpunks are pummelling banks' public APIs, warns Akamai

Security biz clocked 55 million malicious login attempts on a client

Watch your MANRS: Akamai, Amazon, Netflix, Microsoft, Google, and pals join internet routing security effort

Filtering, anti-spoofing, coordination, validation to prevent crooks, spies hijacking victims' connections

DIY with Akamai: What to do when no one sells the servers you need? You build your own

Akamai Edge World If it looks like a hyperscaler, swims like a hyperscaler...

Akamai CEO: Playing games from the cloud? Seems too expensive to be viable right now

Akamai Edge World 'It is something we are interested in … but the economic model hasn’t worked out yet'

Akamai on dragging 'em kicking and streaming to the edge: They might be public cloud giants, but we're, er, vids in

Akamai Edge World CEO Tom Leighton pitches CDNs for enterprise

Dear hackers: If you try to pwn a website for phishing, make sure it's not the personal domain of a senior Akamai security researcher

Exclusive Crooks fail to hijack infosec bloke's site to dress it up as a legit Euro bank login page

Crime doesn't pay? Crime doesn't do secure coding, either: Akamai bug-hunters find hijack hole in bank phishing kit

Exclusive Absolutely criminal behavior – unrestricted file upload, really?

Biting the hand that feeds IT © 1998–2020