When virtual mittens sell for thousands, of course gamers are ripe targets for cyber shenanigans
Guys, your security hygiene stinks
Akamai Edge World – Players of games like Fortnite and Minecraft have emerged as juicy targets for cybercriminals.
It might sound ridiculous, but stealing and reselling weapon skins, loot boxes and entire levelled-up accounts can bring in big money. Last year, a particular rifle skin in CS:GO went for 60,000 real American dollars. A Legacy Ethereal Flames Wardog in Dota 2 was once sold for $38,000. The Playerunknown Set in PUBG currently retails for $271, and a competitive Hearthstone card set will set you back $200-$300.
Akamai's latest State of the Internet report focused on gaming as a microcosm of security issues. It found that attacks against game accounts were increasing, emerging as one of the easiest ways to make a quick buck.
"We realised that over 17 months, we have seen 55 billion credential abuse attempts – 12 billion of that was against gaming customers," Martin McKeay, security advocate at Akamai and author of the report, told El Reg at the company's annual shindig in Las Vegas.
Most of the attacks against this particular user group came from Russia. Most popular target? Gamers in the US.
Cybercrims are targeting the group because they are usually lax with their security practices, and law enforcement will most likely ignore a complaint about a theft of a pair of digital gloves – no matter how cool they might look. "Right now they are going to go – virtual currency, virtual items, it's just not important enough," McKeay said. "That means it's a relatively low risk, high return."
Interestingly, crooks are not usually interested in bank details – even though payment information is normally attached to any game account.
"There is a lot of competition to do fraud, on the criminal side, that already has a solution from the point of view of the financial institutions," McKeay said. "They are aware of attempts at fraud, they know how to detect them, they know how to defend against them so you are dealing with a twofold problem of known defences that are good and effective, and a lot of competition.
"By going into gaming, you'd have very little competition, you'd have what is basically a green field. Going where defences are a lot less understood."
Stolen virtual items are often sold on internet forums – which means no defences of any kind, period.
Another reason is the fact that credential abuse is really cheap. According to McKeay, Snipr, a popular tool used for "credential stuffing" – checking hundreds of compromised credentials to see which ones will work – costs around $20.
Snipr has a logo, a helpdesk, a development lifecycle, and offers performance guarantees. The primary reason credential stuffing is so effective is that people tend to reuse their passwords. Once one of the target's accounts has been compromised, every other account that shares the password is compromised too.
"You can get a dirty list where there are these huge groups of user names and passwords, but they haven't been checked – or you can pay more and you can get a list that people have already gone out and done credential abuse with, and found out that yes, on Fortnite, this user name and this password works to log in and doesn't require two-factor authentication," McKeay explained.
"You can go on the black market and you can buy these – and that means that there are multiple ways for criminals to make money off this."
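Seen from the defender's side, as an added example (not code from Akamai's report or from this article): the sketch below flags the login pattern credential stuffing leaves behind, one source trying many distinct usernames with mostly rejected passwords, and lists the accounts whose password was accepted without two-factor authentication. The log format, function names and thresholds are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (assumed format): time, source IP, username,
# password result, whether the account has two-factor authentication.
SAMPLE_LOG = """\
2019-06-12T10:00:01 203.0.113.7 alice FAIL no
2019-06-12T10:00:03 203.0.113.7 bob FAIL no
2019-06-12T10:00:05 203.0.113.7 carol FAIL yes
2019-06-12T10:00:08 203.0.113.7 dave OK no
2019-06-12T10:00:11 203.0.113.7 erin FAIL no
2019-06-12T10:00:13 203.0.113.7 frank FAIL no
2019-06-12T10:00:16 203.0.113.7 gina OK yes
2019-06-12T10:00:20 198.51.100.20 heidi FAIL no
2019-06-12T10:00:40 198.51.100.20 heidi OK no
"""

def parse(log):
    events = []
    for line in log.strip().splitlines():
        ts, ip, user, result, mfa = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK", mfa == "yes"))
    return events

def find_stuffing(events, window=timedelta(seconds=60), min_users=5, min_fail_ratio=0.75):
    """Map each suspect source IP to the accounts it logged in to without 2FA.

    A source is suspect when, inside one sliding window, it tried at least
    min_users distinct usernames and at least min_fail_ratio of tries failed.
    """
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # drop attempts older than the window
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            fails = sum(1 for e in win if not e[3])
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                # Every password this source got accepted is now suspect; accounts
                # without 2FA had nothing else standing in the way.
                flagged[ip] = sorted({e[2] for e in evs if e[3] and not e[4]})
                break
    return flagged

if __name__ == "__main__":
    print(find_stuffing(parse(SAMPLE_LOG)))
```

The single user who mistypes a password once is not flagged, while the accounts returned for a flagged source are the ones to force a password reset on first.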
According to Akamai, particularly valuable targets include Fortnite, Minecraft, Clash of Clans, RuneScape, CS:GO, NBA 2019, League of Legends, Hearthstone, Dota 2, PUBG, and more recently, Apex Legends. Steam and Origin accounts are also in very high demand. ®