Keeping games secure is like a battle royale | Akamai


Security threats in games are at an all-time high with a common form of attack up 94% in the past year, according to a new blog post — the first in a series — by Tricia Howard, a cybersecurity researcher at Akamai.

The games industry is arguably one of the most influential industries of our time, the company noted. With 2.58 billion video gamers around the world and $183.9 billion in revenues in 2023, the industry is only going to grow as each generation becomes more reliant on technology, Akamai said.

Over a period of 18 months from January 2023 to June 2024, Akamai observed that in four of the last 18 months, there were more than 25 billion Layer 7 distributed-denial-of-service attacks during that single month. The Layer 7 DDoS attacks are up 94% year over year.

One of the most interesting parts of the games industry is its unique security position — there are cyber land mines at every turn both for the players and the developers. The average gamer is more technologically savvy than most consumers in other industries, which means an “insider threat” in the games industry can come from inside the network or from inside your digital reality.


Lil Snack & GamesBeat

GamesBeat is excited to partner with Lil Snack to have customized games just for our audience! We know as gamers ourselves, this is an exciting way to engage through play with the GamesBeat content you have already come to love. Start playing games now!


This industry also has a highly unique prevalent threat actor profile: the troublemaker. A streamer says something they don’t like? They’ll build a bot to take them offline. A troublemaker can also build trust by pretending to be an ally in the game, and then deliver malicious payloads or URLs through the chat feature.

The good, the bad, and the ugly of a technologically savvy demographic

The industry is appreciative of openness and collaboration among players — and it has the technological mindset to match, which, by its nature, is antithetical to security’s plight. Some behaviors viewed as suspicious or even malicious in the security sphere are not only commonplace in the games industry, but they’re also embraced and encouraged; for example, modding is integral to the culture of games and botting is considered part of gameplay in some scenarios.

The security community knows all too well that the same tactics, techniques, and procedures that give the community its charm can also be used for malice. There is an overlap in the Venn diagram of people interested in games and those with technical know-how, which creates opportunities for both rule breaking and technical discoveries.

It also means that attackers’ goals can be different, and those differences influence attack trends. Where else than in the world of games can you bot for currency in two different realms? You could even do it at the same time if you wanted to.

Looting on- and offline

On top of the player vs. player cyber concerns, the games industry still has to deal with all the other security challenges facing the world. The fiduciary-fueled attackers follow the money, and this industry might as well advertise itself with neon dollar signs, Akamai said.

Cyber threats are not always technical (as we well know!) and nefarious behavior isn’t exclusive to attackers. Some mobile game ad targeting could be seen as malicious, or even unethical, though not illegal. But, of course, that describes advertising in general; it’s not specific to the games industry. Regardless of their intent, the targeted ads affect the spending habits of players, which, in turn, affect where the threat actors head next.

Subscriptions

Game publishers can expect to dole out millions of dollars to create a triple-A title — and that cost trickles down to the consumer. The jump from $60 to $70 per title is not insignificant, and can affect a budget-conscious gamers’ decision on when (or if) to buy a game outright, especially with the multitude of subscription services available.

As in similar media genres, subscription services are growing in the gaming world. The sheer number of games on the market makes it financially unfeasible to purchase them all. Including mobile options, there are more than a dozen gaming subscription services available today, all fighting for a piece of that $11.7 billion dollar pie (Midia).

If there are more subscription services, there are more user accounts, and there are more opportunities for credential stuffing or account abuse. And with more brands to impersonate, there is more content for threat actors to mimic for phishing campaigns or other scams.

Subscription fatigue is real, and it gets costly. There’s also the issue of physical or virtual storage space that must be accounted for.

Layer 7 DDoS attacks climb the leaderboard

January through March 2023 experienced the lowest number of assaults on Layer 7, with less than 15 billion monthly attacks each. The upward trajectory of this vector is wild: The dip in February 2024 was the lowest number of monthly attacks in 2024 so far, at more than 19 billion — which means that the lowest number of monthly attacks in 2024 to date is still higher than the number of attacks in January, February, March, and April of 2023.

The Asia-Pacific and Japan (APJ) region had the highest global revenue for the games industry in 2023 (at $85.8 billion) and the 1.79 billion players in that region. This year, the region also had the most Layer 7 DDoS attacks with 187 billion attacks in the last 18 months.

Asia Pacific is getting hit with the most DDoS attacks when it comes to gaming.

Bots are as prevalent in games as they are in other industries such as finance. But the aim of the botnet author may be different. The type of bot and the time of year for the attacks may also be relevant. Between January and June, bot requests saw a 391% growth from Q1 2023 to Q1 2024. They met that mark early — 2024 started with a record number of bot requests in the games industry: 147 billion.

June gave January a run for its money (145 billion), more than tripling the amount in June 2023. To put those numbers into perspective: For the entire observed period, the Europe, Middle East, and Africa (EMEA) region only saw 59 billion bot requests.

Bot requests by month.

Since the Steam Summer Sale happens every June and July, it is likely these two months will continue to see gobs of bot traffic. This theory is supported by the mimicked trend for the months of December 2023 and January 2024 — Steam Winter Sale time. This theory is also supported by the fact that the most bot requests originated from North America — 845 billion, to be exact.

These two periods (June/July and December/January) tend to show increased online activity during heavy spending seasons, making them lucrative times for attackers to pounce. The gamers themselves, as well as the game companies, are especially under digital siege during those periods.

Web application firewall attacks

Monthly WAF attacks in gaming.

Web attacks in games grew by 94% from Q1 2023 to Q1 2024. The most steady increase was in web application firewall (WAF) attacks. After the dramatic drop in May 2023, you could draw a decently consistent upward trend month over month. June 2024 is currently topping out at a billion.

May and June 2024 saw mind-boggling increases over last year, at 434% and 528%, respectively. Akamai expects these numbers to continue upward as application and API use increases.

Akamai also collects data on traditional web attacks including Structured Query Language injection [SQLi], command injection [CMDi], local file injection [LFI], cross-site scripting [XSS], remote file inclusion [RFI], and server-side request forgery [SSRF]. The stats show that SQLi was the largest web threat to the games industry during the observed period, with more than 700 million attacks. This isn’t exclusive to games companies, either — SQLi can put you at the top of the leaderboard as a gamer too.

Akamai tracks the top types of traditional web attack vectors in games.
Akamai tracks the top types of traditional web attack vectors in games.

LFI has been steadily increasing across industries in the past several years. It can lead to other web-based attacks (such as XSS) and, in some cases, can lead to remote code execution. It’s certainly something for a games publisher to look out for.

SQLi wasn’t just the leader, it was also the most staggeringly sporadic, which speaks to the nature of games.

Q1 2023 saw a rapid release of games that were part of the COVID-19 backlog. The continued push back of release dates as a result of the pandemic has increased the demand for these titles, which likely contributed to the severe increase of SQLi during that time. The sporadic nature of SQLi also could speak to differences in the attackers’ goals. North America sees orders of magnitude more web attacks

Gaming and other tech sectors often inspire real-world innovation on both the micro and macro levels. From cosplay to self-driving cars, luxuries and lifestyles from the digital realm have been brought to life thanks to the games community.

While Howard write the post, the data analysis was done by Camila Cabrero Camacho and other Akamai staff contributed as well.