Gaming boom puts gamers, firms in crosshairs of cybercriminals

On June 23, a Hyderabad-based gamer Siddhartha Anumula posted a thread on Twitter, detailing how he fell prey to a hacker on Sony's PlayStation Network (PSN). 

He was first logged out of his PSN account on June 17, following which the hacker proceeded to use the credit card saved on Anumula's account to buy games worth Rs 11,000. Sony subsequently suspended Anumula's account for chargebacks.

Anumula's angst is just an example. As the Indian gaming market grows, cyberattacks on gamers have become rampant. 

Three in four gamers in India have experienced some form of a cyberattack on their gaming account, according to a November report by security firm NortonLifeLock. The report added that four in every five gamers lost a little under Rs. 8000 on average due to these attacks.

“With the advent of real money games and more developers building in-app purchases into their gameplay and more transactions taking place within games themselves, there is a greater opportunity for criminals to capture high-value data like banking information and personal identifiers,” said Sidharth Pisharoti, regional vice president for content delivery network (CDN) Akamai Technologies’ India South East Asia, and Asia Pacific and Japan regions.

He noted that gaming apps today are “no different” from fintech and banking applications, which store personally identifiable information (PII) for transactions.

Media consumption habits have undergone a major shift after the pandemic. In August, market research firm ENV Media Analysts reported that major app and game distributors, including the Google Play and Apple App Store, saw a 50% jump in engagement over the past year. Around 62% of Indian gamers interviewed for the Norton survey also said they started online gaming during the pandemic.

Like most users, gamers might also be making them easy targets due to their behaviour online. Ritesh Chopra, director, sales and marketing, India and SAARC at NortonLifeLock, said that many gamers admit that they partake in “risky behaviours” online, like sharing personal information, repeating the same usernames and passwords and more.

Moreover, gamers aren’t the only ones who are under fire. Gaming companies have seen a significant increase in attacks too. Akamai’s Pisharoti said that the company had recorded a massive 340% year-on-year increase in attacks on the gaming industry last year. He said that “credential stuffing” and “bot attacks” jumped by 224%. 

Amit Sharma, chief technology officer, DreamSports, the parent company of fantasy gaming platform Dream11, also agreed that attacks had grown “in the last few years”. 

Credential stuffing is a type of hack where attackers use data obtained from one data breach to login to unrelated services. In bot attacks, hackers use automated web requests to defraud users, disrupt services and steal data. 

Akamai also noted that while distributed denial of service (DDoS) attack volumes dropped by 20%, the ones that occurred were still “massive” and disrupted communications of gameplay. In these attacks, hackers disrupt services by overwhelming their servers with automated traffic.

“We have seen an increasing number of cases where malicious agents are able to manipulate leaderboards and breach the all-important trust that is essential for the industry to thrive,” Pisharotti said. And while gamers disregard internet best practices in attempts to get ahead, Pisharotti noted that gaming firms often deprioritize security in the rush to launch new games.

Lastly, the growing interest in non-fungible tokens (NFTs) and blockchain gaming is another factor that makes targeting gamers lucrative. Chopra pointed out that there have been multiple cases of “game developers having their work copied without permission” and sold as NFTs. This process is known as “sleepminting”, and can also allow a fraudster to mint an NFT from the game developer's wallet and transfer it back to their own account without alerting them.

To be sure, gaming companies are taking measures to protect themselves too. 

Dream Sports said it has a security team that looks at application security, data security and cloud security. The company also has a bug bounty program and runs penetration tests frequently with help from cybersecurity companies. 

“Internal teams also work closely with our developers to ensure there are no vulnerabilities when things are going live. We also vet the tools thoroughly before using them,” said CTO Sharma. Regional language focused gaming platform Winzo also said that spending on cybersecurity is a “top priority” for the company.