
Account Takeover in Online Gaming – Why Is It Happening?

By Netacea / 17th Apr 2020

Account takeover (ATO) attacks occur when a cyber attacker obtains personal information – namely usernames, passwords and email addresses – with the intent to illegally log in to a target account.

As the gaming industry continues to shift online, gaming account takeover (ATO) attacks are becoming an increasingly common – and costly – problem. Once the attacker has successfully accessed the account, they can carry out a range of malicious activities for their own gain. Posing as a real customer, they can fraudulently change account details, withdraw any funds and/or unique loyalty benefits, make online purchases, and even leverage the stolen account information they hold to access other accounts on different websites.

Given the devastation that can unfold following an attack, it is vital that gaming organisations recognise the importance of customer password security and the role their bot management solution plays, if only indirectly, in responding to the ATO threat. Understanding the impact of ATO attacks can limit the scope for customers falling victim to fraudulent activity while preventing significant financial and reputational damage to the organisation.

Attackers access credentials via the dark web and social media

Over the last two decades, society’s digital shift and its unremitting advancements have resulted in vast amounts of accumulated personal data and an increasing number of points of entry for cyber attackers to exploit and access that data.

So, where does all this data end up? The majority of the personally identifiable information acquired finds its way to the dark web, home to numerous lists of compiled credentials from years of data breaches carried out across all industries and all websites.

That being said, an ATO attack does not rely on access to highly sensitive user information for it to be successful. An attack can be instigated using scraps of information compiled with just a little bit of research to acquire a full name, an email address or a date of birth. Most of this information is provided willingly by users on their social media accounts. A cyber attacker will simply search for and locate the pieces of identifiable information (i.e. name, email address), most of which can be found with minimal effort, and the takeover attempt can be constructed from there. Additionally, the average user age within online gaming is significantly lower than in other gaming sub-verticals, heightening the risk of simplistic and recycled passwords across multiple accounts. When the more sensitive pieces of account information are easily deciphered, it opens the entire industry up to attack through an easily targetable consumer circle.

Why aren’t ATO attacks detected and stopped?

ATO attacks that are carried out using credential stuffing typically utilise automated bots to gain brute force entry into an account. Organisations with web-facing operations are savvy to automated threats and typically have some form of detection and mitigation software in place on their login pages, to identify real users from automated bots that are linked to ATO activity. Yet, every week there is a new breach or leak of private information from a recognisable company; so why are businesses that seem to have relevant security measures in place still experiencing ATO attacks?

In recent talks with one of the UK’s largest online sportsbooks, the organisation deduced their current security solution mitigates almost all ATO attacks, with an estimated ATO success rate of 0.03%; this is below the global average of 1-3%. While this is a low success rate, there are successful account takeovers nonetheless, and once an account has been breached it opens doors to further sinister activity.

The question as to why the aforementioned sportsbook had a smaller success rate than average can be further explained by the evolving sophistication of ATOs and their ability to evade security solutions previously designed to identify and mitigate them.

It is not uncommon for malicious actors to hide ATO attacks behind surges of automated traffic, enabling the activity to remain undetected by many front-end solutions. Other fake user accounts are created and then logged in to successfully. Cyber attackers can manually or automatically carry out a small number of login attempts, using combinations of the information scraps gathered around the target account, which, if unsuccessful, can be followed up with another successful login using another fake account. This process can be repeated, hiding the malicious intent in a sea of positive-looking traffic until the successful combination is found.
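The two paragraphs above describe why a simple per-account failure threshold misses this pattern: each target sees only a couple of failed logins, and the failures are padded with successful logins to fake accounts. The following example, added here and not code from Netacea or the sportsbook mentioned above, runs two detectors over a constructed login log (the `<epoch> <src_ip> <username> <OK|FAIL>` line format, the IP addresses and the account names are all invented for the example). The naive per-account rule either flags nothing or locks out a legitimate user who mistyped her password, and a failure-ratio rule is defeated by the padding; aggregating per source and counting how many distinct accounts that source has failed against is what surfaces the attack.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed log format for this example (not any vendor's real format):
#   "<epoch_seconds> <source_ip> <username> <OK|FAIL>"


@dataclass(frozen=True)
class LoginEvent:
    ts: int
    src_ip: str
    username: str
    success: bool


def parse_log(text: str) -> List[LoginEvent]:
    """Parse the constructed log format into LoginEvent records."""
    events = []
    for line in text.strip().splitlines():
        ts, ip, user, outcome = line.split()
        events.append(LoginEvent(int(ts), ip, user, outcome == "OK"))
    return events


def _build_sample_log() -> str:
    """Constructed sample: one clumsy legitimate user, one low-and-slow attacker."""
    t = 1_600_000_000
    lines = [
        # alice mistypes twice from her own address, then gets in.
        f"{t} 203.0.113.7 alice FAIL",
        f"{t + 20} 203.0.113.7 alice FAIL",
        f"{t + 40} 203.0.113.7 alice OK",
        f"{t + 60} 203.0.113.9 bob OK",
    ]
    # Attacker (hypothetical address 198.51.100.23): two guesses per target
    # account, each pair followed by a clean login to a fake account the
    # attacker controls, so the stream looks mostly like successful traffic.
    for i in range(1, 9):
        base = t + 100 + i * 60
        lines += [
            f"{base} 198.51.100.23 target_{i} FAIL",
            f"{base + 10} 198.51.100.23 target_{i} FAIL",
            f"{base + 20} 198.51.100.23 fake_{i} OK",
        ]
    # The final guess lands: the takeover of target_8.
    lines.append(f"{t + 100 + 9 * 60} 198.51.100.23 target_8 OK")
    return "\n".join(lines)


SAMPLE_LOG = _build_sample_log()
EVENTS = parse_log(SAMPLE_LOG)


def per_account_failures(events: List[LoginEvent], threshold: int = 5) -> Set[str]:
    """Naive rule: flag any account with at least `threshold` failed logins."""
    fails: Dict[str, int] = defaultdict(int)
    for e in events:
        if not e.success:
            fails[e.username] += 1
    return {user for user, n in fails.items() if n >= threshold}


def per_source_profile(events: List[LoginEvent]) -> Dict[str, dict]:
    """Aggregate attempts per source: totals, distinct accounts, failed accounts, ratio."""
    acc = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set(), "failed": set()})
    for e in events:
        p = acc[e.src_ip]
        p["attempts"] += 1
        p["users"].add(e.username)
        if not e.success:
            p["failures"] += 1
            p["failed"].add(e.username)
    return {
        ip: {
            "attempts": p["attempts"],
            "failures": p["failures"],
            "distinct_users": len(p["users"]),
            "distinct_failed_users": len(p["failed"]),
            "failure_ratio": p["failures"] / p["attempts"],
        }
        for ip, p in acc.items()
    }


def flag_by_failure_ratio(profiles: Dict[str, dict], min_ratio: float = 0.9, min_attempts: int = 10) -> Set[str]:
    """Ratio-only rule: catches plain brute force, but padding with fake-account logins evades it."""
    return {ip for ip, p in profiles.items()
            if p["attempts"] >= min_attempts and p["failure_ratio"] >= min_ratio}


def flag_by_account_spread(profiles: Dict[str, dict], max_failed_users: int = 3) -> Set[str]:
    """Spread rule: a real user fails against one or two accounts; stuffing fails against many."""
    return {ip for ip, p in profiles.items() if p["distinct_failed_users"] > max_failed_users}


if __name__ == "__main__":
    profiles = per_source_profile(EVENTS)
    print("per-account threshold 5 flags:", per_account_failures(EVENTS, 5))
    print("per-account threshold 2 flags:", per_account_failures(EVENTS, 2))
    print("failure-ratio rule flags:", flag_by_failure_ratio(profiles))
    print("account-spread rule flags:", flag_by_account_spread(profiles))
```

With the sample log, the per-account rule at a threshold of five flags nothing, and lowering it to two flags `alice` alongside the eight targets, which is exactly the false positive the sportsbook would be reluctant to accept. The attacker's failure ratio is 16 failures over 25 attempts (0.64), so a ratio rule tuned for brute force stays silent. The spread rule flags the attacker's address alone, because it has failed against eight distinct accounts while every legitimate source has failed against at most one. In production the same aggregation would be keyed on a device or session fingerprint as well as on IP, since the padding traffic in the text can just as easily be spread across addresses.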

What impact do ATO attacks have on users and businesses?

The detrimental effects of an ATO attack go far beyond the financial costs of restoring account value and administrative time spent resetting passwords. Users will become increasingly frustrated and will lose trust in the organisation, with research by the Ponemon Institute revealing that nearly a third of consumers sought to terminate their relationship with a company following a data breach. In addition, damage to a business’ reputation is likely to diminish numbers of new users creating accounts in the future.

All of which affects a company’s bottom line. When there are fewer returning users spending money on your platform, and a decreasing number of new users joining and spending money, annual profit margins quickly take a hit.

Fake account creation associated with ATO can also leave your business vulnerable to other forms of sophisticated bot attacks, such as credential stuffing.

How to avoid and combat gaming account takeover (ATO) attacks

Due to the growing trend of sophisticated automated bot attacks, Forrester, an expert analyst firm in the field of cybersecurity, highlights the importance of having a bot management strategy in place and predicts it will become the predominant form of application defence in the next 18 months.

Incorporating a specialist bot management tool that determines the intent of all web-facing traffic enables gaming organisations to identify and prevent attacks. Tackling the evolving bot threats requires expertise beyond bolt-on bot management solutions in order to effectively mitigate attempts to bypass traditional security measures such as WAFs and CDN bolt-ons.

Is your online gaming platform faced with an increasing amount of sophisticated automated bot attacks? Talk to the bot management experts at Netacea today to find out how we can help you stop gaming account takeover from occurring and how to mitigate threatening malicious bots.