Fraud in Online Gaming: A Midyear Snapshot of 2021 Attack Trends

July 1, 2021

Online gaming platforms experienced a surge in traffic last year when millions of homebound people used these platforms more often than ever before and for extended hours. Many new players, who had never previously explored the online gaming world, began frequenting these platforms, while many others used them to connect with others and make friends globally.

Fraudsters took advantage of the spike in traffic to blend in with the good users. They hack in-game environments, register thousands of fake accounts to pocket sign-up bonuses, steal assets from compromised user accounts, inflate and abuse in-game economies and auction houses, fix matches, send spam, and execute phishing campaigns. These stolen goods and compromised accounts can then be sold to third parties and on grey market forums.

Attack levels continue to remain high

The global gaming market is projected to reach $287.1 billion by 2026, up from $167.9 billion in 2020. With the soaring popularity of online gaming, these platforms are likely to continue experiencing elevated traffic levels and an increase in business.

In 2020, the online gaming industry was under constant siege, with more than a third of all traffic being fraudulent. As a result, online gaming was the industry worst affected by fraud attacks that year. Although fraud dipped a bit at the beginning of 2021, the attacks were more distributed, with fewer sustained account takeover and credential stuffing attempts and a more normalized attack pattern.

The use of mobile devices as a popular channel to access gaming platforms has further aggravated the situation by making these platforms more vulnerable to attacks. This is because fraudsters can easily spoof mobile devices and evade detection. The overall attacks on mobile channels during the first quarter of 2021 rose to 32% from 19% in the last quarter of 2020, with a majority (97%) of the attacks being bot-driven.

Fraudsters time their attacks to coincide with peak traffic levels and usually attack during holidays and promotional giveaways, such as when free or discounted games are offered. These days witness a spike in attacks, with hundreds of millions of attack events. Attack levels somewhat normalized at the beginning of 2021; however, the online gaming industry still remains highly targeted.

Some clear fraud trends are emerging from the attacks on the online gaming industry, and gaming platforms can learn from them to protect their gaming environments. These include:

Human-driven fraud: Human-based attacks are on the rise. This underscores the role fraud farms play in disguising their identity amidst large volumes of legitimate players. With more players to hide among and more players to target, there was a rise in human fraud to facilitate in-game abuse in Q1 2021.

The rise of the cyborgs: The increase in humans launching attacks speaks to the increasing relevance of the so-called 'cyborg' attacks, where fraudsters deploy a mix of bots and fraud farms to scale up their attacks with the least possible investments.

Malicious mobile traffic: In Q1 2021, the highest levels of fraud originated from mobile devices, due to an increased preference for mobiles as a gaming channel.

Attack rate tapered off: The year 2021 picked up where 2020 left off. The suspicious traffic rate was over 33% at its peak in 2020 but reduced to 17% by the end of Q1 2021.

Diverse attack types: Compared to 2020, which was dominated by account takeover attempts and login-based attacks, fraudsters diversified their attacks in 2021. There was a significant rise in the use of bots for dissemination of spam, in-game abuse, and gift card monetization.

Friendly fraud: Online gaming platforms provide youngsters an opportunity to learn how to code. However, many of them are easily tempted by the ability to cheat, level up, or make money in virtual game economies. Good users who turn bad can be some of the hardest to spot.

Social engineering: Gaming platforms have evolved into social networking hubs enabling players to engage with others and even find love. Fraudsters have lapped up this opportunity for social engineering and catfishing as players bond over gameplay, thereby increasing the threat of phishing and other types of scams.

Popularity manipulation: To manipulate the integrity of gaming platforms, fraudsters can artificially vote up certain user-generated games to make them more popular. They can also upvote (or downvote) videos or any in-game review mechanism.

Gaming fraudsters play to win

Ever-increasing traffic, heightened user engagement, and rising revenues have caught the fancy of burgeoning fraudsters. A number of previously law-abiding gamers have also begun to dabble in fraud. Fraudsters in the online gaming space are not the 'typical' criminals, and 'aspiring' fraudsters start off by using simple bots to launch attacks at scale.

Seasoned attackers, however, target the gaming platforms ruthlessly to access valuable in-game digital items and currency for resale. Gaming fraudsters work around the clock and leverage an ecosystem of resources to hide amongst legitimate players. When they play, they play to win.

Fraudsters adopt many ways to monetize their attacks. Some of the most common methods are:

Account takeovers: Fraudsters break into genuine accounts in order to steal and resell players’ hard-earned assets, or into dormant accounts for in-game cheating. While the costs to deploy large-scale and highly disruptive account takeover attacks are as little as $15 per day, the profits are massive, fetching almost $3,000 for compromising accounts with valuable assets.

In-game abuse: Compared to ATO and fake accounts, fraudsters are more likely to leverage a combination of bots and fraud farms for in-game abuse, such as disseminating spam and malicious content and executing phishing campaigns. At its peak in early 2021, the Arkose Labs network recorded over 12 million abuse attempts in one week.

Real-money trading: This refers to auction house abuse, economy inflation, and match-fixing. Fraudsters know players seek to gather as much wealth and experience in a game as fast as possible. Rewards are sold to players on the gray market. Some nefarious guilds make money by selling paid services to other players to carry them through the highest difficulty content for exclusive achievements.

Payments: Fraudsters target gift cards, game credits, and other player payment methods to execute payment fraud. In Q1 2021, nearly 1 of every 5 attacks targeted payment information. This quarter also saw the highest attack rate on payment workstreams with over half of payment traffic consisting of attacks. Online gaming arenas are a prime testing ground for stolen credit card details through microtransactions. Once tested, these valid details can be used for bigger ticket items elsewhere.

Fake new accounts: By creating multiple new accounts, fraudsters not only abuse new account bonuses but also use them to spam legitimate players or collude with other bad actors. These fake accounts can be resold for anywhere between $1 and $5 per 1,000 accounts, which explains the need to deploy bots to create new accounts at a massive scale to be able to make money. The Arkose Labs network detected more than 2.1 million daily attacks on registration at its peak during Q1 2021.

Gaming industry remains under siege

As gaming platforms continue to remain on the radar of fraudsters, they must be more vigilant than ever before to maintain a safe and trustworthy gaming ecosystem. Most user accounts are less secure and, unlike financial accounts, the majority of gaming accounts don't feature 2FA, making them easy targets for theft of assets and abuse.

Some of the recent tactics that fraudsters use to expertly hide in plain sight include:

  • Following the volume of mobile users to attack on mobile.
  • Social engineering against users with active accounts.
  • Targeting dormant accounts with credential stuffing, as these appear to be more trustworthy accounts.
  • Bots mirroring the behaviors of streamers to look like highly engaged players.

Although the attacks against gaming platforms have descended from their peak during 2020, the challenge is far from over. As the gaming industry remains one of the most attacked by fraudsters, it is critical to stop fraudsters at the front door while enabling a good experience for genuine gamers. Gaming companies cannot let their guard down because, in addition to established fraudsters, there are now 'regular' people, such as tech-savvy teenagers, also engaging in fraud, hacks, and manipulating in-game economies.

With the growing popularity of online gaming platforms, coordinated attacks and so-called first-party fraud will also continue. Therefore, it becomes imperative that online gaming platforms put effective fraud defenses in place to stop fraudsters at the entry gates and prevent bad actors from entering, rather than cleaning up the mess afterwards. They must monitor the entry points (account registration and logins) to ensure entry is granted only to authentic users.

Fortify the entry gates

Arkose Labs does not deny entry to any incoming user, for the simple reason that there may be potentially revenue-generating users among them. Instead, the Arkose Labs platform uses smart authentication and affords every user an opportunity to prove authenticity, and only stops suspicious actors for further scrutiny.

Based on the real-time risk assessment of every user, interactive challenges are presented that are fun to clear for authentic users but cause bots to fail. Persistent malicious users are required to spend additional time and resources trying to clear the challenges that keep increasing in numbers and complexity. This erodes the returns from the attack and also prevents fraudsters from making money from a myriad of downstream abuse they engage in after initially breaching defenses. As a result, online gaming platforms can protect their ecosystems and offer trustworthy gaming arenas to their players.