Deter Account Takeovers in Online Gaming

Overview

The global gaming industry rakes in billions of dollars annually. Using seamless onboarding, immersive digital avatars and the ability to make in-game purchases, operators enhance their platforms to attract new users. In fact, video games revenue, which rose 32% between 2019 and 2021, will rise at an 8.4% CAGR through 2026, creating a US$321bn industry. An increased user base, and a proportionate increase in revenue, means the gaming industry is a lucrative target for fraudsters.

Among the many ways bad actors exploit gaming platforms is new account fraud – creating fake accounts – which they use to pocket the sign-up bonus offered by most gaming platforms to attract new customers. Another popular attack type is account takeover (ATO), which allows attackers to monetize compromised digital accounts in several ways: by cheating other players, skewing the results of the game, or by laundering money, for example.

Players use a variety of devices, and gaming operators must build platforms that not only offer immersive gaming experience but also deter fraud and comply with prevailing regulations. Understanding the economics of account takeover attacks can be helpful in defeating these attempts and providing a safe digital gaming environment.

How Much Money is Made by Attacking Gaming Accounts?

The Economics of Account Takeover Attacks, explains the factors that affect the monetization potential of gaming accounts. It reveals how bad actors make money from compromised gaming accounts and highlights how a well-protected gaming platform increases the attackers’ costs and deters account takeover attacks.

While a premium account promises higher returns, bulk accounts carry lower monetization potential. Other factors that affect the returns from an account takeover attack include:

Hit rate

The number of valid sets of credentials that can be harvested from a credential stuffing attack is called hit rate. For bulk accounts, the hit rate is around 5% whereas for premium gaming accounts it is 0.0075%. The hit rate is lower for gaming accounts, since the majority of players are young users and the chances of their credentials being breached from other websites is much lower. Therefore, for an average quality combo list with 1 million credentials, attackers can harvest around 50,000 bulk accounts and 75 premium accounts.

Reputation of the attacker

Bad actors take advantage of the marketplace on the dark web to sell off the harvested credentials. A seller’s reputation plays a big role in determining how much of their inventory they can sell. New sellers, or those with a low reputation, can expect to sell up to 20% of their inventories. Experienced resellers, or those with a medium reputation, may sell up to 40% of their inventory, whereas long-term proven resellers with a good reputation may sell at least 60% of their inventory.

Market value of the compromised accounts

The market price of a user’s credential varies by industry. For bulk gaming accounts, the average revenue per credential is $1.70 which can amount to $51,000 for an attacker with good reputation, $34,000 and $17,000 for attackers with medium and low reputations, respectively. Similarly, for premium gaming accounts, the average revenue per credential is around $648, which can fetch $29,160 for a reseller of good reputation, $19,440 for medium reputation, and $9,720 for low reputation.

A website’s level of protection

Less-protected or unprotected websites are easy targets for attackers; they don’t need to have superior technical skills, and they don't need to create an attack infrastructure. On the other hand, highly protected websites may block or challenge close to 100% of the attack traffic, increasing the need for the attacker to resubmit requests, extending the timeline to completion, and raising the cost of the attack. Less-patient or skilled attackers are likely to give up an attack before it completes and move on to an easier target.

How Much Does It Cost to Attack a Gaming Website?

The Economics of Account Takeover Attacks reveals the monthly and annual costs of attacking a single and multiple (5) gaming websites with various levels of protection namely: with a WAF, a bot management solution, and an advanced bot solution such as Arkose Protect™.

The revenue potential for attackers of varying reputations for gaming platforms protected with various levels of security solutions are described in the table below:

Website protected with WAF

Number of sites attacked	1	2	3	4	5
Total cost (yearly)	$624	$624	$624	$624	$624
Potential Income (Bulk Gaming Accounts):
Low reputation	$16,376	$33,376	$50,376	$67,376	$84,376
Medium reputation	$33,376	$67,376	$101,376	$135,376	$169,376
High reputation	$50,376	$101,376	$152,376	$203,376	$254,376
Potential Income (Premium Gaming Accounts):
Low reputation	$9,096	$18,816	$28,536	$38,256	$47,976
Medium reputation	$18,816	$38,256	$57,696	$77,136	$96,576
High reputation	$28,536	$57,696	$86,856	$116,016	$145,176

Website protected with a bot management solution

Number of sites attacked	1	2	3	4	5
Total cost (yearly)	$9,000	$9,600	$10,200	$10,800	$11,400
Potential Income (Bulk Gaming Accounts):
Low reputation	$8,000	$24,400	$40,800	$57,200	$73,600
Medium reputation	$25,000	$58,400	$91,800	$125,200	$158,600
High reputation	$42,000	$92,400	$142,800	$193,200	$243,600
Potential Income (Premium Gaming Accounts):
Low reputation	$720	$9,840	$18,960	$28,080	$37,200
Medium reputation	$10,440	$29,280	$48,120	$66,960	$85,800
High reputation	$20,160	$48,720	$77,280	$105,840	$134,400

Websites protected with Arkose Protect™

Number of sites attacked	1	2	3	4	5
Total cost (yearly)	$18,080	$27,760	$37,440	$47,120	$56,800
Potential Income (Bulk Gaming Accounts):
Low reputation	-$1,080	$6,240	$13,560	$20,880	$28,200
Medium reputation	$15,920	$40,240	$64,560	$88,880	$113,200
High reputation	$32,920	$74,240	$115,560	$156,880	$198,200
Potential Income (Premium Gaming Accounts):
Low reputation	-$8,360	-$8,320	-$8,280	-$8,240	-$8,200
Medium reputation	$1,360	$11,120	$20,880	$30,640	$40,400
High reputation	$11,080	$30,560	$50,040	$69,520	$89,000

Increasing Costs, Decreasing ROI, Force Attackers to Give Up

Gaming platforms using Arkose Protect™ can deter account takeover attempts by making them costlier and increasing the time to complete. Attackers will need to create an elaborate infrastructure, possibly consisting of a laptop orchestrating a set of virtual machines (VM) deployed in a cloud infrastructure generating the attack traffic load balanced through a large set of residential and mobile proxies. The software running on the VM may be an advanced script written in Python or similar languages, or run a full-blown headless browser able to execute JavaScript and mimic more advanced behavior like mouse movement or key presses.

In addition, attackers must invest in a costly proxy service leveraging mobile and residential ISP IP addresses, as a basic proxy service would no longer suffice. Their hosting costs will double (about $100 per month) per site they attack to manage the more complex workflow of solving the Arkose Protect™ challenges. Further, they must integrate the botnet with a CAPTCHA-solving service, which costs about $2.12 per 1,000 requests.

Attackers will spend significantly more time to complete a credential stuffing attack, making the attack more noticeable and prone to mitigation, which increases the number of retries required. Considering that the CAPTCHA solving service requires four tries for every successful validation, a million credentials would need four million requests to validate, costing about $8,480. Therefore, the total annual cost to attack a single website protected with Arkose Protect™ is more than $18,000.

To avoid detection, attackers must revisit and devise a more-sophisticated attack strategy to ensure:

The traffic is spread through a large number of nodes, seeing a botnet consisting of over 10,000 nodes spanning several continents is common;

The traffic looks like it is coming from residential and mobile ISP, since traffic coming from data centers is generally considered more suspicious;

The attack traffic mimics the legitimate traffic as much as possible. For example, if users are expected to follow a specific path before reaching a resource, such as first visiting the site’s home page, then accessing the login page, and eventually logging in, the attack traffic must follow a similar workflow;

The expected data is sent with some variety in the fingerprint, yet guaranteeing that the fingerprint is valid to avoid being detected. This is because bot or fraud detection products typically collect a fingerprint client-side consisting of device and browser characteristics and user preferences, which is then evaluated to differentiate bots from humans or uniquely identify devices.

Failed attempts are resubmitted as a large majority of the attack traffic will be successfully detected and blocked or challenged. This increases the time to complete the attack.

Conclusion

Global gaming brands trust Arkose Labs for long-term protection of their platforms and consumers’ digital accounts, while preserving the user experience they are known for. Arkose Protect™ is a smart bot management solution that renders the attacks financially less lucrative by increasing the cost, effort, and the time taken to complete the attack, thereby forcing bad actors to give up and move on.

Book a Meeting

Meet with a fraud and account security expert

Request a customized demo to learn more.

REQUEST A DEMO CLOSE

Bad Bots and Beyond: 2023 State of the Threat

SOLUTION BRIEF

Stop Account Takeovers (ATO) on Online Gaming Accounts with Arkose Protect™