How Much Money is Made by Attacking Gaming Accounts?
The Economics of Account Takeover Attacks explains the factors that affect the monetization potential of gaming accounts. It reveals how bad actors make money from compromised gaming accounts and highlights how a well-protected gaming platform increases the attackers’ costs and deters account takeover attacks.
While a premium account promises higher returns, bulk accounts carry lower monetization potential. Other factors that affect the returns from an account takeover attack include:
Hit rate
The number of valid sets of credentials that can be harvested from a credential stuffing attack is called the hit rate. For bulk accounts, the hit rate is around 5%, whereas for premium gaming accounts it is 0.0075%. The hit rate is lower for gaming accounts, since the majority of players are young users and the chances of their credentials being breached from other websites are much lower. Therefore, for an average-quality combo list with 1 million credentials, attackers can harvest around 50,000 bulk accounts and 75 premium accounts.
Reputation of the attacker
Bad actors take advantage of the marketplace on the dark web to sell off the harvested credentials. A seller’s reputation plays a big role in determining how much of their inventory they can sell. New sellers, or those with a low reputation, can expect to sell up to 20% of their inventories. Experienced resellers, or those with a medium reputation, may sell up to 40% of their inventory, whereas long-term proven resellers with a good reputation may sell at least 60% of their inventory.
Market value of the compromised accounts
The market price of a user’s credential varies by industry. For bulk gaming accounts, the average revenue per credential is $1.70, which can amount to $51,000 for an attacker with a good reputation, and $34,000 and $17,000 for attackers with medium and low reputations, respectively. Similarly, for premium gaming accounts, the average revenue per credential is around $648, which can fetch $29,160 for a reseller of good reputation, $19,440 for medium reputation, and $9,720 for low reputation.
A website’s level of protection
Less-protected or unprotected websites are easy targets for attackers; they don’t need superior technical skills, and they don’t need to create an attack infrastructure. On the other hand, highly protected websites may block or challenge close to 100% of the attack traffic, increasing the need for the attacker to resubmit requests, extending the timeline to completion, and raising the cost of the attack. Less patient or less skilled attackers are likely to give up an attack before it completes and move on to an easier target.
How Much Does It Cost to Attack a Gaming Website?
The Economics of Account Takeover Attacks reveals the monthly and annual costs of attacking a single gaming website and multiple (5) gaming websites at three levels of protection: a WAF, a bot management solution, and an advanced bot solution such as Arkose Protect™.
The revenue potential for attackers of varying reputations, for gaming platforms protected with each level of security solution, is described in the tables below:
Website protected with WAF

| Number of sites attacked | 1 | 2 | 3 | 4 | 5 |
|---|---|---|---|---|---|
| Total cost (yearly) | $624 | $624 | $624 | $624 | $624 |
| **Potential income (bulk gaming accounts)** | | | | | |
| Low reputation | $16,376 | $33,376 | $50,376 | $67,376 | $84,376 |
| Medium reputation | $33,376 | $67,376 | $101,376 | $135,376 | $169,376 |
| High reputation | $50,376 | $101,376 | $152,376 | $203,376 | $254,376 |
| **Potential income (premium gaming accounts)** | | | | | |
| Low reputation | $9,096 | $18,816 | $28,536 | $38,256 | $47,976 |
| Medium reputation | $18,816 | $38,256 | $57,696 | $77,136 | $96,576 |
| High reputation | $28,536 | $57,696 | $86,856 | $116,016 | $145,176 |

Website protected with a bot management solution

| Number of sites attacked | 1 | 2 | 3 | 4 | 5 |
|---|---|---|---|---|---|
| Total cost (yearly) | $9,000 | $9,600 | $10,200 | $10,800 | $11,400 |
| **Potential income (bulk gaming accounts)** | | | | | |
| Low reputation | $8,000 | $24,400 | $40,800 | $57,200 | $73,600 |
| Medium reputation | $25,000 | $58,400 | $91,800 | $125,200 | $158,600 |
| High reputation | $42,000 | $92,400 | $142,800 | $193,200 | $243,600 |
| **Potential income (premium gaming accounts)** | | | | | |
| Low reputation | $720 | $9,840 | $18,960 | $28,080 | $37,200 |
| Medium reputation | $10,440 | $29,280 | $48,120 | $66,960 | $85,800 |
| High reputation | $20,160 | $48,720 | $77,280 | $105,840 | $134,400 |

Websites protected with Arkose Protect™

| Number of sites attacked | 1 | 2 | 3 | 4 | 5 |
|---|---|---|---|---|---|
| Total cost (yearly) | $18,080 | $27,760 | $37,440 | $47,120 | $56,800 |
| **Potential income (bulk gaming accounts)** | | | | | |
| Low reputation | -$1,080 | $6,240 | $13,560 | $20,880 | $28,200 |
| Medium reputation | $15,920 | $40,240 | $64,560 | $88,880 | $113,200 |
| High reputation | $32,920 | $74,240 | $115,560 | $156,880 | $198,200 |
| **Potential income (premium gaming accounts)** | | | | | |
| Low reputation | -$8,360 | -$8,320 | -$8,280 | -$8,240 | -$8,200 |
| Medium reputation | $1,360 | $11,120 | $20,880 | $30,640 | $40,400 |
| High reputation | $11,080 | $30,560 | $50,040 | $69,520 | $89,000 |

Increasing Costs, Decreasing ROI, Force Attackers to Give Up
Gaming platforms using Arkose Protect™ can deter account takeover attempts by making them costlier and increasing the time to complete. Attackers will need to create an elaborate infrastructure, possibly consisting of a laptop orchestrating a set of virtual machines (VMs) deployed in a cloud infrastructure, which generate the attack traffic and load-balance it through a large set of residential and mobile proxies. The software running on the VMs may be an advanced script written in Python or a similar language, or a full-blown headless browser able to execute JavaScript and mimic more advanced behavior like mouse movement or key presses.
In addition, attackers must invest in a costly proxy service leveraging mobile and residential ISP IP addresses, as a basic proxy service would no longer suffice. Their hosting costs will double (about $100 per month) per site they attack to manage the more complex workflow of solving the Arkose Protect™ challenges. Further, they must integrate the botnet with a CAPTCHA-solving service, which costs about $2.12 per 1,000 requests.
Attackers will spend significantly more time to complete a credential stuffing attack, making the attack more noticeable and prone to mitigation, which increases the number of retries required. Considering that the CAPTCHA solving service requires four tries for every successful validation, a million credentials would need four million requests to validate, costing about $8,480. Therefore, the total annual cost to attack a single website protected with Arkose Protect™ is more than $18,000.
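The figures quoted in this article, combined into one model that reproduces the tables above and shows the yearly per-site cost a defense has to impose before an attack stops paying. This is an added example, not part of the Arkose Labs report; the function names are hypothetical, and the fixed $8,400 yearly cost component is an assumption inferred from the "Total cost" rows.

```python
"""Added example: attacker net-income model built from the figures quoted on this page."""

COMBO_LIST_SIZE = 1_000_000                      # credentials per combo list (page)
HIT_RATE = {"bulk": 0.05, "premium": 0.000075}   # 5% and 0.0075% (page)
PRICE = {"bulk": 1.70, "premium": 648.0}         # revenue per credential (page)
SELL_THROUGH = {"low": 0.20, "medium": 0.40, "high": 0.60}  # inventory sold (page)

CAPTCHA_COST_PER_1000 = 2.12   # solving-service price per 1,000 requests (page)
TRIES_PER_VALIDATION = 4       # tries per successful validation (page)
HOSTING_PER_MONTH = 100        # hosting per attacked site (page)


def captcha_cost(credentials=COMBO_LIST_SIZE):
    """Cost of pushing one combo list through the CAPTCHA-solving service."""
    return credentials * TRIES_PER_VALIDATION / 1000 * CAPTCHA_COST_PER_1000


# (fixed yearly cost, yearly cost per attacked site). The WAF row is flat.
# ASSUMPTION: the 8,400 fixed part is inferred from the tables, not stated on the page.
YEARLY_COST = {
    "waf": (624, 0),
    "bot_management": (8_400, 600),
    "arkose": (8_400, captcha_cost() + 12 * HOSTING_PER_MONTH),
}


def yearly_cost(tier, sites):
    fixed, per_site = YEARLY_COST[tier]
    return fixed + per_site * sites


def gross_per_site(account_type, reputation):
    """Yearly revenue one site yields; also the per-site cost at which attacking breaks even."""
    hits = COMBO_LIST_SIZE * HIT_RATE[account_type]
    return round(hits * PRICE[account_type] * SELL_THROUGH[reputation])


def net_income(tier, account_type, reputation, sites=1):
    return round(gross_per_site(account_type, reputation) * sites - yearly_cost(tier, sites))


if __name__ == "__main__":
    for tier in YEARLY_COST:
        for kind in HIT_RATE:
            for rep in SELL_THROUGH:
                row = [net_income(tier, kind, rep, n) for n in range(1, 6)]
                print(f"{tier:15} {kind:8} {rep:7} {row}")
```

The model explains why the low-reputation premium row stays negative at every site count: each added site brings in $9,720 against about $9,680 of added cost, so the fixed costs are never recovered.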
To avoid detection, attackers must revisit and devise a more sophisticated attack strategy to ensure that:
- The traffic is spread through a large number of nodes; seeing a botnet consisting of over 10,000 nodes spanning several continents is common.
- The traffic looks like it is coming from residential and mobile ISPs, since traffic coming from data centers is generally considered more suspicious.
- The attack traffic mimics the legitimate traffic as much as possible. For example, if users are expected to follow a specific path before reaching a resource, such as first visiting the site’s home page, then accessing the login page, and eventually logging in, the attack traffic must follow a similar workflow.
- The expected data is sent with some variety in the fingerprint, while the fingerprint remains valid so that it is not detected. This is because bot or fraud detection products typically collect a fingerprint client-side consisting of device and browser characteristics and user preferences, which is then evaluated to differentiate bots from humans or uniquely identify devices.
- Failed attempts are resubmitted, as a large majority of the attack traffic will be successfully detected and blocked or challenged. This increases the time to complete the attack.
Conclusion
Global gaming brands trust Arkose Labs for long-term protection of their platforms and consumers’ digital accounts, while preserving the user experience they are known for. Arkose Protect™ is a smart bot management solution that renders the attacks financially less lucrative by increasing the cost, effort, and the time taken to complete the attack, thereby forcing bad actors to give up and move on.