SHARED INTEL: ‘Credential stuffers’ leverage enduring flaws to prey on video game industry

By Byron V Acohido

The video game industry saw massive growth in 2020; nothing like a global pandemic to drive people to spend more time than ever gaming.

Related: Credential stuffers exploit Covid 19 pandemic

Now comes a report from Akamai detailing the extent to which cyber criminals preyed on this development. The video game industry withstood nearly 11 billion credential stuffing attacks in 2020, a 224 percent spike over 2019. The attacks were steady and large, taking place at a rate of millions per day, with two days seeing spikes of more than 100 million.

This metric shows how bad actors redoubled their efforts to rip off consumers fixated on spending real money on character enhancements and additional levels. The big takeaway, to me, is how they accomplished this – by refining and advancing credential stuffing.

Credential stuffing is a type of advanced brute force hacking that leverages software automation to insert stolen usernames and passwords into web page forms, at scale, until the attacker gains access to a targeted account.
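The automated, high-volume pattern described above is also what makes credential stuffing detectable on the defending side. As an added illustration (not code from Akamai or the report), the following detector reads constructed login log lines and flags a source that tries many distinct usernames with a high failure rate inside a short window, the opposite of a human retrying one account; the thresholds and the log format are assumptions for this example.

```python
"""Flag credential-stuffing patterns in web login logs (added illustration)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: timestamp, source IP, username, outcome.
# 203.0.113.7 walks a combination list; 198.51.100.9 is a user mistyping.
SAMPLE_LOG = """\
2020-11-03T10:00:01Z 203.0.113.7 alice FAIL
2020-11-03T10:00:02Z 203.0.113.7 bob FAIL
2020-11-03T10:00:02Z 203.0.113.7 carol FAIL
2020-11-03T10:00:03Z 203.0.113.7 dave OK
2020-11-03T10:00:04Z 203.0.113.7 erin FAIL
2020-11-03T10:00:05Z 203.0.113.7 frank FAIL
2020-11-03T10:00:05Z 203.0.113.7 grace FAIL
2020-11-03T10:00:06Z 203.0.113.7 heidi FAIL
2020-11-03T10:01:00Z 198.51.100.9 alice FAIL
2020-11-03T10:01:05Z 198.51.100.9 alice FAIL
2020-11-03T10:01:20Z 198.51.100.9 alice OK
"""

def parse_line(line):
    ts, ip, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome

def detect_stuffing(log_text, window=timedelta(seconds=60),
                    min_users=5, min_fail_ratio=0.8):
    """Return {ip: (distinct_users, attempts, failures)} for every source whose
    sliding window holds >= min_users distinct usernames and whose failure
    ratio is >= min_fail_ratio. Thresholds are illustrative; tune per site."""
    events = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, ip, user, outcome = parse_line(line)
        events[ip].append((ts, user, outcome))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Advance the window start so it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            fails = sum(1 for _, _, o in win if o == "FAIL")
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                flagged[ip] = (len(users), len(win), fails)
    return flagged
```

Note that the single `OK` inside the flagged burst is exactly the "valid login" the attacker is after; a defender should treat that success as suspect, not as a sign the traffic was benign.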

We know from a Microsoft report how hacking groups backed by Russia, China and Iran have aimed such attacks against hundreds of organizations involved in both the 2020 presidential race and U.S.-European policy debates. And credential stuffing was the methodology used by a Nigerian crime ring to plunder tens of millions in federal stimulus money and unemployment relief from citizens in several states and Canadian provinces.

Credential stuffing is worrisome. Some deep, structural flaws persist in the way we use our web browsers and mobile apps to access online accounts. I had the chance to discuss this with Akamai security researcher Steve Ragan, the author of the report. Here are excerpts of our discussion, edited for clarity and length.

LW: Could you outline the sequence of steps bad actors are taking today to rip off gamers?

Ragan: It really depends on the goal of the criminal. Some will obtain stolen credentials, and then resell that account to people who want to play the games on it; or they might sell it to people who want to establish collections of gamer profiles related to a game, gaming company, or platform. There are some who obtain stolen credentials in order to harvest player information, which can then be collected and sold / traded.


Data enrichment is a thing that happens in the criminal economy. When you have a victim that came from a phishing attack on the financial services industry, for example, and then later you obtain that victim’s gaming details, if there is a match on email addresses, username, address, etc., that correlation is valuable, and it is collected.

Many attacks on gaming happen because of credential stuffing, which leads to direct ATO or Account Takeover. Some of the credential stuffing attacks can be traced back to existing data breaches or phishing. There are also direct attacks against a single gamer or a group of gamers to consider.

Usually the path looks like this:

• Someone compromises the account (ATO)

• The account is then added to a group of other similar accounts and processed for game inventory and data

• It’s then offered for sale in private groups and leveraged by the buyer

• Once it has been leveraged or further processed, it is then repackaged and sold on an open market, which is where the wider public can obtain access to it.

The end result is the same; once the criminal has what they want, and the compromised account is no longer needed, it’s sold or traded to others on various marketplaces.

Gaming companies also have to deal with bots, which are used to register accounts in order to do things like boosting – where a given gaming profile is artificially played in order to increase stats or help rank up another player.

However, botted accounts are not what you see on many of the criminal markets, because buyers want access to accounts where there are actual people associated with them. Using botted accounts gets them caught faster, as gaming companies routinely ban botted profiles, so using an account where a human element has been established is preferred.

If botted accounts are sold as player accounts, the seller would suffer hits to their reputation, which in some markets would see them kicked out and banned from selling. Botted accounts have their place in the criminal economy focused on gaming, but compromised human assets are still king.

LW: SQL injection persists, accounting for 59% of gaming industry attacks. Can you clarify where SQLi comes into play; in harvesting logons, mainly?

Ragan: SQLi against gaming companies is mostly geared towards exposing details housed in the database, which could be logins and passwords, or personal information. However, keep in mind this could also be other sensitive game-related elements, which the criminals could leverage.

Each gaming company is different with regard to what they house in their databases. You also see SQLi running alongside other web-based attacks such as LFI and XSS, which again are criminals trying to gain a foothold on the server, or expose configuration details.

LW: Why are web and mobile app servers in general, and gaming industry servers, in particular, still structurally vulnerable to SQLi?

Ragan: There isn’t a single answer here. It could be human error, it could be legacy code, or a combination of both. We’ve spoken about SQLi before, and as I said then, code complexity is a thing.

I think, pure speculation on my part, that because gaming infrastructure and development is such a complex machine, SQL vulnerabilities get harder to detect and remove.

LW: Can you make a general statement about the state of web and mobile app server design and implementation as they exist in commercial use today — from a security standpoint?

Ragan: Remember how the web was in the early 2000s? The problems we had back then? They’re the same problems that you see in mobile apps and APIs today. They may have different names and slightly different descriptions, but they’re the same issues. SQLi for example.

Consider for a moment the OWASP Top 10 and the OWASP API Top 10; both talk about broken authentication mechanisms, due to poor implementation and injection flaws. Overlaps like this are a real problem, and criminals will take advantage of these types of flaws on a regular basis.

LW: Are our web and mobile servers doomed to be forever susceptible to SQLi, LFI, XSS and RFI attacks?

Ragan: It certainly isn’t an easy problem to fix, and it certainly isn’t something that any vendor can claim to have a magic bullet for, or a one-size fits all solution. I want to be optimistic and say we will see these vulnerability types go away, but I have to be a realist.

I think these flaws will still be here in some capacity when my grandkids start exploring the web, and it isn’t because of doom, it’s because code is complex, and the more code you add to something, the larger the attack surface gets. Automated code/vulnerability scanners do a good job, but they’re not perfect. All it takes is for one bug to slip through the cracks.

The phrase ‘beware the power of a pebble’ applies here. For skaters, a pebble can ruin your day and send you crashing to the ground. For developers, one little overlooked bug, or a configuration error, has the power of a pebble.

LW: Credential stuffing really is the wild card accelerator, here, isn’t it? Can you frame how credential stuffing has risen to the fore as an attack tool/technique?

Ragan: Credential stuffing is almost a turnkey business at this point. It’s the ease and low barrier to entry that makes this attack type popular. Credential stuffing doesn’t really require a lot of complex knowledge, or any prerequisites for that matter; just a list, some configuration files, a few proxy servers, and an application to drive it all. For little to no investment on their part, criminals can automate attacks at scale and collect valid logins that can then be sold or traded on any number of markets.

Credential stuffing isn’t just a gaming problem either, it affects all industry segments. Consider the number of data breaches and password leaks that have hit the public over the last few years, and now consider the fact that those incidents are just the ones we know about.

Criminals have an almost unlimited number of usernames and passwords to use for their attacks, and they have gotten the process down to almost an exact science – they just load up the combination list, press start, and walk away.

LW: Is what Akamai tracked in 2020, with respect to video game industry attacks, a sign of more credential stuffing refinements and advancements yet to come?

Ragan: I believe so, yes. In 2020, criminals started to process their lists differently. In some cases, they even started exploring password augmentation and data enrichment, tracking victim credentials across multiple breaches in order to better hone their combination lists. This gives them a wider net to cast into the victim pool.

One of the things I’ve been speaking about over the last several years is the need to introduce MFA at all levels and enforce it, as it slows or sometimes stops credential stuffing attacks cold. Many criminals will simply move on from an account that has MFA active, as they don’t want to spend the time on it. There are some who will focus their efforts, but that is a different type of attack.

We’ve already seen an evolution of sorts over the last couple of years, as criminals now run checks against authentication APIs. What this enables them to do is offer lists of compromised accounts with details such as what games are available on the account, and if the account has MFA enabled. Buyers will look for accounts without MFA, and those that have the game they’re looking for.

LW: Could a paradigm shift to passwordless access be the silver bullet that stops credential stuffing?

Ragan: There is no such thing as a silver bullet. I’m all for passwordless authentication, but I know it isn’t something that will happen overnight, and I am skeptical of all-in-one/out-of-the-box offerings that seem to ignore the uniqueness of the organization, their users, and its environment.

Passwordless deployments represent a single point of failure as well, at least in some cases, and for many organizations in and outside of gaming, that isn’t a risk many will want to accept out of hand. This is in addition to implementation costs and upkeep, as well as training.

For example, think about magic links. You get an email, click the link, and you’re able to access the application or service. Those are passwordless authentication methods, but they require a solid IAM foundation to ensure the delivery channel is secure. You can’t brute force the codes used, as they’re generated at the time of request, but for many organizations magic links would require a lot of changes to the environment to implement.

Remember that powerful pebble we talked about? Exactly. Right now, I think the step forward in the interim is to implement something that leverages MFA (Duo, Google Authenticator), establishes trust at the device level (certificates), and combines that with an SSO. I use something similar at Akamai, and I like it. I rarely, if ever, need to use a password. But I think the future will leverage FIDO2 (WebAuthn & CTAP) heavily, and we’ll all be better for it.
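Ragan’s point about magic links is that the secret is generated per request and consumed on use, so there is nothing durable for a combination list to be stuffed against. As an added example (not code from Akamai or the report), the store below issues a fresh 256-bit token per request, keeps only its SHA-256 hash, and rejects reuse and expiry; the class and constant names are assumptions for this example, and e-mail delivery is assumed to happen elsewhere.

```python
"""Single-use, expiring magic-link tokens (added illustration)."""
import hashlib
import secrets
import time

LINK_TTL_SECONDS = 600  # illustrative 10-minute lifetime for the link

class MagicLinkStore:
    """Hypothetical server-side store for pending magic-link tokens."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._pending = {}       # sha256(token) -> (email, expires_at)

    @staticmethod
    def _hash(token):
        # Store only the hash: a leaked table does not yield usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email):
        """Create a fresh token for `email` and return it for embedding in
        the e-mailed link. Nothing reusable across requests is kept."""
        token = secrets.token_urlsafe(32)   # 256 bits of entropy per request
        expires_at = self._now() + LINK_TTL_SECONDS
        self._pending[self._hash(token)] = (email, expires_at)
        return token

    def redeem(self, token):
        """Return the authenticated email, or None if the token is unknown,
        already used, or expired. The entry is consumed on the first attempt
        either way, so a link can never be replayed."""
        entry = self._pending.pop(self._hash(token), None)
        if entry is None:
            return None
        email, expires_at = entry
        if self._now() > expires_at:
            return None
        return email
```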

LW: Anything else?

Ragan: Security is hard. What our report has shown is that criminals are persistent and relentless. It doesn’t matter if they are targeting gaming, finance, retail, travel and hospitality, or the media industries, they go full-on and non-stop.

Good security is a balancing act and an evolution. It isn’t something you buy, it is something you develop and work on, something you grow. This is essential, because the criminals are constantly growing as well. They’re developing new techniques and methods constantly. What the criminals want to do is find the pebbles. It’s our job to sweep them off and clear the attack surface.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.
