The gaming industry continues to boom with esports events bringing in thousands, if not millions, of viewers and having extremely large prize pools for the competitors. However, this popularity can attract the wrong attention, and gaming organisations need technology in place to catch these bad actors whilst allowing bystanders to continue to use their product.
David Senecal is the vice president of product architecture and research at Arkose Labs, the cybersecurity company. With over 20 years of experience working with web performance, security, and enterprise networking technologies through various roles (support, integration, consulting, development, product management, and architecture) and a proven track record in designing and developing web security services, training, and products to help prevent fraud, bot, and application-layer attacks, Senecal offers his views on how fraud can be stopped in the online gaming and esports industry:
Esports is continually growing in popularity and has become a billion-dollar industry. According to one estimate, around 30 million people watched esports competitions last year. The top competitors earn millions of dollars per year. The esports economy includes many who gamble on the outcome of these events, as well as aspiring professional gamers who compete online.
Of course, where there is money and popular consumer attention, fraud will follow. Attackers target online gaming and esports in a variety of ways. Because the industry is relatively new, many gaming platforms are being inundated with sophisticated attacks and are struggling to keep up. Here’s what they’re dealing with, and how to fight back.
Celebrity players are in the crosshairs of account takeover attacks
Celebrity players have mastered the game so much that playing is a day job for them. They take part in competitions where they can earn hundreds of thousands of dollars. Celebrity players are often exposed to account takeover attempts, which could be used by fraudsters either to impersonate them or steal credits the players have available on their accounts. These credits can often be exchanged for virtual or fiat currency. The username in this case may be fairly easy to get, so the only thing that a potential fraudster needs to take over the account is the password. The most efficient way for an attacker to figure out the password is to set up a botnet to run a brute-force attack against the gaming platform's login endpoint. The botnet script is generally sophisticated enough to mimic the fingerprint of a legitimate system, like a PlayStation 4 or Xbox, in an effort to stay under the radar. The attack will also be spread evenly worldwide so as to blend into legitimate user traffic.
In this example, the reward can be very lucrative and attackers will spare no expense to compromise the account. Instead of using regular proxies hosted in data centres, which are easy to detect, attackers may opt for a solution that leverages a mix of residential and mobile IP addresses evenly spread across the world. The price sheet of a well-known proxy provider reveals that a proxy service leveraging a mobile network is 2.7 times more expensive than a proxy hosted in a data centre.
Legitimate competitors create fake accounts to boost their reputations
Due to the pandemic, many international sports competitions took place remotely, with organisers creating virtual experiences that even enabled fans to cheer for their favourite team or players. Fame is important in the esports realm, and that fact can drive aberrant behaviours among the competitors themselves. In some cases, competitors take their ambition to be famous to whole new levels by creating fake accounts at scale so that later they can reuse the accounts in a scheme to boost the reputation of their real accounts.
In effect, these competitors are committing fraud to build their very own virtual team of fans and supporters. Of course, the real competitors still need to be proficient and capable to advance in a competition but these reputation-boosting schemes are often used to destabilize other teams in an attempt to gain an (unfair) advantage in a tournament.
Over the past 14 days alone, Arkose Labs threat researchers have observed consistent attack traffic originating from hosting providers and targeting gaming platforms, with the bulk of the traffic coming from Host1Plus, Hetzner Online, and M247 – providers where malicious traffic commonly originates. The spread and the scale of the attack are significant. On average, we see the attack traffic originating from over 3.2K unique data centers, leveraging over 61.5K unique IP addresses in over 150 countries. Proxies and VPNs, common ways to spread the attack worldwide, are used for 30 per cent of the attack traffic.
Using botnets in this type of situation represents the fastest way to create a massive number of fake accounts at scale within minutes.
Actionable insights: Beating the bots in the realm of online gaming
A surefire way exists to stop attackers’ threats or at least ensure attackers don’t target your gaming platform: eliminate the economic incentive behind fraud attacks.
To reduce your attractiveness as an attacker’s target, work backwards to figure out the various routes that attackers could take to make money from your platform. By understanding those ‘points of profit’, you can devise appropriate strategies and tactics to make it more difficult for the attackers to be successful at their schemes. Here’s an example of how that scenario would play out: you can make it more costly for the attackers to buy proxies by utilising robust IP intelligence. Robust device fingerprinting can then force attackers to invest in more software, which drives up their costs. You can trigger additional step-up measures for suspicious traffic. When detecting fraudulent traffic, do not just use passive signals, as attackers get around those and relying on them leads to false positives for good users as well.
That last point is critically important. If you have defenses in place that stop all attacks, but they also catch all of your good users in their snare, then they are pointless. The key is to have the greatest resilience to attacks with the least disruption to good users. This means using an AI-powered platform that performs smart but invisible risk assessments, which results in a frictionless experience for good users whilst making it impossible for fraudsters to profitably break the security defenses.
If this is coupled with an effective challenge-response mechanism that can stop even the most advanced bots in order to test potentially suspicious traffic, you can be reasonably assured your platform is protected from bad actors while the real gamers can enjoy it.
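The sketch below is an added example, not part of the original article or any Arkose Labs product: it shows why password guessing spread across many residential or mobile addresses slips past per-IP limits, and how counting failures per account instead lets a platform step up the challenge without locking out the real owner. The event layout, thresholds, account names and addresses are constructed assumptions.

```python
from collections import Counter, defaultdict, deque

WINDOW_S = 600        # assumed look-back window in seconds
MIN_DISTINCT_IPS = 5  # assumed threshold of distinct failing IPs per account

# Constructed sample events: (unix_ts, account, source_ip, password_ok)
EVENTS = [
    (1000, "casual_gamer", "198.51.100.7", False),  # one user mistyping
    (1005, "casual_gamer", "198.51.100.7", False),
    (1010, "casual_gamer", "198.51.100.7", True),
] + [
    # one guess per address against a high-value account
    (1000 + 20 * i, "pro_player", f"203.0.113.{i + 1}", False) for i in range(8)
] + [
    (1200, "pro_player", "192.0.2.44", True),  # correct password, mid-attack
]

def max_failures_per_ip(events):
    """What a per-IP rate limiter sees: the worst single address."""
    return Counter(ip for _, _, ip, ok in events if not ok).most_common(1)[0][1]

def score_logins(events, window_s=WINDOW_S, min_ips=MIN_DISTINCT_IPS):
    """Return (account, ip, decision) per event, in time order.

    Failures are tracked per account, so guesses spread over many
    addresses still accumulate against the targeted account.
    """
    recent = defaultdict(deque)  # account -> deque of (ts, ip) failures
    decisions = []
    for ts, account, ip, ok in sorted(events):
        fails = recent[account]
        while fails and fails[0][0] < ts - window_s:  # expire old failures
            fails.popleft()
        other_ips = {f_ip for _, f_ip in fails if f_ip != ip}
        if len(other_ips) >= min_ips:
            decision = "step_up"  # active challenge, even if password is right
        elif ok:
            decision = "allow"
        else:
            decision = "reject"
        if not ok:
            fails.append((ts, ip))
        decisions.append((account, ip, decision))
    return decisions

def flagged_accounts(events):
    """Accounts that received at least one step-up decision."""
    return sorted({a for a, _, d in score_logins(events) if d == "step_up"})
```

In the sample data the busiest single address belongs to the legitimate user who mistyped twice, while the targeted account never sees more than one failure per address.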