Stolen employee credentials put major gaming companies at risk

Amer Owaida, security writer at ESET, highlights that it’s hardly fun and games for top gaming companies and their customers as half a million employee credentials turn up for sale on the dark web.

More than 500,000 login credentials linked to the employees of 25 leading game publishers have been found for sale on dark web bazaars, according to a report by threat intelligence company KELA. Threat actors have been increasingly targeting the gaming industry, including by harvesting and selling access credentials into the internal systems of top-tier game companies.

The firm found almost 1 million compromised accounts belonging to gaming clients and employees of major gaming companies, with half of them ending up for sale on the dark web over the past year.

The criminals’ increased interest in the gaming industry could partly be chalked up to some effects of the COVID-19 pandemic, which has forced most people inside and online for their social activities, including for online gaming. With revenues estimated to reach almost US$200 billion by 2022, it’s no wonder the gaming industry has become a target for cybercriminals.

KELA has been tracking activities on the internet’s seedy underbelly for over two-and-a-half years and found compromised accounts that could provide access to the internal systems of almost every major gaming company. The accounts in question would grant entry to project management software, admin panels, virtual private networks (VPNs), and development-related environments, among others. Threat actors could wreak all manner of havoc, ranging from stealing company secrets, intellectual property and customer data to deploying ransomware on the company’s machines, which could lead to monetary and reputational damage.

Indeed, over the past few months, said KELA, criminals have been observed seeking access into the networks of a number of gaming companies. “We also detected an infected computer (bot) which had credential logs to plenty of sensitive accounts that could be accessed by attackers upon purchase: SSO, Kibana, Jira, adminconnect, service-now, Slack, VPN, password-manager and poweradmin of the company – all on a single bot – which strongly suggests that it’s used by an employee of the company with administrator rights,” according to KELA, adding that the asking price for the bot was less than US$10.

Sadly, as the company also points out, employees remain one of the main points of access, especially due to credentials being leaked through third-party breaches. These types of credentials aren’t often monetized and can be freely found on dark web forums. Part of the problem could be blamed on employees’ penchant for password reuse.

“We found that these credentials also include high-profile email addresses such as senior employees and email addresses which are generally a significant channel in the company – invoice, purchasing, admin, HR-related emails, support, and marketing are only some of the examples we noticed,” states the report.

Cybercriminals could use these accounts to carry out various spearphishing campaigns in the hunt for more valuable credentials, including those that would grant them access to the most sensitive parts of a company’s network. Alternatively, the login data could also be used to carry out Business Email Compromise (BEC) scams and other crimes.

As the gaming industry is steadily becoming a juicier target for criminals, companies would do well to invest in their cybersecurity, especially by providing security awareness training to their employees and raising awareness about the risks they face. Additionally, companies should institute proper password management policies that prevent password recycling and implement multi-factor authentication.
