As scams and account takeovers have become a growing industry, credential theft aimed at devoted gamers has reached an all-time high.
Researchers claim that the coronavirus epidemic and social-distancing lockdowns are to blame for the abrupt increase in online game usage, fueling the rise in gaming-related crime.
Scammers commit a variety of crimes using stolen credentials. A well-known cottage industry that can be easily found by searching for “raising and ranking” services is an example of the pervasive issue.
In an interview, Raghib Khan, who is the co-founder of RNF Technologies and Director of Phonato Studios, emphasized how these scammers and fraudsters frequently employ dozens of hijacked accounts that can be set up to consistently lose to a single opponent who has paid a third-party service to boost their game ranking to elite status artificially.
Scammers are more likely to access a game account using stolen credentials and steal the user’s financial information, profile information, and any other valuable virtual goods and currency they may locate. They could also use a victim’s virtual money to purchase rare skins, exclusive weaponry, and special tools in-game, which they would then take.
How Does A Credential Stuffing Attack Work?
An attack that uses stolen credentials consists of three critical steps to be considered a scam, as noted by RNF Technologies’ Raghib Khan:
Before performing credential stuffing attacks, scammers first need the raw materials to work with: a list of legitimate emails, usernames, and passwords. These are most frequently and conveniently obtained on the public or dark web, using lists derived from various data breaches. Phishing, malware, or social engineering attacks are also used to steal credentials.
Scammers employ credential stuffing tactics to locate the proper combinations and access accounts after obtaining data. They frequently use bots to carry out this at scale: they merely enter the list of stolen credentials into a tool, set up proxies, specify the target, and then sit back and carry out the attacks. At times, even lone fraudsters may be utilized for more subtle attacks.
Pay For The Scam
Scammers may steal money or use the account’s information to launch other assaults. Once the proper username-password combinations have been identified using the credential stuffing attack, these scammers can also sell lists of known confirmed credentials. A list of credentials checked against a particular website will be extracted by the attack and sold again on the dark web.
Prevention Techniques To Avoid Credential Stuffing Scams
As highlighted by RNF Technologies’ Raghib Khan, credential stuffing and scamming attacks must be prevented using multiple layers of defenses. The methods listed below can be useful:
- Verification challenges: CAPTCHA and reCAPTCHA are two common verification hurdles, although powerful bots and farms can frequently crack those barriers. In response, developers have made CAPTCHAs more challenging, irritating users and encouraging abandonment.
- By restricting the number of login requests made in a given time, websites can slow down fast-moving credential stuffing bots and push them to move on to another website.
- Before a user can log in, proof of work (PoW) demands that their device make a computational effort. PoW will use a lot of power and CPU cycles if an attacker does numerous logins concurrently. Cybercriminals are discouraged from carrying out credential stuffing attacks against your website since it becomes expensive for them to do so.
- Keep an eye on compromised credentials: Website owners can take advantage of active databases of stolen usernames and passwords used in credential stuffing attacks. This early warning system prevents attackers from logging in with compromised credentials before a scam is committed, and flags the affected accounts for mitigating action, including an out-of-band password change.
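The proof-of-work defense from the list above, as an added example (not code from the article or from RNF Technologies): a hashcash-style login challenge in Python. It goes slightly beyond the text by raising the difficulty as failed logins accumulate, which ties it to the rate-limiting item. The function names, the 120-second lifetime and the difficulty schedule are assumptions chosen for illustration.

```python
import hashlib, hmac, os, time

SERVER_KEY = os.urandom(32)  # assumption: secret held only by the login service
MAX_AGE = 120                # assumption: seconds a challenge stays valid
_spent = set()               # redeemed challenges (a TTL cache in a real service)

def difficulty_for(recent_failures, base=8, cap=20):
    """More failed logins from a source -> more leading zero bits required."""
    return min(base + 2 * recent_failures, cap)

def issue_challenge(username, bits, now=None):
    """Server: stateless challenge, HMAC-bound to username, difficulty and time."""
    ts = int(time.time() if now is None else now)
    body = f"{username}:{bits}:{ts}:{os.urandom(8).hex()}"
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}:{tag}"

def zero_bits(challenge, nonce):
    """Leading zero bits of SHA-256(challenge:nonce)."""
    digest = hashlib.sha256(f"{challenge}:{nonce}".encode()).digest()
    return 256 - int.from_bytes(digest, "big").bit_length()

def solve(challenge):
    """Client: search for a nonce; expected cost is about 2**bits hashes."""
    bits = int(challenge.rsplit(":", 4)[1])
    nonce = 0
    while zero_bits(challenge, nonce) < bits:
        nonce += 1
    return nonce

def verify(challenge, nonce, username, now=None):
    """Server: cheap checks that must pass before the password is compared."""
    try:
        user, bits, ts, salt, tag = challenge.rsplit(":", 4)
        bits, ts = int(bits), int(ts)
    except ValueError:
        return False
    body = f"{user}:{bits}:{ts}:{salt}"
    good = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    now = time.time() if now is None else now
    if not hmac.compare_digest(tag.encode(), good.encode()):
        return False                      # forged or altered (e.g. lowered bits)
    if user != username or not 0 <= now - ts <= MAX_AGE:
        return False                      # wrong account or expired challenge
    if challenge in _spent or zero_bits(challenge, nonce) < bits:
        return False                      # replayed, or the work was not done
    _spent.add(challenge)                 # one solution buys one login attempt
    return True
```

Verification costs the server one HMAC and one hash, while each login attempt costs the client about 2**bits hashes, so the expense lands on whoever submits many logins.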
It’s critical for consumers and game developers to be aware of the most common scams so they can participate in safe betting and gaming. By remembering these scams and knowing self-defense techniques, players can also feel more confident that they will have a pleasant experience playing their favorite esports games. Users can also use the information provided by Phonato Studios’ Raghib Khan to stay aware of ongoing scams and protect their applications and experiences.