Gone Phishing

By Julian Rogers
This summer’s hacker attack on New Jersey’s online gambling industry once again highlighted the crippling and costly cyber threats operators face. Julian Rogers reports on why the sector is such an attractive target and why this problem shows little sign of subsiding.

The 24/7 nature of online gambling, and a reliance on recurring high-profile sporting events for spikes in revenue, make operators’ websites a prime target for malicious hackers and other cybercriminals. A favoured and highly effective attack continues to be the distributed denial of service (DDoS), in which botnets bombard websites with illegitimate traffic, causing debilitating outages as servers and bandwidth buckle under the strain. Attacks can last hours, days or weeks, and perpetrators often attach ransom notes in the hope of landing a big payday through this form of modern-day extortion. It is big business and a persistent threat to operators.

Just this July, at least four of New Jersey’s 16 online casino sites were paralysed for around half an hour by a DDoS attack. A ransom demand for an undisclosed sum in Bitcoin was made, along with a threat of a more serious follow-up attack unless payment was forthcoming. As it turned out, the threatened further hit never materialised. Besides the beefed-up security put in place, one reason could be that the attacker got cold feet after New Jersey’s Division of Gaming Enforcement director, David Rebuck, informed the media that the authorities were pursuing a “known actor” who had “done this before”.

The strike was a stark warning for the Garden State’s regulated online gaming industry, which went live almost two years ago: this fledgling market is on the radar of DDoS attackers. “Online casinos need to be worried because that is where the money is, so they will be targets for certain types of hacks and threats,” says Bill Hughes Jr, a partner at law firm Cooper Levenson and an expert in cyber liability and cyber risk management. “When asked why he robbed banks, Willie Sutton said ‘because that is where the money is’. Gaming sites are targeted because they are dealing with a large amount of transactions and there are so many ingenious ways for hackers to get in there and do it.”

Yet this form of blackmail is nothing new. As far back as 2004, up to 20 UK-facing online bookmakers were the victims of sustained DDoS assaults with ransoms attached, causing each company around three dozen outages. Since then countless i-gaming operators have been hit multiple times. It is an omnipresent threat that all e-commerce businesses have to be wary of, and one that shows little sign of abating. If anything, it is intensifying. DDoS protection specialist Neustar recently surveyed nearly 800 executives and professionals from four continents and found that half of the businesses quizzed had suffered a DDoS attack in 2014 and early 2015. In fact, 54% of firms had been struck on at least six occasions.

“DDoS attacks indeed pose a serious threat,” says Christos Dimitriadis, group director of information security at Intralot and international president of information security association ISACA. “It can cause direct financial impact, defamation and customer dissatisfaction, as well as legal and compliance related impact if service level agreements and contractual obligations are breached.”

He adds: “In order to understand the reason behind DDoS attacks, one has to study the motive and classify them. There are attacks that can be initiated – for demanding ransom, for being paid for hurting the reputation of a company, for ‘hacktivism’, or just for proving that they can be done, among other reasons.” Indeed, an ISACA and RSA survey published this year assigned cyber threat actors to six categories: cybercriminals, hackers, ‘hacktivists’, nations, malicious insiders and non-malicious insiders. “Each one has its own motives,” says Dimitriadis, “from financial gain to stealing secrets, causing disruption of service, stealing personal information or making a statement to the public.”

Dimitriadis, who has been entrenched in information security for over 14 years, suggests the costs attributed to a DDoS incident can range from $40,000 per hour to hundreds of thousands if the attack is persistent. For online bookmakers, the most potentially damaging attacks coincide with marquee sporting events. For instance, last April, around the weekend of the Grand National, Betfair acknowledged via a tweet that the site was experiencing a DDoS attack and that it was blocking all site traffic. As well as the immediate financial impact of lost business, such an outage damages the operator’s reputation and could cost it future business as customers go elsewhere. And if a Google crawler happens to be passing while the site is offline, it can have a detrimental effect on SEO and page ranking.

The attackers can be situated anywhere in the world and armed with just a laptop, an internet connection and easily obtainable software. Nevertheless, their actions can still be paralysing. A DDoS attack on Betat Casino earlier this year, in which a ransom of 10 Bitcoin (worth around $2,200 at the time) was demanded, resulted in the casino being hit with a hefty 45Gbps of nuisance traffic, a representative subsequently revealed on a forum. According to Neustar, around 40% of DDoS attacks are less than 5Gbps. And, as in the Betat Casino case, demanding a ransom payment in a decentralised cryptocurrency like Bitcoin – the preferred method for anonymous transactions on the dark web – adds layers of opacity if the blackmail bears fruit.

Jagdeep Bains, CTO of internet security firm DOSarrest, says no website is ever “bulletproof” and confirms that attacks, whether they be politically or commercially motivated, or launched solely to cause disruption, have become noticeably more sophisticated. “Today’s DDoS attacker is smarter than before and he does his reconnaissance on a website. He sees what CMS platform it is, be it WordPress, Joomla or so forth, and runs a DDoS with one or a few servers that hits a website 20 times with a login script so that the backend database gets exhausted and drops, making the whole site useless. Also, the sites are getting more complex, which creates more opportunities for would-be attackers to stealthily bring a site to its knees.”
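The attack Bains describes is an application-layer flood: a few hosts repeatedly POST to an expensive, unauthenticated login handler so the database, not the bandwidth, gives out. Because the byte volume is small, bandwidth-based DDoS thresholds miss it; counting expensive requests per source does not. The following detector is an added example for this article, not code from the page or from DOSarrest. It assumes Apache/Nginx "combined" access logs and the default WordPress/Joomla login endpoints (both assumptions, not stated in the text); the sample log lines are constructed using RFC 5737 documentation addresses.

```python
"""Detect an application-layer login flood in web server access logs.

Added example for this article; not code from the original page or from
DOSarrest. Assumptions not in the text: logs are in the Apache/Nginx
"combined" format and the expensive endpoints are the WordPress/Joomla
defaults in LOGIN_PATHS. All sample log lines below are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Unauthenticated endpoints whose POST handler does a password hash and DB
# work on every request: a handful of hosts hammering these can exhaust the
# backend long before bandwidth is a problem (the attack Bains describes).
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php", "/administrator/index.php"}


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # drop any query string
        "status": int(m["status"]),
    }


def detect_login_flood(lines, window_s=60, threshold=10):
    """Return {ip: peak_count} for IPs that made >= threshold login POSTs
    inside any sliding window of window_s seconds."""
    recs = [r for r in map(parse_line, lines) if r is not None]
    recs.sort(key=lambda r: r["ts"])           # logs may be interleaved
    per_ip = defaultdict(deque)
    offenders = {}
    for rec in recs:
        if rec["method"] != "POST" or rec["path"] not in LOGIN_PATHS:
            continue
        q = per_ip[rec["ip"]]
        q.append(rec["ts"])
        # evict timestamps that have fallen out of the window
        while (rec["ts"] - q[0]) > timedelta(seconds=window_s):
            q.popleft()
        if len(q) >= threshold:
            offenders[rec["ip"]] = max(offenders.get(rec["ip"], 0), len(q))
    return offenders


# --- constructed sample log (RFC 5737 documentation addresses) -------------
_BASE = datetime(2015, 7, 4, 12, 0, 0, tzinfo=timezone.utc)

def _line(ip, offset_s, method, path, status=200):
    ts = (_BASE + timedelta(seconds=offset_s)).strftime(TS_FMT)
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'

SAMPLE_LOG = (
    # attacker host A: 12 login POSTs in 33 seconds
    [_line("203.0.113.5", 3 * i, "POST", "/wp-login.php") for i in range(12)]
    # attacker host B: 11 login POSTs in 50 seconds, plus an innocuous GET
    + [_line("198.51.100.7", 5 * i, "POST", "/wp-login.php") for i in range(11)]
    + [_line("198.51.100.7", 7, "GET", "/")]
    # legitimate user: loads the form, fails once (200), then succeeds (302)
    + [_line("192.0.2.10", 1, "GET", "/wp-login.php"),
       _line("192.0.2.10", 9, "POST", "/wp-login.php"),
       _line("192.0.2.10", 20, "POST", "/wp-login.php", 302)]
    # slow credential guesser: 30 POSTs, one per minute, never 10 in a window
    + [_line("192.0.2.99", 60 * i, "POST", "/wp-login.php") for i in range(30)]
)

if __name__ == "__main__":
    for ip, peak in detect_login_flood(SAMPLE_LOG).items():
        print(f"login flood from {ip}: peak {peak} POSTs per 60s")
```

Run against the constructed log, the two flooding hosts are flagged while the legitimate user and the slow one-per-minute guesser are not. The same per-source count of expensive requests is what an edge rate limit on the login path should key on; the threshold is a tuning decision for the operator, since a real user rarely needs more than a few login attempts a minute but a shared NAT address may legitimately need more.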

He also raises the prospect of online operators attacking other online operators. “If you can get away with it and can cause your competitor’s site to go down, then all’s fair in love and war. It’s never been proven but I would guess there are competitive attacks, especially in the casino arena.” What is known for sure is that there are cells of DDoS mercenaries available for hire from countries like Russia and Romania, Bains adds. “It’s international trade under the table, and they have surrounded themselves with enough profit that they have pretty much become untouchable.”

Furthermore, low barriers to entry and the potentially lucrative payoffs are inspiring more people to take up this form of web extortion. “Entry to DDoS is getting quite easy and accessible,” he explains. “You can download public tools for free and run them on fairly inexpensive hardware and software, especially through the cloud platforms from various hosting companies. Everybody and their dog are getting into DDoS because they know how easy it is to get into and how disruptive it can be.”

Of course, it’s not just DDoS attacks that operators have to be wary of. And land-based companies can just as easily end up in the crosshairs of malicious hackers. This was demonstrated last year when Las Vegas Sands, which counts the Venetian and the Palazzo casinos among its portfolio, sustained a huge cyber attack whereby PCs and servers shut down, email and phones stopped functioning and some hard drives were wiped clean. It later transpired that the disabling strike was orchestrated by Iranian hackers with an axe to grind with LVS’ outspoken majority owner, Sheldon Adelson. The billionaire casino magnate, who is Jewish, has never hidden his support of Israel, yet this proved to be a devastating attack on a prominent US corporation.

Despite both targeting the gaming sector, Hughes describes the New Jersey DDoS assault and the LVS hack as akin to “comparing apples with oranges”. “The New Jersey attack was monetary-driven, it was about extorting money. Sands was ideological and a state-sponsored direct attack on Sheldon Adelson.” Hughes believes the motive for many hackers is the cachet of breaching companies’ defences and garnering respect among their peers. “It [LVS attack] gave them notoriety and bragging rights. Much of hacking has had its origin in bragging rights and being able to penetrate the impenetrable system. It was only recently that you could make a boatload of money from this.”

Hacking against US companies has grabbed the headlines in the past 12 months. The biggest blitz was against Sony Pictures by the “Guardians of Peace” in which data, including employee emails, salaries and other personal information, was stolen and leaked online. It’s claimed this amounted to 100TB of data. And in July of this year hackers also disseminated 25GB of personal information belonging to registered users of the controversial extramarital affair site Ashley Madison.

The damage from data breaches of this magnitude can sometimes prove almost impossible to repair as customer loyalty is permanently eroded. Worryingly, Bains says every online organisation is potential prey to malicious hackers and DDoS attackers. “If you have any kind of public exposure then you are vulnerable.” And Dimitriadis warns: “It is evident that as information technology enables the business more and more, cyber security becomes a top priority that should be embedded in the overall business strategy.” Gambling operators – if they didn’t know it already – ignore this advice at their peril.
