IN-DEPTH 5 January 2016
Gone Phishing
This summer’s hacker attack on New Jersey’s online gambling industry once again highlighted the crippling and costly cyber threats operators face. Julian Rogers reports on why the sector is such an attractive target and why this problem shows little sign of subsiding
By Julian Rogers

The 24/7 nature of online gambling and a reliance on recurring high-profile sporting events for spikes in revenue make operators’ websites a prime target for malicious hackers and other cyber criminals. A favoured and highly effective attack continues to be the distributed denial of service (DDoS), whereby botnets are deployed to bombard websites with illegitimate traffic, creating debilitating outages as the servers and bandwidth buckle under the strain. Attacks can last hours, days or weeks, and often come with ransom notes attached by nefarious perpetrators out to land a big payday through this form of modern-day extortion. It’s big business and a persistent threat to operators.

Just this July, at least four of New Jersey’s 16 online casino sites were paralysed for around half an hour by a DDoS attack. A ransom demand for an undisclosed sum in Bitcoin was made along with a threat of a more serious, follow-up attack unless the payment was forthcoming. As it turned out, the threat of a further hit never materialised. Besides the beefed up security put in place, one reason could be that the attacker got cold feet after New Jersey’s Division of Gaming Enforcement director, David Rebuck, informed the media that the authorities were pursuing a “known actor” who had “done this before”.

The strike was a stark warning for the Garden State’s regulated online gaming industry, which went live almost two years ago. Namely that this fledgling market is on the radar of DDoS attackers. “Online casinos need to be worried because that is where the money is, so they will be targets for certain types of hacks and threats,” says Bill Hughes Jr, a partner at law firm Cooper Levenson and an expert in cyber liability and cyber risk management. “When asked why he robbed banks, Willie Sutton said ‘because that is where the money is’. Gaming sites are targeted because they are dealing with a large amount of transactions and there are so many ingenious ways for hackers to get in there and do it.”

Yet this form of blackmail is nothing new. As far back as 2004, up to 20 UK-facing online bookmakers were the victims of sustained DDoS assaults with ransoms attached, causing each company around three-dozen outages. Since then countless i-gaming operators have been hit multiple times. It’s an omnipresent threat that all e-commerce businesses have to be wary of and one that shows little sign of abating. If anything, it’s intensifying. DDoS protection specialist Neustar recently surveyed nearly 800 executives and professionals from four continents and found that half of businesses quizzed had suffered a DDoS attack in 2014 and early 2015. In fact, 54% of firms had been struck on at least six occasions.

“DDoS attacks indeed pose a serious threat,” says Christos Dimitriadis, group director of information security at Intralot and international president of information security association ISACA. “It can cause direct financial impact, defamation and customer dissatisfaction, as well as legal and compliance related impact if service level agreements and contractual obligations are breached.”

He adds: “In order to understand the reason behind DDoS attacks, one has to study the motive and classify them. There are attacks that can be initiated – for demanding ransom, for being paid for hurting the reputation of a company, for ‘hacktivism’, or just for proving that they can be done, among other reasons.” Indeed, an ISACA and RSA survey published this year assigned cyber threat actors to six categories: cybercriminals, hackers, ‘hacktivists’, nations, malicious insiders and non-malicious insiders. “Each one has its own motives,” says Dimitriadis, “from financial gain to stealing secrets, causing disruption of service, stealing personal information or making a statement to the public.”

Dimitriadis, who has been entrenched in information security for over 14 years, suggests costs attributed to a DDoS incident can range from $40,000 per hour to hundreds of thousands if the attack is persistent. For online bookmakers, the most potentially damaging attacks coincide with marquee sporting events. For instance, last April, around the weekend of the Grand National, Betfair acknowledged via a Tweet that the site was experiencing a DDoS attack and that it was blocking all site traffic. As well as the immediate financial impact of lost business, it damages the operator’s reputation and could cost it future business as customers go elsewhere. And if a Google crawler happens to be passing when the site is offline it can have a detrimental effect on SEO and page ranking.

The attackers can be situated anywhere in the world and armed with just a laptop, internet connection and easily obtainable software. Nevertheless, their actions can still be paralysing. A DDoS attack on Betat Casino earlier this year in which a ransom of 10 Bitcoin (worth around $2,200 at the time) was demanded, resulted in the casino being hit with a hefty 45Gbps of nuisance traffic, a representative subsequently revealed on a forum. According to Neustar, around 40% of DDoS attacks are less than 5Gbps. And, as in the Betat Casino case, demanding a ransom payment in a decentralised crypto-currency like Bitcoin – the preferred method for anonymous transactions on the dark web – adds layers of opaqueness if the blackmail bears fruit.

Jagdeep Bains, CTO of internet security firm DOSarrest, says no website is ever “bulletproof” and confirms that attacks, whether they be politically or commercially motivated, or launched solely to cause disruption, have become noticeably more sophisticated. “Today’s DDoS attacker is smarter than before and he does his reconnaissance on a website. He sees what CMS platform it is, be it WordPress, Joomla or so forth, and runs a DDoS with one or a few servers that hits a website 20 times with a login script so that the backend database gets exhausted and drops, making the whole site useless. Also, the sites are getting more complex, which creates more opportunities for would-be attackers to stealthily bring a site to its knees.”

He also raises the prospect of online operators attacking other online operators. “If you can get away with it and cause your competitor’s site to go down then all’s fair in love and war. It’s never been proven but I would guess there are competitive attacks, especially in the casino arena.” What is known for sure is that there are cells of DDoS mercenaries available for hire from countries like Russia and Romania, Bains adds. “It’s international trade under the table, and they have surrounded themselves with enough profit that they have pretty much become untouchable.”

Furthermore, low barriers to entry and the potentially lucrative payoffs are inspiring more people to take up this form of web extortion. “Entry to DDoS is getting quite easy and accessible,” he explains. “You can download public tools for free and run them on fairly inexpensive hardware and software, especially through the cloud platforms from various hosting companies. Everybody and their dog are getting into DDoS because they know how easy it is to get into and how disruptive it can be.”

Of course, it’s not just DDoS attacks that operators have to be wary of. And land-based companies can just as easily end up in the crosshairs of malicious hackers. This was demonstrated last year when Las Vegas Sands, which counts the Venetian and the Palazzo casinos among its portfolio, sustained a huge cyber attack whereby PCs and servers shut down, email and phones stopped functioning and some hard drives were wiped clean. It later transpired that the disabling strike was orchestrated by Iranian hackers with an axe to grind with LVS’ outspoken majority owner, Sheldon Adelson. The billionaire casino magnate, who is Jewish, has never hidden his support of Israel, yet this proved to be a devastating attack on a prominent US corporation.

Despite them targeting the gaming sector, Hughes describes the New Jersey DDoS assault and the LVS hack as akin to “comparing apples with oranges”. “The New Jersey attack was monetary-driven, it was about extorting money. Sands was ideological and a state-sponsored direct attack on Sheldon Adelson.” Hughes believes the motive for many hackers is about the cachet of breaching companies’ defences and garnering respect among their peers. “It [LVS attack] gave them notoriety and bragging rights. Much of hacking has had its origin in bragging rights and being able to penetrate the impenetrable system. It was only recently that you could make a boatload of money from this.”

Hacking against US companies has grabbed the headlines in the past 12 months. The biggest blitz was against Sony Pictures by the “Guardians of Peace” in which data, including employee emails, salaries and other personal information, was stolen and leaked online. It’s claimed this amounted to 100TB of data. And in July of this year hackers also disseminated 25GB of personal information belonging to registered users of the controversial extramarital affair site Ashley Madison.

The damage from data breaches of this magnitude can sometimes prove almost impossible to repair as customer loyalty is permanently eroded. Worryingly, Bains says every online organisation is potential prey to malicious hackers and DDoS attackers. “If you have any kind of public exposure then you are vulnerable.” And Dimitriadis warns: “It is evident that as information technology enables the business more and more, cyber security becomes a top priority that should be embedded in the overall business strategy.” Gambling operators – if they didn’t know it already – ignore this advice at their peril.
IN-DEPTH 16 August 2019
Roundtable: David vs Goliath – Can startups really disrupt the industry?

(AL) Alexander Levchenko – CEO, Evoplay Entertainment

Alexander Levchenko is CEO of innovative game development studio Evoplay Entertainment. He has overseen the rapid expansion of the company since it was founded in early 2017 with the vision of revolutionising the player experience.

(RL) Ruben Loeches – CMO, R Franco

Rubén Loeches is CMO at R. Franco Group, Spain’s most established multinational gaming supplier and solutions provider. With over 10 years working in the gambling, betting and online gaming industries, he is skilled in operations management and marketing strategy.

(JB) Julian Buhagiar – Co-Founder, RB Capital

Julian Buhagiar is an investor, CEO & board director to multiple ventures in gaming, fintech & media markets. He has led investments, M&As and exits to date in excess of $370m.

(DM) Dominic Mansour – CEO, Bragg Gaming Group

Dominic Mansour has an extensive background of nearly 20 years in the gaming and lottery industry. He has a deep understanding of the lottery sector, having been CEO at the UK-based Health Lottery, as well as building bingos.com from scratch, which he sold to NetPlay TV plc.

What does it take for a startup to make waves in gaming?

DM: On the one hand, it’s a bit like brand marketing; you build an identity, a reputation and a strategy. When you know what you stand for, you then do your best to get heard. That doesn’t necessarily require a TV commercial but ensuring whatever you do stands out from the crowd. Then you have to get out there and talk to people about it. 

AL: Being better than the competition is no longer enough; if you’re small, new and want to make a difference – you have to turn the industry on its head. Those looking to make waves need to come up with a new concept or a ground-breaking solution. Take Elon Musk, he didn’t found Tesla to improve the existing electric cars on the market, he founded it to create the industry’s first mass-market electric sports car. It’s the same for online gaming; if you want to make waves as a startup, you have to bring something revolutionary to the table.

JB: Unique IP is key, particularly in emerging (non-EU) markets. As does the ability to release products on time, with minimal downtime and/or turnaround time when issues inevitably occur. A good salesforce capable of rapidly striking partnerships with the right players is vital, as is not getting bogged down too early on in legal, operational and admin red tape.

How easy is it for startups to bring their ideas to life? How do they attract capital?

AL: It depends on the people and ideas behind the startup. Of course – the wave of ‘unicorns’ is not what it used to be. Some time ago the hype was a lot greater in terms of investing in startups, but that’s changed now. Investors now want more detail – and even more importantly, to evaluate whether the startup has the capacity (as well as the vision) to solve the problem it set out to address. That’s not to say investors are no longer interested in startups – they certainly are – but now more than ever, it’s important for startups to understand their audience as well as dreaming big.

JB: To get to market quickly, you need a great but small, team. If slots or sportsbook, the mathematical engine and UX/UI are crucial. Having a lean, agile dev team that can rapidly turn wire framing and mathematical logic into product is essential. Paying more for the right team is sometimes necessary, especially when good resources are scarce (here’s looking at you, Malta and Gibraltar).

Building capital is a different beast altogether. You won’t be able to secure any funding until you have a working proof of concept and, even then, capital is likely to be drip fed. Be prepared to get a family and friends round early on to deliver a ‘kick-ass’ demo, then start looking at early-stage VCs that specialise in growth-stage assets.

How do you react when you see startups coming in with their plan for disruption?

RL: We welcome the innovation and fresh thinking startups bring. This is particularly the case in Latin America, with a market still in its infancy. One area we’d especially like to see startups making waves is in the slot development sector. Latin America is a young market that needs local innovation suited to its unique conditions – especially in regard to mobile gaming.

Operators eyeing the market have Europe‐focused core products, which creates a struggle to work to the requirements of players and regulators. To succeed there, it has become more important than ever to work with those with a knowhow of the local area to adapt products and games to be suitable from the off; we welcome the chance for local talent to develop and grow.

Do you think it’s easier for established companies to innovate and establish new ideas? 

AL: From a financial perspective, yes. It is without a doubt easier for incumbent companies to establish a pipeline of innovation via their R & D departments, as well as having the tools to hand for data gathering and analysis.

But it stops there. Startups hold court in every other way. Not only are they flexible, they can easily switch from one idea to another, change strategy instantly as the market demands and easily move team members around. Established companies know this – and this is why we’re seeing an emerging trend for established companies to acquire small, innovative online gaming start-ups. They have the right resources and unique ideas, as well as the ability to bring a fresh approach to businesses’ thinking.

RL: For me, it’s always going to be established companies. Only with the resources, industry experience and know‐how can a company apply technology and services that truly make a difference. Of course there are exceptions. But when it comes to providing a platform that can be approved by regulators across multiple markets – as well as suiting an operator’s multiple jurisdictions – it is simply impossible for a couple of young bright minds with a few million behind them to get this done.

DM: I actually think it’s harder for established companies. It’s key to differentiate between having a good idea and executing one. That’s where the big corporates struggle most. They’re full of amazing people with all sorts of great ideas but getting them through systems and processes is nearly impossible.

Is it essential to patent-protect innovative products?

AL: It’s a very interesting subject. If we take IT for example – patents can actually become a block to the evolutionary process within the industry. Of course, getting a patent future proofs yourself from the competition copying your concept but, having said that, if you’re looking to protect yourself from someone more creative, smarter and agile, you’ve probably lost the battle already!

In our industry everything is moving faster and research takes less time than the development itself. No matter how good you are at copy pasting, you can’t copy Google or Netflix. The most important thing is not the tech itself but rather its ‘use-case’ – or in other words, does it solve what it’s meant to solve? Competition is healthy and the key to innovation. If you spend your whole time looking behind you, you’ll never be able to move forwards.

JB: Tricky question, and one that depends on what and where you launch this IP. It can be difficult to patent mathematical engines and logic, mostly because they’re re-treading prior art. Branding, artwork and UX is more important and can easily be copied, but the territories you launch will determine how protectable your IP will be once patented. US/EU/Japan is easy but expensive to protect in. But China/South East Asia is a nightmare to cover adequately. Specialised patent lawyers with experience in software, and ideally gaming, can help you better.