Irenne Zbarsky, Lead Security Research Analyst, and Itay Kozuch, Director of Research, from online security firm IntSights join consultant Peter Taylor to offer thoughts on fraud in the online casino industry, and suggest how operators can combat this increasingly pervasive threat.
What is the most common method of defrauding a gaming site?
IntSights: The most common fraud method on gaming sites is carding and identity theft (impersonation); it occurs in every industry, but in gaming and leisure this is the most emergent risk.
Carding is the usage of stolen or fake payment methods while bypassing authentication mechanisms set in place by gaming sites. Hackers share online lists of sites that are “cardable” - meaning sites that when accessed enable purchase using stolen cards to some extent.
Impersonation allows the player to act on behalf of another individual without their consent, usually with stolen accounts. Threat actors would also look for proxy servers using RDPs and SOCKS5 VPN, through which they’d be able to conduct carding and impersonation.
When the impersonation happens with consent (such as in an affiliation scheme), the experienced player uses TeamViewer in order to play on behalf of a newbie - enjoying their privileges and scamming the gaming site in return for profit percentages.
Peter Taylor: A common method is ‘card not present’ fraud by professional hackers. They specialise in using credit card details purchased from the dark web. Committing the fraud is the next stage; the professional fraudster will have an account which they control (usually offshore), and it is often in their name, a family member’s name, or an identity that they use for that site alone.
They will not use that account for a fraud, but use it to feed money into, once they are satisfied that there is sufficient distance between that account and the fraud. Getting the money into that account is a skill of its own. Where an account takeover takes place, the gambling provider will pay the winnings into the dupe's account, or only allow it to be drawn into that account. They then move it through several accounts before paying it into their safe account.
How are fraudsters teaming up to attack gaming sites?
IntSights: Fraudsters do their networking in dedicated locations (meeting places) for cyber criminals, and through private encrypted chats. Such places can be encrypted IM platforms, closed hacking forums and paste sites, for example. Attackers also use encrypted infrastructure such as Jabber and TeamViewer in order to execute conjoined attacks that include impersonation.
Peter Taylor: The dark web provides an incredible landscape where criminals help each other, and sell information for unlawful purposes. If your company lets a fraudulent transaction through easily, the ‘good news’ is quickly spread to other fraudsters. You can even buy detailed guides on how to commit every type of fraud.
What’s your advice on handling a data breach where customer info has been taken?
IntSights: When a gaming website is breached, it is recommended to identify the amount, size and type of data. Most importantly, the owners should perform a full forensic disclosure including impact analysis, in order to evaluate the type and amount of the damage. It is important to check the source of the leaked data in order to understand if it originates in the admin systems, or from the customer's end. Such data leakage might be due to malware infection or security faults. There is also a possibility of insiders who sell sensitive data outside the gaming company.
If the data was leaked from the customer side, they might be infected by malware themselves, and it is also important to check whether there is anything in common between them - are they accessing their accounts from mobile services? Are they registered in a specific local branch of the company, or using any specific third-party services? There might also be a campaign targeting the industry's customers. When the data was leaked from the website's admins, it is important to check whether the systems were compromised by malware or phishing, and whether the site had vulnerabilities that allowed this breach to happen.
In any case, it is important to notify customers and employees in order to change their passwords, and payment methods (if possible). Furthermore, allocating resources to check the vulnerabilities and other soft parts of both the website and admin system is very important in order to protect the site from future breaches.
It is also recommended to update and patch all embedded technologies, and to block IOCs of known malware that might allow or enhance the breaches.
Peter Taylor: Depending on your location you must comply with the legal notification requirements. That is certainly the area we most commonly get involved in. You may be able to resolve and retrieve data. If regulators get involved you will be able to show that you have promptly taken steps to prevent any further breaches, and that you take the matter seriously. This may also help to minimise or prevent any fines being applied by the regulator.
How should a gaming company respond when they find out a player’s credentials are being used by a fraudster?
IntSights: Gaming sites can use various systems to assess the behaviour of returning gamers and build their gaming profiles. Then, they can detect anomalies in the player's behaviour, and if it differs significantly from the original profile related to the credentials used, the systems can alert that the credentials, or a payment method, might be stolen.
Gaming companies can also use monitoring platforms using tailor-made intelligence in order to know in advance whether data and credentials were stolen or leaked, whether payment methods are stolen or fake, and when this happened.
Peter Taylor: The science is available to confirm that the person placing the bets is using the same email address, internet provider, device and location usually used by the customer. This is getting a little harder with the increase in use of mobile phones compared to personal computers, however, someone living in Birmingham placing a bet on Tuesday is unlikely to place a bet from Moldova on Wednesday morning and Lithuania at lunchtime.
If there is doubt, don't pay out. Contact the customer and ask for confirmation of ID and a question from their registration or bet history to confirm they are who they say they are. That will put most fraudsters off. You might get the added complication then of a customer who hasn't placed a bet wanting the winnings.
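The profile-and-deviation check both answers describe, as an added example that is not IntSights' or Peter Taylor's own tooling: it builds a customer's usual email, ISP, device and country from past bets, then holds any later bet that breaks enough of that profile or hops countries too quickly for review. The bet log, the field layout, and the thresholds (four baseline bets, two deviations, a six-hour hop window) are constructed assumptions for illustration.

```python
from collections import Counter
from datetime import datetime

# Constructed bet log for one customer (not real data): four bets from the
# customer's usual Birmingham set-up, then two from Moldova and Lithuania.
# Fields: customer, timestamp, email, ISP, device, country.
BETS = [
    ("c1", "2024-03-05T19:10:00", "a@example.com", "BT", "iPhone-12", "GB"),
    ("c1", "2024-03-06T20:05:00", "a@example.com", "BT", "iPhone-12", "GB"),
    ("c1", "2024-03-07T18:30:00", "a@example.com", "BT", "iPhone-12", "GB"),
    ("c1", "2024-03-12T21:00:00", "a@example.com", "BT", "iPhone-12", "GB"),
    ("c1", "2024-03-13T09:15:00", "a@example.com", "Moldtelecom", "Win10-Chrome", "MD"),
    ("c1", "2024-03-13T12:40:00", "a@example.com", "Telia", "Win10-Chrome", "LT"),
]
FIELDS = ("email", "isp", "device", "country")
HOP_HOURS = 6  # two different countries inside this window counts as a geo hop

def build_profile(history):
    """Most common email/ISP/device/country across the customer's past bets."""
    return {name: Counter(b[i + 2] for b in history).most_common(1)[0][0]
            for i, name in enumerate(FIELDS)}

def score_bet(profile, bet, prev):
    """Return the reasons a bet deviates from the profile (empty if none)."""
    reasons = [f"{name} changed" for i, name in enumerate(FIELDS)
               if bet[i + 2] != profile[name]]
    if prev is not None and prev[5] != bet[5]:
        gap = datetime.fromisoformat(bet[1]) - datetime.fromisoformat(prev[1])
        if gap.total_seconds() < HOP_HOURS * 3600:
            reasons.append(f"country {prev[5]}->{bet[5]} within {HOP_HOURS}h")
    return reasons

def review_queue(bets, baseline=4, threshold=2):
    """Bets after the baseline period that deviate enough to hold the payout
    pending ID confirmation. Returns [(timestamp, reasons), ...]."""
    profile = build_profile(bets[:baseline])
    held = []
    for idx in range(baseline, len(bets)):
        reasons = score_bet(profile, bets[idx], bets[idx - 1])
        if len(reasons) >= threshold:
            held.append((bets[idx][1], reasons))
    return held

if __name__ == "__main__":
    for ts, why in review_queue(BETS):
        print(ts, "-> hold for ID check:", "; ".join(why))
```

In the constructed log the Moldova bet trips three profile fields and the Lithuania bet adds a sub-six-hour country hop, so both land in the queue while the baseline bets do not.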
What can we learn from fraud committed in other online industries?
IntSights: Whenever an online company possesses a valuable asset, it can be potentially stolen, exploited or compromised. In the online gaming industry the valuable assets are payment data, in the healthcare industry it is medical data. It is important to follow up on all major attacks in online industries, because most of them can be replicated using the same tools, schemes and social engineering techniques.
Peter Taylor: Once a vulnerable payment system has been found it is widely circulated via the dark web or other channels. It's a bit like the guy who finds an ATM is issuing £20 notes instead of £10 notes who phones all his friends. The only advantage you have is that if you quickly identify the problem, the same channels promptly inform fraudsters that you are now off-limits. MI with the right metrics is key to this. You really don't want a card provider telling you that you had huge volumes of fraud last month. You need to spot it yourself. Alternatively, get ready for those chargebacks.
Fraudsters often identify targets within an organisation in order to gain access to networks, how can gaming companies defend themselves against this?
IntSights: Fraudsters indeed target employees, usually by using phishing methods and infecting the whole organisational network via one or more employees that opened a malicious email. It is usually done by registering a domain that is very similar to the company's original domain, thus confusing the employee into thinking that the malicious mail was sent by a colleague.
Once the email and/or the attached file is opened, malware penetrates the system and can spy, steal, control or damage sensitive data and commands in the organisational network.
There are several ways to protect the organisation from this threat: technical and social.
Technically, this threat can be prevented by monitoring the potential phishing domain upon its registration, and blocking it in advance in the company's mail gateway or firewall. Also, in clear cases of phishing attempts, you can ask the authorities to remove the existing fake domain.
Socially, it is crucial to raise the employees' awareness regarding the threat in question and train them to work securely with their emails and workplace accounts. They should never click on suspicious emails, and they should inform the IT team immediately about them. Employees should never use unfamiliar removable media (USB / CD) and never update programs from an unauthorised website. The management, IT and HR teams should be aware of the potential threats, and pass this on to the rest of the employees as well.
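The "monitor look-alike domains on registration" control above, as an added example that is not IntSights' product or code: it folds common confusable substitutions (rn/m, 0/o, 1/l, accented letters, hyphens, punycode) and then compares each newly seen domain's label with the company's own by edit distance, producing a list to push to the mail gateway or firewall blocklist. The company domain and the feed of "new registrations" are constructed; a real deployment would read the latter from a zone-file or certificate-transparency feed.

```python
import re
import unicodedata

# Constructed company domain and a constructed "newly registered" feed;
# none of these are real registrations.
COMPANY = "examplecasino.com"
NEW_REGISTRATIONS = [
    "exarnplecasino.com",          # rn -> m homoglyph
    "examplecasin0.com",           # zero for o
    "example-casino.com",          # inserted hyphen
    "examplecasino.co",            # TLD swap
    "examplecasinos.net",          # one extra letter
    "greenfieldbets.com",          # unrelated, should not match
    "exámplecasino.com".encode("idna").decode("ascii"),  # IDN in punycode form
]
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

def normalize(label):
    """Fold look-alike spellings so visually similar labels compare equal."""
    label = label.lower()
    if label.startswith("xn--"):                 # registries publish IDNs as punycode
        try:
            label = label.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    label = unicodedata.normalize("NFKD", label)  # split accents off base letters
    label = "".join(ch for ch in label if not unicodedata.combining(ch))
    for seq, repl in CONFUSABLES:
        label = label.replace(seq, repl)
    return re.sub(r"[^a-z0-9]", "", label)        # drop hyphens and other noise

def edit_distance(a, b):
    """Plain Levenshtein distance; labels are short so O(n*m) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalikes(company, candidates, max_dist=1):
    """Candidates whose folded first label is within max_dist edits of the
    company's, returned as [(domain, distance), ...] for the blocklist."""
    target = normalize(company.split(".")[0])
    hits = []
    for domain in candidates:
        dist = edit_distance(normalize(domain.split(".")[0]), target)
        if dist <= max_dist:
            hits.append((domain, dist))
    return hits

if __name__ == "__main__":
    for domain, dist in lookalikes(COMPANY, NEW_REGISTRATIONS):
        print(f"block {domain} (distance {dist})")
```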
Peter Taylor: Why hack when an insider can give you the information? It is far cheaper, far easier, and harder to detect. Have you got a whistleblower system that works, or just looks nice if the regulator looks at it? Are your people wise to the fact that they may be approached? Do they have their occupation on their Facebook account? Do your management know how to spot an employee having difficulties or behaving differently? These are important questions you need to be asking to avoid the threat of inside actors jeopardising your security.