
Online Casino Heist Shreds Confidence in Cybersecurity

Nov 30, 2022

Nature abhors a vacuum, and so do cybercriminals. Whenever a new corner of the digital economy emerges, hackers are swift to infiltrate and exploit it to the fullest extent possible. It’s a law of digital life by now. To see it validated once again, just look at what happened to DraftKings last week.


Users of the popular sports-betting app found themselves locked out of their accounts. Upon getting back in, some found that funds had been drained away, totaling $300,000 across all those affected.


This is hardly the biggest hack of late, nor is it the first time that an online sportsbook has been a target. It won’t be the last time, either. In fact, FanDuel, a competing sportsbook, has also reported increased malicious activity, though no confirmed attacks. More likely, this is an early instance of what will be a long, sustained wave of attacks on online gambling.


Why? For the simple reason that huge (and fast-growing) sums of money slosh around in online gambling accounts – sportsbooks recorded $3 billion in revenue through the first half of 2022, shattering previous records. Highly lucrative, these accounts are also highly vulnerable because people have yet to appreciate the risks of these accounts and take even basic cybersecurity measures. Hackers saw a vacuum waiting to be filled, and it just happened to have a pile of gold sitting inside.


Attacks like the one on DraftKings should surprise no one. Regardless, that particular attack has lessons – for both gamblers and casinos – that could keep this problem from getting much worse.


Online Gambling – Doubling Down on Risk


Criminals go where the money is located. So it’s predictable that casinos, race tracks, and betting parlors have been frequent targets for criminal activity since their inception. Not only do these locations have piles of cash on hand, but it also moves around faster and more freely than it does somewhere like a bank. Also unlike financial institutions, security standards and regulatory requirements are less strict around gambling (especially at underground operations). For all these reasons, anywhere that gamblers congregate looks like a prime candidate for theft.


Online operations are no different; they are a low-risk, high-value target. Except in the case of companies like DraftKings, both those factors are taken to the extreme. Gambling in online spaces lets more people and money collect in one place than any building could ever accommodate. The potential payout of a successful attack is much larger. At the same time, the number of ways to steal online gambling proceeds far exceeds the number of ways to steal real money. One takes an off-the-shelf cyber attack – the other takes Ocean’s Eleven.


The DraftKings attack is unfortunately a perfect example of the unique cyber risks accompanying online gambling. The perpetrators managed to access people’s accounts using credential stuffing: they used known username and password combinations – either purchased from the dark web or stolen during a separate attack – to see which ones granted access to DraftKings accounts. Once inside, it was simple to change the bank account information and drain the funds. This means some online gamblers are using the same username/password they use for Amazon or Netflix. Most gamblers are protective of their stakes. That same caution has not migrated online yet, and neither have the robust cybersecurity standards we are used to with other kinds of online transactions – DraftKings does not require MFA, for example, which would have prevented this attack.
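The chain described above (one source trying many accounts, then a payout-detail change on the account that let it in) leaves a recognizable trail in authentication logs. The Python below is an added example, not code from this article or from DraftKings; the event format, thresholds and function names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (time, source IP, user, action, success); not real logs.
EVENTS = [
    ("2022-11-21T03:00:01", "203.0.113.7", "alice", "login", False),
    ("2022-11-21T03:00:02", "203.0.113.7", "bob", "login", False),
    ("2022-11-21T03:00:03", "203.0.113.7", "carol", "login", False),
    ("2022-11-21T03:00:04", "203.0.113.7", "dave", "login", False),
    ("2022-11-21T03:00:05", "203.0.113.7", "erin", "login", True),
    ("2022-11-21T03:02:10", "203.0.113.7", "erin", "bank_change", True),
    ("2022-11-21T09:15:00", "198.51.100.20", "frank", "login", False),
    ("2022-11-21T09:15:20", "198.51.100.20", "frank", "login", True),
    ("2022-11-21T09:20:00", "198.51.100.20", "frank", "bank_change", True),
]

def stuffing_sources(events, window=timedelta(minutes=10),
                     min_users=4, min_fail_ratio=0.7):
    """IPs that tried many distinct usernames, mostly failing, inside one window."""
    by_ip = defaultdict(list)
    for ts, ip, user, action, ok in events:
        if action == "login":
            by_ip[ip].append((datetime.fromisoformat(ts), user, ok))
    flagged = set()
    for ip, attempts in by_ip.items():
        attempts.sort()
        for i, (start, _, _) in enumerate(attempts):
            burst = [a for a in attempts[i:] if a[0] - start <= window]
            users = {u for _, u, _ in burst}
            fails = sum(not ok for _, _, ok in burst)
            if len(users) >= min_users and fails / len(burst) >= min_fail_ratio:
                flagged.add(ip)
                break
    return flagged

def takeover_candidates(events, hold=timedelta(minutes=30)):
    """Accounts where a flagged IP logged in, then changed payout details soon after."""
    bad_ips = stuffing_sources(events)
    last_bad_login, hits = {}, []
    for ts, ip, user, action, ok in sorted(events):
        t = datetime.fromisoformat(ts)
        if action == "login" and ok and ip in bad_ips:
            last_bad_login[user] = t
        elif (action == "bank_change" and user in last_bad_login
              and t - last_bad_login[user] <= hold):
            hits.append(user)  # candidate for a withdrawal hold and step-up MFA
    return hits
```

A user who mistypes a password once and then updates bank details (frank in the sample) is not flagged, because the source address never touched more than one account.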


Some of these problems will be resolved as online gambling matures. But during that same period, cyber attacks will mature as well, and hackers won’t quickly retreat from such a lucrative target. As the money flowing into sites like DraftKings keeps skyrocketing, expect the scale and audacity of attacks to do the same.


Seeing the Bigger Problem


The problems facing online gambling are similar to those facing another industry: crypto. Attacks on crypto exchanges and wallets have repeatedly made headlines, led to billions in losses, and shown all indications of getting worse. The reason, as with online gambling, is that lots of money is collected in one place – or flying around anonymously – without strong (or even basic) security protections in place.


This strikes me as indicative of a larger problem affecting most aspects of our expanding digital lives, which is a failure to realistically anticipate risks and plan for cyber attacks. With the DraftKings hack and so many of the crypto examples, the level of caution and preparation – on the part of both users and developers – was severely out of step with the risk. To put it differently, we wandered obliviously into the jaws of a tiger. Worst of all, we already knew the tiger was there.


I don’t blame users for recycling their passwords or even blame DraftKings for making MFA optional. The real culprit is a culture that’s still lax on cybersecurity and content to fix problems after the fact. Anyone could have predicted that online gambling accounts or wallets full of digital currency would attract an immediate and aggressive onslaught from hackers. But could anyone explain why security around those targets started off (and still remains) so over-matched?


The answer is complicated, no doubt. And I don’t claim to have the whole thing. What I do know is that if hackers are waltzing into obviously sensitive accounts and making off with huge sums, cybersecurity has some serious ground to make up.

#cybersecurity #DraftKings #gambling #credentialstuffing #crypto









Written by

Paul Lighter
