Nov 30, 2022
Nature abhors a vacuum, and so do cybercriminals. Whenever a new corner of the digital economy emerges, hackers are swift to infiltrate and exploit it to the fullest extent possible. It’s a law of digital life by now. To see it validated once again, just look at what happened to DraftKings last week.
Users of the popular sport-betting app found themselves locked out of their accounts. Upon getting back in, some found that funds had been drained away, totaling $300,000 across all those affected.
This is hardly the biggest hack of late, nor is it the first time that an online sportsbook has been a target. It won’t be the last time, either. In fact, FanDuel, a competing sportsbook, has also reported increased malicious activity though no confirmed attacks. More likely this is an early instance of what will be a long, sustained wave of attacks on online gambling.
Why? For the simple reason that huge (and fast-growing) sums of money slosh around in online gambling accounts – sports books recorded $3 billion in revenue through the first half of 2022, shattering previous records. Highly lucrative, these accounts are also highly vulnerable because people have yet to appreciate the risks of these accounts and take even basic cybersecurity measures. Hackers saw a vacuum waiting to be filled, and it just happened to have a pile of gold sitting inside.
Attacks like the one on DraftKings should surprise no one. Regardless, that particular attack has lessons – for both gamblers and casinos - that could keep this problem from getting much worse.
Online Gambling – Doubling Down on Risk
Criminals go where the money is located. So it’s predictable that casinos, race tracks, and betting parlors have been frequent targets for criminal activity since their inception. Not only do these locations have piles of cash on hand, but it also moves around faster and more freely than it does somewhere like a bank. Also unlike financial institutions, security standards and regulatory requirements are less strict around gambling (especially at underground operations). For all these reasons, anywhere that gamblers congregate looks like a prime candidate for theft.
Online operations are no different; they are a low-risk, high-value target. Except in the case of companies like DraftKings, both those factors are taken to the extreme. Gambling in online spaces lets more people and money collect in one place than any building could ever accommodate. The potential payout of a successful attack is much larger. At the same time, the number of ways to steal online gambling proceeds far exceeds the ways to steal real money. One takes an off-the-shelf cyber attack – the other takes Ocean’s Eleven.
The DraftKings attack is unfortunately a perfect example of the unique cyber risks accompanying online gambling. The perpetrators managed to access people’s accounts using credential stuffing: they used known user names and password combinations – either purchased from the dark web or stolen during a separate attack – to see which ones granted access to DraftKings accounts. Once inside, it was simple to change the bank account information and drain the funds. This means some online gamblers are using the same username/password they use for Amazon or Netflix. Most gamblers are protective of their stakes. That same caution has migrated online yet, and neither have the robust cybersecurity standards we are used to with other kinds of online transactions – DraftKings does not require MFA, for example, which would have prevented this attack.
Some of these problems will be resolved as online gambling matures. But during that same period, cyber attacks will mature as well, and hackers won’t quickly retreat from such a lucrative target. As the money flowing into sites like DraftKings keeps skyrocketing, expect the scale and audacity of attacks to do the same.
Seeing the Bigger Problem
The problems facing online gambling are similar to those facing another industry: crypto. Attacks on crypto exchanges and wallets have repeatedly made headlines, led to billions in losses, and shown all indications of getting worse. The reason why, like online gambling, is lots of money collected in one place – or flying around anonymously – without strong (or even basic) security protections in place.
This strikes me as indicative of a larger problem affecting most aspects of our expanding digital lives, which is a failure to realistically anticipate risks and plan for cyber attacks. With the DraftKings hack and so many of the crypto examples, the level of caution and preparation – on the part of both users and developers – was severely out of step with the risk. To put it differently, we wandered obliviously into the jaws of a tiger. Worst of all, we already knew the tiger was there.
I don’t blame users for recycling their passwords or even blame DraftKings for making MFA optional. The real culprit is a culture that’s still lax on cybersecurity and content to fix problems after the fact. Anyone could have predicted that online gambling accounts or wallets full of digital currency would attract an immediate and aggressive onslaught from hackers. But could anyone explain why security around those targets started off (and still remains) so over-matched?
The answer is complicated, no doubt. And I don’t claim to have the whole thing. What I do know is that if hackers are waltzing into obviously sensitive accounts and making off with huge sums, cybersecurity has some serious ground to make up.
#cybersecurity #DraftKings #gambling #credentialstuffing #crypto
Hackers recently swiped $300,000 from DraftKings accounts - and it was almost effortless. This attack will likely be forgotten by history. But it should be a wake-up call instead.
Microsoft Windows Contacts (VCF/Contact/LDAP) syslink control href attribute escape vulnerability (CVE-2022-44666) (0day)j00sean (https://twitter.com/j00sean) July 11, 2023
CVE-2021-38294: Apache Storm Nimbus Command InjectionZeyad Abdelazim June 20, 2023
CVE-2023-21931 & CVE-2023-21839 RCE via post-deserializationMohammad Hussam Alzeyyat June 19, 2023
Have you missed them? The new reports feature is here!Noa Machter May 14, 2023
CVE-2021-45456 Apache Kylin RCE ExploitMohammad Hussam Alzeyyat April 30, 2023