Nov 30, 2022
Nature abhors a vacuum, and so do cybercriminals. Whenever a new corner of the digital economy emerges, hackers are swift to infiltrate and exploit it to the fullest extent possible. It’s a law of digital life by now. To see it validated once again, just look at what happened to DraftKings last week.
Users of the popular sport-betting app found themselves locked out of their accounts. Upon getting back in, some found that funds had been drained away, totaling $300,000 across all those affected.
This is hardly the biggest hack of late, nor is it the first time that an online sportsbook has been a target. It won’t be the last time, either. In fact, FanDuel, a competing sportsbook, has also reported increased malicious activity though no confirmed attacks. More likely this is an early instance of what will be a long, sustained wave of attacks on online gambling.
Why? For the simple reason that huge (and fast-growing) sums of money slosh around in online gambling accounts – sports books recorded $3 billion in revenue through the first half of 2022, shattering previous records. Highly lucrative, these accounts are also highly vulnerable because people have yet to appreciate the risks of these accounts and take even basic cybersecurity measures. Hackers saw a vacuum waiting to be filled, and it just happened to have a pile of gold sitting inside.
Attacks like the one on DraftKings should surprise no one. Regardless, that particular attack has lessons – for both gamblers and casinos – that could keep this problem from getting much worse.
Online Gambling – Doubling Down on Risk
Criminals go where the money is located. So it’s predictable that casinos, race tracks, and betting parlors have been frequent targets for criminal activity since their inception. Not only do these locations have piles of cash on hand, but it also moves around faster and more freely than it does somewhere like a bank. Also unlike financial institutions, security standards and regulatory requirements are less strict around gambling (especially at underground operations). For all these reasons, anywhere that gamblers congregate looks like a prime candidate for theft.
Online operations are no different; they are a low-risk, high-value target. Except in the case of companies like DraftKings, both those factors are taken to the extreme. Gambling in online spaces lets more people and money collect in one place than any building could ever accommodate. The potential payout of a successful attack is much larger. At the same time, the number of ways to steal online gambling proceeds far exceeds the ways to steal real money. One takes an off-the-shelf cyber attack – the other takes Ocean’s Eleven.
The DraftKings attack is unfortunately a perfect example of the unique cyber risks accompanying online gambling. The perpetrators managed to access people’s accounts using credential stuffing: they used known username and password combinations – either purchased from the dark web or stolen during a separate attack – to see which ones granted access to DraftKings accounts. Once inside, it was simple to change the bank account information and drain the funds. This means some online gamblers are using the same username/password they use for Amazon or Netflix. Most gamblers are protective of their stakes. That same caution has not yet migrated online, and neither have the robust cybersecurity standards we are used to with other kinds of online transactions – DraftKings does not require MFA, for example, which would have prevented this attack.
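Credential stuffing has a recognizable shape in authentication logs: one source trying many different accounts, each a handful of times, with most attempts failing. The following is an added example (not DraftKings' code or anything from the original post) of a defender-side detector that flags such sources and lists the accounts that accepted a login from them, so sessions can be revoked and re-authentication forced before any payout-detail change. The event fields, thresholds and the sample events are all constructed assumptions.

```python
"""Credential-stuffing detection over constructed login events.

Added example, not DraftKings' or the author's code. Field names and
thresholds are assumptions; the events below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    ts: int          # seconds since epoch (constructed)
    src_ip: str
    username: str
    success: bool


# Constructed sample: one source spraying many accounts with leaked pairs,
# plus one legitimate user who mistypes a password once and then succeeds.
SAMPLE_EVENTS = [
    LoginEvent(1000, "203.0.113.7", "alice", False),
    LoginEvent(1001, "203.0.113.7", "bob", False),
    LoginEvent(1002, "203.0.113.7", "carol", True),
    LoginEvent(1003, "203.0.113.7", "dave", False),
    LoginEvent(1004, "203.0.113.7", "erin", False),
    LoginEvent(1005, "203.0.113.7", "frank", True),
    LoginEvent(1006, "203.0.113.7", "grace", False),
    LoginEvent(1007, "203.0.113.7", "heidi", False),
    LoginEvent(1100, "198.51.100.4", "alice", False),
    LoginEvent(1105, "198.51.100.4", "alice", True),
]


def detect_stuffing_sources(events, window=300, min_users=5, max_success_ratio=0.5):
    """Return {src_ip: set(usernames)} for sources that tried at least
    `min_users` distinct usernames within `window` seconds and whose
    attempts in that window mostly failed.

    Credential stuffing shows as breadth (many accounts, few attempts each),
    unlike brute force (one account, many attempts) or a legitimate user
    fumbling a password (one account, one source, quick success).
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        # Sliding time window over the source's events, oldest to newest.
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            users = {e.username for e in win}
            success_ratio = sum(e.success for e in win) / len(win)
            if len(users) >= min_users and success_ratio <= max_success_ratio:
                # Record every account this source touched, not just the window.
                flagged[ip] = {e.username for e in evs}
                break
    return flagged


def compromised_accounts(events, flagged):
    """Accounts that accepted a login from a flagged source: candidates for
    session revocation and forced re-authentication (with MFA where available)
    before any bank-account or payout change is honoured."""
    return sorted({e.username for e in events if e.src_ip in flagged and e.success})


if __name__ == "__main__":
    hits = detect_stuffing_sources(SAMPLE_EVENTS)
    for ip, users in hits.items():
        print(f"stuffing source {ip}: {len(users)} accounts tried")
    print("accounts needing step-up:", compromised_accounts(SAMPLE_EVENTS, hits))
```

The ratio threshold matters: a stuffing run against a site with widespread password reuse can have a noticeable success rate, so the detector keys on the number of distinct accounts per source rather than on failures alone. In a real deployment the window and thresholds would be tuned against the site's normal traffic, and the flagged-account list would feed a step-up control on sensitive actions such as changing payout details.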
Some of these problems will be resolved as online gambling matures. But during that same period, cyber attacks will mature as well, and hackers won’t quickly retreat from such a lucrative target. As the money flowing into sites like DraftKings keeps skyrocketing, expect the scale and audacity of attacks to do the same.
Seeing the Bigger Problem
The problems facing online gambling are similar to those facing another industry: crypto. Attacks on crypto exchanges and wallets have repeatedly made headlines, led to billions in losses, and shown all indications of getting worse. The reason why, like online gambling, is lots of money collected in one place – or flying around anonymously – without strong (or even basic) security protections in place.
This strikes me as indicative of a larger problem affecting most aspects of our expanding digital lives, which is a failure to realistically anticipate risks and plan for cyber attacks. With the DraftKings hack and so many of the crypto examples, the level of caution and preparation – on the part of both users and developers – was severely out of step with the risk. To put it differently, we wandered obliviously into the jaws of a tiger. Worst of all, we already knew the tiger was there.
I don’t blame users for recycling their passwords or even blame DraftKings for making MFA optional. The real culprit is a culture that’s still lax on cybersecurity and content to fix problems after the fact. Anyone could have predicted that online gambling accounts or wallets full of digital currency would attract an immediate and aggressive onslaught from hackers. But could anyone explain why security around those targets started off (and still remains) so over-matched?
The answer is complicated, no doubt. And I don’t claim to have the whole thing. What I do know is that if hackers are waltzing into obviously sensitive accounts and making off with huge sums, cybersecurity has some serious ground to make up.
#cybersecurity #DraftKings #gambling #credentialstuffing #crypto