Cybercriminals Continue to Target Online Gambling Platforms
By Luke Rodeheffer
The size of the online gambling industry is expected to approach $75 billion by 2024, driven largely by technological advancements and favorable regulatory shifts. This projected growth presents ample opportunity to companies operating in the industry, but it comes with the drawback of attracting unwanted cybercriminal interest.
The online gambling industry has often been a pioneer in developing anti-fraud and device-fingerprinting technology to prevent the abuse of its platforms. But as cybercriminals continue to refine their methods, organizations in the industry must remain mindful of the following threats:
Account Cash-Out Schemes
One common cybercriminal tactic is to cash out balances on compromised online gambling accounts. Online gambling accounts can be compromised through brute forcing activity, botnets, or credential-stealing malware sold on underground forums. Compromised accounts are sold for varying prices depending on the age of the account and the amount of money in the balance.
Fraudulent Account Creation
A related cybercriminal activity is the creation of fake user accounts on gambling platforms, which are used for money laundering, whether it be for funds extracted from compromised gambling accounts or the fruits of other financially motivated schemes.
Cybercriminals use a variety of different technologies to establish fake accounts on gambling platforms. Flashpoint analysts observed a Russian-speaking actor advertising servers capable of creating accounts on leading gambling platforms without detection on their Telegram channel. Analysts have also observed users on a lower-tier, Russian-language cybercrime forum discussing that same actor’s anti-detect software to create dozens of accounts within a 24-hour time frame on some gambling sites, though they acknowledged the service was less effective on certain gambling platforms with more sophisticated anti-fraud protections.
Mobile proxy abuse is also being leveraged to create fraudulent accounts, with one notable Russian-language proxy service advertising its ability to create fraudulent accounts on gambling sites and providing tips on the security and document verification systems used by several high-profile online gambling platforms. On its homepage, the service falsely claims to have partnerships with some of these platforms, stating that users are able to “make bets on any gambling website without any risks,” and “trust our professional team to allow users to make multiple accounts across platforms.”
Partnerkas and Traffic Arbitrage
Many online gambling platforms rely on online advertisements to attract new users. In some cases, gambling platforms rely on affiliate systems that place its ads on other sites. These affiliate systems often overlap with the cybercriminal underground, however, especially those based in Eastern Europe, where they are known as partnerkas. In the past, partnerkas have received law enforcement and media scrutiny for directing web traffic to illicit offshore pharmacy websites and using botnets to distribute spam or malware via advertisements on compromised web pages.
Working with partnerkas poses significant third-party risk to online gambling platforms, with potential ramifications including reputational damage and the compromise of sensitive customer data. As such, thorough due diligence should be conducted when it comes to all aspects of online advertising.
Efforts to Bypass Security Controls
Flashpoint analysts have also observed Russian-speaking actors advertising services they claim are capable of bypassing certain security controls put in place by gambling platforms. However, domain records provide no further clues as to who is behind this service.
Distributed Denial-of-Service (DDoS) Attacks
DDoS attacks are another threat for the online gambling industry that have grown increasingly pervasive over the past few years. Since online gambling activity is often conducted in real time, these platforms are particularly sensitive to the latency created by DDoS attacks due to user bases located around the world who require streaming access. In August 2018, the popular platforms PokerStars and partypoker faced extended periods of downtime as a result of DDoS attacks, and a wave of attacks crippled Hong Kong-based gambling platforms in May 2017 that cybersecurity firm Arbor Networks linked to extortion attempts.
The growth of the online gambling industry will only make it a more lucrative target for cybercrime in the coming years. As technology for subverting account authentication and anti-fraud defenses continues to rapidly develop and more accounts are compromised through the proliferation of credential-stealing malware, botnets, and brute-forcing tools, the industry will need to monitor for emerging cyber threats and evolving tactics, techniques, and procedures (TTPs) on an ongoing basis.
Cybercrime Intelligence Analyst
Luke is a Cybercrime Intelligence Analyst at Flashpoint, where he specializes in analyzing cyber and physical threats and actors originating in Turkey, the former Soviet Union, The Middle East, and North Africa. He has extensive previous experience as a freelance due diligence and political risk analyst covering post-Soviet Eurasia and Turkey utilizing extensive public record and open source research. Luke has been published by The Diplomat, Business Insider, Middle East Monitor and George Washington’s International Affairs Review, and his research has been cited in the Wall Street Journal. Luke speaks Turkish, Russian, German, and Persian, and holds a Master’s Degree in Russian, Eastern European, and Eurasian Studies from Stanford University.