Identity Spoofing Is a Growing Threat to Online Gambling Industry
ThreatMetrix, a prominent cyber-security company, released its Cybercrime Report this week with data showing that “identity spoofing” is the most common way gambling companies are attacked by hackers. Spoofing uses stolen data to collect cash, banking information, and passwords from individuals and companies alike.
The term spoofing might sound humorous, but the activity is one of the greatest threats to the global online gambling industry. The BBC describes spoofing as “falsifying the origin of an Internet communication to mislead the recipient”.
Because the online gambling community includes 2 billion player accounts, gaming operators are particularly vulnerable to spoofing attacks. The sheer number of casino, poker, and sports betting accounts makes it difficult — if not impossible — for companies to verify that every gambler is real and not fake.
ThreatMetrix said that identity spoofing attacks were up 27% in the online gambling industry over the past year alone.
What Is Identity Spoofing?
Spoofing enables collusive play in player-versus-player (PVP) games like poker. An identity thief can use a spoofing attack to take control of an inactive player’s account, then collude across two or more accounts to gain extra information about the cards in play.
Spoofing also allows hackers to take control of self-excluded accounts. While a player believes he or she is on a self-exclusion list and therefore pays no attention to the account’s activity, the identity thief uses the account details to play with cash that is no risk to them. Such players return to find their account drained, leading to further trauma for the problem gambler and bad publicity for the industry.
Malicious Account Takeovers (ATOs)
Some spoofers conduct malicious account takeovers (ATOs), where the cyber-attack targets the accounts of company employees. This allows for credential stuffing, so the hacker can communicate with customers under the apparent name of the company itself. With such credentials, a wide range of scams can be perpetrated — once again ruining the finances of the gambler and the reputation of the gaming operator.
Infosecurity discussed how ATOs lead to massive business email compromise (BEC) in a wide range of fields. From April 2018 to June 2018 alone, cyber-security researchers located 60 different business email compromise attacks in 50 different industries.
The study found that BEC attacks can originate from anyone in an organization. Only 6% came from the CEO of a company, while 27% came from someone in a department that handles sensitive information. A full two-thirds of BECs came from people in the wider company. While those might be less effective, all BECs are a threat to Internet users.
How Business Email Compromise (BEC) Works
Kacy Zurkus of Infosecurity wrote, “Some attackers try to use the hacked email account to launch phishing campaigns that will go undetected, some attackers steal credentials of other employees and sell them in the black market, and others use the account to conduct reconnaissance to launch personalized attacks.”
“The most sophisticated attackers steal the credentials of a key employee (e.g., CEO or CFO), and use them to launch a business email compromise (BEC) attack from the real employee’s email address.”
Once again, online gambling companies are not the only targets of ATOs and BECs, but they are among the most vulnerable online businesses when it comes to such attacks. When such an attack happens, it can damage a gaming site’s reputation for years to come.
How to Avoid Online Gambling Cyber-Attacks
Players should take the same precautions that customers of other online merchants and services do. Barracuda Networks suggests that players ignore any request involving money made via email until they have verified the email is genuine with a person in the customer service department.
Even if an online casino sends an email requesting a wire transfer, signed by its acknowledged CEO and carrying its official logo, players should not accede to the request until they have confirmed it in a direct conversation by phone or live chat — not by email.
Just as genuine messages from Google or Microsoft never ask for money (only the occasional malware claiming to be from them does), big companies do not contact a person directly with requests for money. Punters must learn to distinguish general marketing emails from phishing attempts, which are much more personal and break the normal boundaries of online commerce. Personal appeals are likely to be identity spoofing by a cyber-hacker.