A hacker’s world: how cybersecurity is evolving as attacks surge

September saw two of North America’s biggest gambling operators, MGM Resorts and Caesars Entertainment, have their security compromised. Even though the damage impacted both land-based and online operations, initial hacks in both cases were made through third-party supplier partners, with the true financial cost yet to be established – although MGM estimates its own hit to be around $100m in EBITDA.

For Caesars, the company had a “significant number” of players’ data stolen, including driver licence numbers and social security numbers, alongside a copy of its Caesars Rewards loyalty database. It was reported by news outlets, including the New York Post, the operator paid $15m to prevent that data from going public, although the Associated Press estimates it was closer to $30m.

That the aforementioned duo were hit is proof that size and reputation doesn’t prevent a company from being the victim of a cyberattack, albeit briefly. And it follows a trend of larger operators being targeted. In May 2023, DraftKings suffered a credential stuffing attack where stolen usernames and passwords were automatically entered into its site to gain access, impacting over 60,000 player accounts. That same month, Holland Casino Online was taken offline entirely by a cyberattack against its infrastructure supplier.

At a gaming law boot camp on 6 March 2023 organised by the University of Seton Hall School of Law in Newark, New Jersey, David Feder, a cybercrime attorney with New York City firm Fenwick & West, claimed that “cyberattacks on the casino industry are increasing by 1,000% annually and the average cost of a data breach is $4m”.

Rickard Vikström, CEO of sports betting and igaming hosting supplier Internet Vikings, tells EGR that “we are all vulnerable to cyberattacks”. It’s a point that both Continent 8’s chief product officer Justin Cosnett and cyber-security director Leon Allen are also keen to stress.

Cosnett explains that the online security industry believes the September attacks, as well as Stake’s $41m hack the same month, FanDuel’s data leak in January 2023 and Flutter’s “unscheduled maintenance issue” which affected apps including Fox Bet and PokerStars in February 2022, have struck fear into the rest of the igaming sector.

According to IT security company Imperva’s 2022 DDoS Threat Landscape Report, 25% of gambling sites were attacked in the final month of Q2 last year, 40% in the last 12 months, while 80% were attacked more than once. The report states that in Q2 2022, 10% of gambling sites were targeted in the final week of the quarter. To sum that up in financial terms, the report explains that if an igaming firm generates $1bn in revenue annually, a sustained distributed denial of service (DDoS) attack, which floods a server with internet traffic to prevent customers and users accessing the site, would cost them approximately $115k per hour.

What makes igaming so susceptible to DDoS attacks, according to Vikström, is that the hack needs an uninterrupted online service which this industry provides. “DDoS attacks can disrupt these services, causing significant customer and financial losses as players will do a withdrawal of funds after a site has been down due to a DDoS attack,” he says.

Who’s a bad bot?     

Imperva’s 2022 Bad Bot Report describes bad bots as “software applications that run automated tasks with malicious intent”, with the gaming and gambling industry having the second-largest share of bad bot traffic in 2021 at 53.9%, up by 26.2% on the year prior. That was only surpassed by sports at 57.1%. Bad bots are also used for creating DDoS attacks as well as fraud and theft.

The rise in bot attacks runs parallel to the increased use of AI, which has brought a new form of attacks to the gambling industry. “Cybersecurity has always been a cat and mouse game,” remarks Allen. “It’s always been a game whereby attackers will do something and then defenders will put something in place, and so on and so forth. What we’re seeing now is that AI is just the latest tool, albeit an incredibly powerful one.” On the defensive side, firms are using AI to detect attacks while criminals are using it for more “sophisticated attacks”, he says.

Vikström echoes Allen’s opinion, adding that it’s much harder to detect AI attacks. This had led to suppliers using video calls in the same location to verify password resets, as attacks use both voice and video imitation programs in order to deceive people to gain access to systems.

Imperva’s data also shows that the gaming and gambling industry had the highest account takeover (ATO) attacks ratios of all logins in 2021 at 34.9%, with sports coming in second at 34%. Retail (18.1%), travel (9.7%), telecom and ISP (5.9%), and food and beverage (5.4%) make up the remaining top six. However, the stats go on to show the gambling industry did not experience the largest volume of account takeover attacks by industry in 2021, with that title going to the financial services sector at 34.6%. Gaming and gambling was joint seventh with 2.8%.

Lynn Marks, Imperva’s senior product manager, tells EGR that bad bots play a role in ATO attacks, which is one of the biggest threats to the industry. “In 2022, the volume of ATO attacks soared 155%, accounting for 15% of all login attempts across all industries,” she says. “Given the amount of money that flows in and out of gambling accounts on a daily basis, it’s no wonder such websites make for ideal targets.”

You’ve been hacked

Any successful hack isn’t achieved in the spur of the moment or on a whim by a group or individual, with motivations differing from attack to attack. Their time span varies as well as how long it takes for a company to wrestle back control. Vikström explains: “The ease of recovery and the duration of an attack depends on multiple factors, including the type of cyberattack, the extent of the breach, the company’s preparedness and its cybersecurity infrastructure. On average, it can take days, weeks or even months to fully recover.”

Allen further expands on the worrying realisation following an attack that hackers could have been in your system for months, if not years, and put processes in place to compromise your cybersecurity in the future. He adds it also depends on the type of attack a firm has suffered. “In the event of a ransomware attack, most likely your desktops, laptops or servers have been encrypted.” Though, he notes that “we, in the industry, always prefer no one pays these things” when referring to ransoms.

Looking at the example of a DDoS attack on a sportsbook, Allen highlights how the industry has seen a change in not only who is committing the offence but also the reason why. Whereas in the past it might have been “kids” or “people with too much time on their hands”, it has now become an industry “in its own right”, which is experiencing growth and choosing to cause disruption in advance of a weekend of Premier League fixtures or a slate of NFL games.

Internet Vikings CEO Rickard Vikström says all industry firms face the threat of hackings

“If you can bring down or make unavailable an operator’s website, literally every minute or hour that passes that they can’t take customers is significant amounts of money not being earned and also significant number of customers potentially going elsewhere to place bets,” Allen adds.

This increases around major sporting tournaments, with Imperva finding in its Bad Bot Report that there was a 96% year-on-year increase in bot traffic from 2020 to 2021 – in particular on UK gambling sites when the English national team were playing in the 2020 European Championships held a year later in 2021 due to the Covid-19 pandemic. The Tour de France was another event of interest in the summer of 2021, with bot activity on sporting and gambling sites spiking 52% around the time it was set to start, Imperva research found. It also tallies with what Continent 8 shares with EGR.

Allen says: “If an attacker picks their time and threatens with a ransom note beforehand, they’ve got quite a high propensity potentially to get payment.” This is because hackers are acutely aware that they can do more damage to an operator in “terms of lost revenue than the actual ransom they’re asking for,” he adds.

Using UK players as an example, Marks says because of the predictability of when gamblers play and with almost half of all Brits gambling at least once a year, hackers are able to target betting websites during peak times like the Cheltenham Festival or a World Cup. “This not only means more funds for them to steal, but also the higher volume of traffic makes it harder for gambling companies to identify anomalies and block suspicious requests,” she says.

Education, education, education

Unfortunately for all industries, cyber-attacks are inevitable. The most vulnerable, according to Allen, is the finance sector, given how lucrative it is for hackers not just in terms of what they can steal but also the potential of a huge ransom being paid if a firm feels it has no choice but to give in to demands. Next up is healthcare – especially in the US. “What they’re trying to do is obtain patient records so they can extort and ransom those companies and threaten that if you do not pay this inordinate amount of money, we are going to release patient records, your reputation is damaged and you are opening yourself up to multiple lawsuits,” he says.

Igaming encapsulates both. Attackers get the money they would from targeting a FTSE 100 firm, for example, but there’s also the reputational damage operators want to avoid. “Gaming and entertainment continues to be the third most-attacked vector in all of this.”

It’s an opinion shared by Internet Viking’s Vikström, agreeing that healthcare and finance are the sectors most vulnerable to cybercrime, however critical infrastructure also remains a target. He says: “Critical infrastructure, including energy and water supply, is susceptible to attacks that could disrupt essential services, causing widespread disruption and damage.”

As for crypto, the rationale behind an attack remains the same as other targets but the way they are infiltrated is somewhat different. “The relative anonymity of cryptocurrency transactions makes it appealing for hackers,” says Vikström. And the way these groups are attacking the industry, and others, is ever-changing. What has emerged over the past few years is what he calls “third-party attacks”, where criminals target and infiltrate smaller companies to take down the larger corporations. 

As companies continue to defend themselves from hackers, a new issue has arisen from remote working. Prior to the Covid-19 pandemic, cybersecurity teams would work from an office which would have its own defence systems in place. As more and more staff switched to working from home instead of company premises, it made hacking somewhat easier. No longer do criminals need to attack “that corporate perimeter”, Allen explains. They can now target individual employees and laterally move to the corporate network.

“From a protection point of view, it’s put a lot more emphasis on employee education. Because we’re all working from home, we’re using our devices like we are today as both a work device but obviously you might use that for some personal use as well.”

Unfortunately, these attacks and the ways in which groups, be they small or large, infiltrate the gambling industry are not going away. Regardless of how many defence systems are put in place, there’s always a way in and once that happens, it is imperative that those under duress are well-equipped to take control back. “Preparation is key,” says Allen. “Always assume you’re likely to be attacked and always assume you’re going to be compromised.”

Vikström remarks that there should always be an offline, offsite recovery site because, he highlights: “One thing hackers cannot do, they cannot manually plug a power cable into a server in a disaster recovery site.”