
Q&A: Continent 8 on the latest cybersecurity risks facing the industry
Craig Lusher, senior product specialist at Continent 8, delves into the latest ways hackers are attempting to disrupt operators and how to prevent attempted attacks coming to fruition


The global online gambling industry is one of the most attacked, with operators having to defend against a range of cyber threats. Not only is the volume of attacks on the rise, but so too is the complexity and sophistication of these attacks.
One area where operators are particularly vulnerable is their reliance on web applications and APIs, with the average operator using between 20 and 100 for both consumer-facing and internal aspects of the business.
Here, Craig Lusher, senior product specialist at Continent 8, details why attacks against APIs and apps should be such a big concern for operators, what these attacks look like and what steps they need to take to ensure they are protected.
EGR: Most online gambling operators are heavily reliant on third-party providers. Does this leave them more exposed to cyber attacks?
Craig Lusher (CL): Operator reliance on third-party solutions and in particular APIs and apps does increase their attack surface area and make them more exposed to cyber attacks. In most cases, operators work with tens or even hundreds of partners to run their sportsbooks and casinos including platforms, games, odds, payments and KYC. They are also used for back office and internal operations.

These APIs and apps are mission-critical both when it comes to delivering the player experience and protecting players and ensuring regulatory compliance. They are also important to the successful running of the wider organisation.
This importance and wide attack surface area do not go unnoticed by cyber criminals, and that’s why it’s vital for operators to protect the apps and APIs they use.
EGR: Can you share some insights into the volume of attacks being launched against APIs and apps?
CL: The volume is high and has surged in recent months. In fact, Cloudflare reported a 300% year-on-year rise in web app and API attacks last year with the igaming industry recording a 36% increase. According to Akamai’s State of the Internet Security report, API abuses increased 681% from 2020 to 2021. Both Gartner and Akamai say that attacks against APIs are one of the fastest-growing attack vectors and are set to be the number one attack vector. To put this into context, in 2020 there were more than 246 million web application attacks against the gambling industry, representing 4% of the 6.3 billion attacks tracked globally by Fortinet.
Web apps are the initial point of compromise in over 40% of breaches according to Verizon’s 2022 Data Breach Investigations Report. Manipulated web requests and XSS were among the top vectors. The volume of attacks being directed at businesses around the world is on the rise and the next figures to be published will undoubtedly show a jump in the number of attacks specifically against APIs and apps.
EGR: Where are APIs and apps used the most by operators? Is there a greater prevalence in some areas of the business over others?
CL: There are two categories of API usage, one in which operators produce APIs and offer services to third parties/other parts of the business/users, and one where they consume and use third-party APIs. When producing and offering APIs, it is the operator’s responsibility to ensure they protect them. There are hundreds of APIs that operators could consume from third parties and as part of their security due diligence, they should ensure that the third party has adequate protection for their APIs, so as not to compromise the operator’s availability.
APIs and apps are used across all areas of the business, from consumer-facing applications such as the websites through which players place bets and play games, to payment processing systems, partner integration systems such as those used to generate odds and provide slots and back-office systems used for accounting and customer support. Depending on operator size, we have identified ~25 different types of APIs that an operator could produce and therefore have the responsibility to protect.
Some examples here could include gaming platforms, mobile, live streaming, customer support, content management, account, affiliate and VIP management solutions, dev ops tools, infrastructure tools, security monitoring and logging, business intelligence and analytics, infrastructure and marketing automation among many others.
EGR: What attack types are usually launched against APIs and apps?
CL: The OWASP (Open Worldwide Application Security Project) Top 10 is a list of the most exploited vulnerabilities in web applications. OWASP also produce a top 10 list of most exploited vulnerabilities for APIs. Broken Access Control is top of the list and is now the most exploited vulnerability in web apps whereby attackers access resources or functionality that should be restricted by exploiting missing access controls. This allows privilege escalation or data access – 94% of applications OWASP tested contained some form of broken access control. Second on the list is Cryptographic failures. These are failures related to cryptography which often lead to sensitive data exposure or system compromise. Third on the list is Injection, which includes Cross-Site Scripting – 94% of applications examined tested for some form of Injection. Injection attacks are when an attacker attempts to inject malicious code or commands into inputs that get processed by an application, like SQL injection, OS command injection, etc. These can be used to breach databases and access data or execute unauthorised actions.
ChattyGoblin malware attacks originate from China and have been used to attack online casinos in the Philippines by posing as legitimate resources, enticing users to interact. In 2022, a major US operator suffered a Credential Stuffing attack whereby $300,000 was stolen and the data of 67,000 users was compromised. These attacks can all be protected by WAAP (Web Application and API Protection) tools.
Another example of an attack is Layer 7 DDoS. While not an exploit in the API or application, it is an attack designed to overwhelm a web application with traffic that appears to be legitimate, such as HTTP requests or API calls, but it is not. By targeting the application layer, the attack can consume server resources which in turn can slow down or crash the app, making it unavailable to the player or service. The attacker’s aim here is to disrupt the normal functioning of the application or API, perhaps with a ransom then issued for the attack to be called off. Layer 7 DDoS attacks do not necessarily produce a large volume of data as per Layer 3-4 attacks, but produce a lot of requests, which in turn overwhelms the application rather than the network components.
EGR: What is the most effective way for operators to protect against these attacks?
CL: Continent 8 always recommends taking a multi-layered approach to cybersecurity in general as this ensures adequate protection for each attack vector. This applies to Layer 7 attacks specifically against apps and APIs with a box of tools required to ensure protection from numerous Layer 7 vectors. Some of the key tools that should be in the box – a web application firewall, API protection, DDoS protection, bot management and protection, credential stuffing prevention, access control and certification, data loss prevention and threat intelligence analysis – all of which is covered in Continent 8’s WAAP (Web Application and API Protection) which prevents hackers gaining access to internal systems. An EDR/MDR and SOC/SIEM service can identify and remediate malicious applications, behaviour or breaches if a hacker or malware actually gains access to the network.
EGR: Can you tell us a bit more about web application firewalls, API protection and DDoS protection?
CL: A WAAP service contains WAF (Web Application Firewall), API Protection, Layer 7 DDoS and Bot Management tools. A WAAP service blocks attackers from exploiting vulnerabilities in the software running a website or web application. It does this by using signatures, rules, reputation lists and behavioural analysis. AI and machine learning are used to identify potential malicious use of a website and subsequently block attacks, whilst allowing legitimate requests through. Continent 8’s Cloud WAAP can also identify vulnerabilities within a customer’s website and AI can scan applications for vulnerabilities and help defend against attacks by suggesting new rules that improve protection and the security posture. This means operators can bring new features to the market quickly and have the security aspect managed and the threat mitigated automatically. API protection is another layer and secures the API from unauthorised access, data leaks and attacks, helping to safeguard intellectual property and sensitive data. The next layer is DDoS protection, which absorbs and filters malicious traffic to prevent service disruptions. In addition to the security services available, our WAAP also offers origin load balancing, global CDN, content acceleration as well as a wait room feature.
Highlighting these tools is a great way of showing how a multi-layered approach actually works and why it’s the most effective way of ensuring resilience. By having a WAAP toolkit, operators can pretty much mitigate the risk of falling victim to a successful attack via the web apps and APIs they use.