New Type Of Hack Simultaneously Attacks 2,500 Gambling Sites


As hackers become more sophisticated, websites have had to become better and better at stopping their traditional attacks. While hackers hoping to profit from illegal online activity may choose to target any type of website, last year it was the online gambling world that became the center of a type of hack that experts had never seen before.

About the Hack

The hack in question impacted players at nearly 2,500 online gambling websites around the world. All of the sites had one thing in common: they featured a certification badge from the Gaming Portal Webmasters’ Association (GPWA). Ironically, the GPWA badge is meant to show that a site is trustworthy, but in this case, hackers exploited vulnerabilities in the GPWA protocols to make the websites bearing the symbol anything but safe.

When players logged into one of the affected sites, they would see odd pop-up windows with affiliate links. If they clicked on links to the products, an affiliate code was sent to a retailer like Amazon that would end up earning the hackers small commissions whenever people made purchases online.

While the hack didn’t cause any of the players to lose money, it likely was profitable for the cyber criminals, and it uncovered a vulnerability in websites that no one had conceived of before.

How the Hackers Did It

Without getting too technical, it’s necessary to understand a bit about how websites load if you want to understand how these hackers managed to infiltrate 2,500 gambling sites at once.

When you access a website, your computer requests a page from a specific address. The server at that address responds with the information your computer needs to load the site. On the websites involved in the injection attack, a duplicate request was also sent to a server controlled by the hackers, so that when loading the aforementioned certification badge, players’ computers received information either from GPWA.org or from the malicious QPWA.org site, which was registered in Romania. In most cases, the QPWA.org information would arrive first.
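The check below is an added example, not code from the original article or from GPWA: it audits the HTML a visitor's browser actually received for remotely loaded elements whose host is a near-miss of a trusted one, as QPWA.org is of GPWA.org. The allowlist, the distance threshold and the sample markup (including its file paths) are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: hosts this site intentionally loads remote elements from.
TRUSTED_HOSTS = {"gpwa.org"}

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

class RemoteElementCollector(HTMLParser):
    """Records the host of every remotely loaded script, image, frame or stylesheet."""
    def __init__(self):
        super().__init__()
        self.hosts = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "img", "iframe", "link"):
            return
        for name, value in attrs:
            if name in ("src", "href") and value:
                host = urlparse(value).hostname  # None for same-site relative paths
                if host:
                    self.hosts.append(host.lower())

def audit_remote_hosts(html, trusted=TRUSTED_HOSTS, max_distance=2):
    """Classify each remote host as trusted, lookalike (near-miss of a trusted host) or unlisted."""
    collector = RemoteElementCollector()
    collector.feed(html)
    verdicts = {}
    for host in collector.hosts:
        if host in trusted:
            verdicts[host] = "trusted"
        elif any(edit_distance(host, t) <= max_distance for t in trusted):
            verdicts[host] = "lookalike"
        else:
            verdicts[host] = "unlisted"
    return verdicts

# Constructed sample of a page as delivered to the client; paths are hypothetical.
SAMPLE_HTML = """
<img src="https://gpwa.org/seal.png">
<script src="//qpwa.org/seal.js"></script>
<script src="/static/app.js"></script>
<script src="https://cdn.example.net/lib.js"></script>
"""
```

Because the check runs on what the client received rather than on what the origin server sent, it can surface a substituted badge source that the site's own server logs would not show.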

Never before had hackers used remotely loaded elements to launch a hack in this way. The attack was so novel that three security researchers gave an entire presentation on it at a Black Hat conference.

Attack on Network Level

What made this new type of attack so effective was the fact that while most hacks usually take place on the servers, the one last year occurred on a network level. This is what made the attack so hard to spot, because gambling site analysts are usually on the lookout for suspicious behavior by monitoring their traffic, and as explained in an article by thesecurityblogger:

“In fact, if one were to look at server logs, no strange behavior would be noticeable. It is the discreet nature of the breach which allowed for such a mass attack such as this one. As a result, homepages were rerouted to a dummy Romanian site and affiliate IDs and tags were haphazardly being inserted throughout scripts.”

Tightening Security

Since the attack, the GPWA has once again been secured, while the Romanian website to which traffic was redirected has been taken down. The case has since been widely reviewed by security analysts across all industries because while gambling sites were the target this time around, this type of injection attack could just as easily involve sites in any niche. In the meantime, though, the script used to effect the hack and infiltrate the systems continues to baffle analysts, as does the identity of those who were responsible for the attack.

Nevertheless, one theory suggests that the hack may have originated from a rival gambling operator, as last year some gambling companies were found to have attacked their competitors in order to gain an advantage in a saturated industry. Elaborating further, the thesecurityblogger article stated:

“Investigations and legal trials are still ongoing for this particular case, but suspicions arising around their implication in this mass-scale compromise have risen within industry leads. Such an intricately engineered attack would require a very specific knowledge of industry systems.”

Others, however, have questioned whether a rival company would be prepared to go to such lengths in order to gain an edge over the competition.
