Continent 8 (C8) has been securing iGaming businesses and data for almost 25 years, initially against DDoS attacks but now through a host of MSSP (Managed Security Service Provider) solutions, providing a multi-layered offering to customers.
Based upon this experience, and recent documented attacks against major operators like DraftKings, Justin Cosnett (Chief Product Officer) has provided a quick reference guide to the recent attack types, and what can be done by iGaming and online sportsbook operators to prevent or protect against them.
Recent Attack against DraftKings
As widely reported (example from the Register), in November 2022 DraftKings (the American daily fantasy sports contest and sports betting company) customers were the victims of an attack which reportedly siphoned off as much as $300,000 from accounts.
Whilst DraftKings' own systems weren't breached, the attack against customer accounts caused significant impact for end users and received wide coverage. Events like this can result in reputational damage and the potential loss of unhappy customers to other operators.
The attack form reported was 'credential stuffing': usernames (often email addresses) and passwords which had been compromised or exploited elsewhere were being used to gain access to the accounts of those same customers at DraftKings. Human nature drives people to take the path of least resistance, and when it comes to login credentials, many people use the same details for many different websites, making an exploit easier for attackers.
Login details, bought and sold on the dark web, can be combined with automated software to launch thousands or millions of brute-force logon attempts.
Sites like iGaming and sportsbook operators are attractive targets, as customers will often have a balance of funds available to easily transfer out, and the growth of the industry leads to a perceived growth in the value which attackers expect to extract.
How to Prevent
This type of attack has several potential ways to limit or reduce its potential for damage:
User Education and Action
- Using different passwords for different sites – simple to say but often difficult to do: users have hundreds of online accounts nowadays and the temptation to re-use a password is high. There are tools which can be used to store passwords, and many of these (Apple's Keychain, for example) will assess and report on password re-use and even known compromised accounts.
- Using 2FA/MFA (two- or multi-factor authentication) when it's available – this isn't foolproof, but it can prevent or limit blunt-force credential stuffing attacks.
- Mandating 2FA/MFA – leaving this optional, or not the default authentication method, not only leaves customers prone to this type of attack but can also be used against the user following the initial exploit logon (as some users reported in this attack): attackers can enable MFA AFTER compromising the account to give themselves adequate time to siphon off user monies or other data.
- Using a WAAP (web application and API protection) or WAF – for credential stuffing defence. Similar to the Apple Keychain function for the end user, the WAAP provider will have obtained the same lists of compromised user credentials and uses that database to identify attempts to use these accounts. Operator administrators can then set up the WAAP to take various actions including logging, alerting, or simply blocking – using the intelligence to prevent an attack on behalf of the user and to the benefit of the operator.
- Using a WAAP (web application and API protection) or WAF – for connection limits. Whilst this can also be coded into an application, it allows an operator's administrator to use the WAAP to limit the number of user logon attempts, and to render a logon disabled for a period or until authenticated.
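To make the connection-limit measure in the last bullet concrete, here is an added example that is not Continent 8's code or a FortiWeb configuration: a small per-account login attempt limiter of the kind an operator could implement in the application or configure at the WAAP. It counts failed logons per username within a sliding window, disables the logon for a lockout period once the threshold is reached, and clears the counters when the user authenticates successfully. The class name, the thresholds and the sample attempt sequence are all assumptions constructed for the example.

```python
from collections import defaultdict, deque

# Hypothetical per-account logon limiter (assumed design, not a vendor feature).
# key = the username being logged on to; timestamps are seconds.
class LoginAttemptLimiter:
    def __init__(self, max_failures=5, window_seconds=60, lockout_seconds=300):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures = defaultdict(deque)   # key -> timestamps of recent failures
        self._locked_until = {}               # key -> time the lock expires

    def _prune(self, key, now):
        # Drop failures that have fallen outside the sliding window.
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_allowed(self, key, now):
        """True if a logon attempt for this key may proceed right now."""
        until = self._locked_until.get(key)
        if until is not None:
            if now < until:
                return False              # still locked: reject even a correct password
            del self._locked_until[key]   # lock expired
            self._failures[key].clear()
        return True

    def record_failure(self, key, now):
        """Register a failed logon; returns True when the key becomes locked."""
        self._prune(key, now)
        self._failures[key].append(now)
        if len(self._failures[key]) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            return True
        return False

    def record_success(self, key):
        """A successful, authenticated logon clears the counters and any lock."""
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)


# Constructed sample: a stuffing burst of six attempts against one account within
# a few seconds (the sixth with the correct password), one unrelated failure,
# and a legitimate retry by the real user after the lockout has expired.
SAMPLE_ATTEMPTS = [
    # (timestamp, username, password_was_correct)
    (0.0,   "alice@example.com", False),
    (0.5,   "alice@example.com", False),
    (1.0,   "alice@example.com", False),
    (1.0,   "bob@example.com",   False),
    (1.5,   "alice@example.com", False),
    (2.0,   "alice@example.com", False),
    (2.5,   "alice@example.com", True),
    (400.0, "alice@example.com", True),
]

def simulate(attempts, limiter=None):
    """Run the attempts through the limiter; returns (ts, user, outcome) tuples."""
    limiter = limiter or LoginAttemptLimiter()
    outcomes = []
    for ts, user, password_ok in attempts:
        key = user.lower()
        if not limiter.is_allowed(key, ts):
            outcomes.append((ts, user, "blocked"))
            continue
        if password_ok:
            limiter.record_success(key)
            outcomes.append((ts, user, "success"))
        else:
            locked = limiter.record_failure(key, ts)
            outcomes.append((ts, user, "locked" if locked else "failed"))
    return outcomes

if __name__ == "__main__":
    for row in simulate(SAMPLE_ATTEMPTS):
        print(row)
```

Note the attempt at 2.5 seconds: the bot has reached the correct password, but the account is already disabled for the lockout period, so the logon is rejected and logged as blocked. Keying the limiter on the username (rather than only the source IP) is what makes this effective against distributed stuffing, where each attempt can come from a different address.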
Continent 8’s WAAP Protection
Our WAAP (previously known as WAF – Web Application Firewall) protects against Account Takeover including specifically Credential Stuffing.
The Account Takeover feature allows you to detect and protect against account takeover threats. Our Cloud WAAP tracks the authentication URL to an operator’s website and identifies all user access. Attack logs reference the username and additional protection capabilities such as Credential Stuffing Protection and Session Fixation Protection.
Continent 8’s Cloud WAAP uses a user tracking rule to track users. When Continent 8 Cloud WAAP detects users that match the criteria you specify in the user tracking rule, it stores the session ID and username.
The solution tracks only users who have logged in successfully. It uses one of the following methods to determine whether a login is successful:
- The response matches a condition the operator specifies, such as a return code, a specific redirect URL or a string in the response body.
- If the response does not match a condition in Authentication Successful Condition, C8's Cloud WAAP uses the default result: failed.
NOTE: Our Cloud WAAP stops tracking users when either of the following two events occurs:
- The user request contains the log off URL that the operator specifies
- The session is idle for longer than a session timeout value
Enabling Credential Stuffing Protection utilises a defence database to protect against credential stuffing attacks. When this setting is enabled, our Cloud WAAP evaluates the username (Username Field) and password (Password Field) of the matched login requests against the Credential Stuffing Defence database to identify whether the paired username/password has been spilled.
We have uniquely combined the benefits of Fortinet's FortiWeb capabilities with the Continent 8 DDoS-protected global private network and edge cloud to provide a WAAP tailored for iGaming. We protect via an in-line cloud between users and the operators' systems, reducing latency and expanding reach to best suit iGaming locations.
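The user tracking rule, the Authentication Successful Condition, the log-off and idle-timeout rules, and the Credential Stuffing Defence lookup described above (and in the WAAP bullet under "User Education and Action") fit together in the following added example. It is illustrative code written for this page, not Continent 8's or FortiWeb's implementation: the request and response dictionaries, the field names, the URLs and the breached-pair database are all constructed for the example, and the database stores SHA-256 digests of the pair rather than plaintext passwords so the spilled list itself never holds reusable secrets.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for a credential stuffing defence database. A real one
# holds username/password pairs spilled in third-party breaches; this one holds
# SHA-256 digests of "username:password" (username lower-cased).
def pair_digest(username, password):
    return hashlib.sha256(f"{username.lower()}:{password}".encode()).hexdigest()

SPILLED_PAIRS = {
    pair_digest("alice@example.com", "Winter2020!"),   # constructed sample pair
    pair_digest("carol@example.com", "hunter2"),       # constructed sample pair
}

@dataclass
class SuccessCondition:
    """Authentication Successful Condition: any one matching criterion counts."""
    status_code: Optional[int] = None
    redirect_url: Optional[str] = None
    body_string: Optional[str] = None

    def matches(self, response):
        if self.status_code is not None and response.get("status") == self.status_code:
            return True
        if self.redirect_url is not None and \
                response.get("headers", {}).get("Location") == self.redirect_url:
            return True
        if self.body_string is not None and self.body_string in response.get("body", ""):
            return True
        return False   # nothing matched: the default result is "failed"

@dataclass
class UserTracker:
    """Hypothetical user tracking rule: assumed field and URL names."""
    login_url: str
    logoff_url: str
    username_field: str
    password_field: str
    success: SuccessCondition
    session_timeout: float                      # seconds of idle time before tracking stops
    spilled_db: set = field(default_factory=set)
    sessions: dict = field(default_factory=dict)  # session_id -> [username, last_seen]

    def _expire_idle(self, now):
        for sid, (_user, last_seen) in list(self.sessions.items()):
            if now - last_seen > self.session_timeout:
                del self.sessions[sid]

    def process(self, request, response, now):
        """Evaluate one request/response pair; returns the log events it produces."""
        self._expire_idle(now)
        events = []
        sid = request.get("session_id")
        if request["path"] == self.login_url:
            user = request["form"].get(self.username_field, "")
            pw = request["form"].get(self.password_field, "")
            if pair_digest(user, pw) in self.spilled_db:
                events.append(("credential_stuffing", user))   # log/alert/block decision point
            if self.success.matches(response):
                self.sessions[sid] = [user, now]               # start tracking this user
                events.append(("login_success", user))
            else:
                events.append(("login_failed", user))
        elif request["path"] == self.logoff_url and sid in self.sessions:
            user, _ = self.sessions.pop(sid)                   # log-off URL ends tracking
            events.append(("logoff", user))
        elif sid in self.sessions:
            self.sessions[sid][1] = now                        # refresh idle timer
            events.append(("tracked_request", self.sessions[sid][0]))
        else:
            events.append(("untracked_request", None))
        return events

    def tracked_usernames(self):
        return sorted(u for u, _ in self.sessions.values())

def run_sample():
    """Replay constructed traffic through the tracker; returns (log, still-tracked users)."""
    tracker = UserTracker(
        login_url="/api/login", logoff_url="/api/logout",
        username_field="email", password_field="password",
        success=SuccessCondition(status_code=302, redirect_url="/account"),
        session_timeout=900, spilled_db=SPILLED_PAIRS,
    )
    login = lambda sid, email, pw: {"path": "/api/login", "session_id": sid,
                                    "form": {"email": email, "password": pw}}
    ok = {"status": 302, "headers": {"Location": "/account"}}
    traffic = [  # (timestamp, request, response), all constructed
        (0,    login("s1", "alice@example.com", "Winter2020!"), ok),
        (5,    {"path": "/api/balance", "session_id": "s1", "form": {}}, {"status": 200}),
        (10,   login("s2", "bob@example.com", "wrong-guess"), {"status": 200, "body": "Invalid login"}),
        (20,   {"path": "/api/logout", "session_id": "s1", "form": {}}, {"status": 200}),
        (30,   login("s3", "carol@example.com", "Correct-Horse"), ok),
        (1000, {"path": "/api/balance", "session_id": "s3", "form": {}}, {"status": 200}),
    ]
    log = [(ts, ev) for ts, req, resp in traffic for ev in tracker.process(req, resp, ts)]
    return log, tracker.tracked_usernames()

if __name__ == "__main__":
    for entry in run_sample()[0]:
        print(entry)
```

In the replayed traffic, alice's login succeeds but her pair is in the spilled list, so the WAAP would raise a credential stuffing event alongside the login success (the operator's configured action decides whether that is logged, alerted or blocked). Carol's pair is not the spilled one, so only a login success is recorded, and her session stops being tracked once it has idled past the timeout, which is why the final balance request is untracked.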
Justin Cosnett, Chief Product Officer at Continent 8 Technologies
Is your information protected? Do you have the safeguards in place to protect your web applications and APIs?