My name is Alex and I welcome you to my new web series entitled Paradox in CyberSpace.
Every week, I will be talking about:
- upcoming threats to the igaming industry
- and information technology issues in general
I will also address any questions that you would like me to answer.
My goal is to help you protect your company and assets from cybercrime, and to improve your tech department by streamlining your work processes and improving your workflow.
In this episode:
Pharming with a twist, or the invisible deception
Let’s talk about what I consider to be an upcoming threat to the igaming industry, targeting your online casino and sportsbook client database.
In this scenario, the target is the prized possession of an igaming website: the player’s e-mail address.
To achieve this, the attackers use pharming attacks, which focus on manipulating a system rather than tricking individuals into visiting a dangerous website.
While the goal remains the same, getting the victim to end up on a compromised website, the mechanism used to achieve it is different.
To understand the strategy, we must first describe the methods employed.
DNS Cache Poisoning
Let’s briefly discuss history. More specifically, the history of DNS Cache Poisoning.
In 2008, researcher Dan Kaminsky revealed one of the most severe Internet security threats ever: a weakness in the domain name system that made it possible for attackers to send users to fake websites instead of the real ones.
This works because authoritative nameserver information is cached in other servers called DNS caches.
The cache is usually closest to the client requesting a domain name resolution. It is meant to speed up the replies and offload the authoritative server.
DNS cache poisoning attacks were once popular but were easily averted by randomizing the number of the port sending the request, known as the source port. Before that, the only port used was number 53.
The attack succeeds by derandomizing the source port and works on all layers of caches in the DNS infrastructure, such as forwarders and resolvers.
The researchers found that 34% of the open resolvers on the internet are vulnerable, a figure that includes 85% of the most popular DNS services, including Google’s 126.96.36.199 and CloudFlare’s 188.8.131.52.
A. Attacker makes a query to a DNS resolver
B. Meanwhile, the authoritative DNS server is blocked by a DDoS attack to prevent a response
C. The attacker floods the DNS resolver with tons of queries carrying fake answers, covering all possible combinations of port numbers and transaction IDs
D. The attacker spoofs the IP of the authoritative nameserver to look legitimate
E. The real IP address is replaced by a fake one in the DNS cache
In this scenario, even if you typed the correct domain name in the address bar of your web browser, you would land on a clone of that website without even knowing it.
- Target the biggest website in one country
- Hit it with a DNS cache poisoning attack
- The client logs in at the legitimate URL and gives away their email and password to the attackers.
Even if the attack is discovered within the next 20 minutes, the DNS caches would remain compromised for the next 48 hours.
During that period the attacker would be able to collect the email addresses of thousands of your customers, making it worse if the attack is carried out during what is referred to as “payday” in the igaming industry.
This email database of paying customers can then be sold directly to your competitors or over the dark web.
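To make the two mechanics above concrete, here is a toy caching resolver written for this episode as an added illustration (it is not code from the series). It models the acceptance check at step C, where an off-path forged reply is only accepted if it matches both the 16-bit transaction ID and the UDP source port of an outstanding query, and the result of step E, where a poisoned record stays in the cache until its TTL runs out, which is why discovering the attack after 20 minutes does not end a 48-hour window. The domain casino.example, the address 203.0.113.66 and the random seed are constructed sample values.

```python
"""Toy caching resolver: txid + source-port matching, and TTL-bound cache entries.
Added example, not the series' code; names and addresses are constructed."""
import random
from dataclasses import dataclass, field

TXID_SPACE = 1 << 16                  # DNS transaction ID is 16 bits
EPHEMERAL_PORTS = range(1024, 65536)  # randomized source ports a resolver may pick
FORTY_EIGHT_HOURS = 48 * 3600         # the 48-hour window mentioned in the text


@dataclass
class ToyResolver:
    """Caching resolver that remembers outstanding queries by (txid, source port)."""
    randomize_port: bool = True
    pending: dict = field(default_factory=dict)  # (txid, sport) -> qname
    cache: dict = field(default_factory=dict)    # qname -> (ip, expires_at)
    rng: random.Random = field(default_factory=lambda: random.Random(7))  # constructed seed

    def send_query(self, qname):
        txid = self.rng.randrange(TXID_SPACE)
        sport = self.rng.choice(EPHEMERAL_PORTS) if self.randomize_port else 53
        self.pending[(txid, sport)] = qname
        return txid, sport

    def receive_response(self, txid, dport, qname, ip, ttl, now):
        """Accept a reply only if txid and destination port match an open query."""
        if self.pending.get((txid, dport)) != qname:
            return False                          # mismatch: dropped silently
        del self.pending[(txid, dport)]
        self.cache[qname] = (ip, now + ttl)       # cached for the full TTL
        return True

    def lookup(self, qname, now):
        entry = self.cache.get(qname)
        if entry is None:
            return None
        ip, expires_at = entry
        if now >= expires_at:
            del self.cache[qname]                 # record aged out with its TTL
            return None
        return ip


def forgery_space(randomize_port):
    """Number of (txid, port) pairs a blind spoofer has to cover."""
    return TXID_SPACE * (len(EPHEMERAL_PORTS) if randomize_port else 1)


def flood_assuming_port_53(resolver, qname, fake_ip, now=0):
    """Model of step C against a resolver: forged replies for every txid, all aimed
    at the old fixed source port 53. Returns how many replies it took for one to be
    accepted, or None if source-port randomization defeated the whole flood."""
    resolver.send_query(qname)
    for guess in range(TXID_SPACE):
        if resolver.receive_response(guess, 53, qname, fake_ip, FORTY_EIGHT_HOURS, now):
            return guess + 1
    return None


def poison_window(detected_after=20 * 60):
    """Step E: once a forged record with a 48h TTL is cached, noticing the attack
    20 minutes later does not evict it; it is served until the TTL expires."""
    r = ToyResolver(randomize_port=False)
    txid, sport = r.send_query("casino.example")
    r.receive_response(txid, sport, "casino.example", "203.0.113.66",
                       FORTY_EIGHT_HOURS, now=0)
    return (r.lookup("casino.example", now=detected_after),     # still poisoned
            r.lookup("casino.example", now=FORTY_EIGHT_HOURS))  # expired


if __name__ == "__main__":
    print("fixed port 53, combinations to cover:", forgery_space(False))
    print("random source port, combinations:", forgery_space(True))
    print("fixed port, forged replies until one is accepted:",
          flood_assuming_port_53(ToyResolver(randomize_port=False),
                                 "casino.example", "203.0.113.66"))
    print("random port, same flood:",
          flood_assuming_port_53(ToyResolver(), "casino.example", "203.0.113.66"))
    print("20 min after poisoning / at TTL expiry:", poison_window())
```

With a fixed source port the spoofer only has to cover 65,536 transaction IDs, so the flood always lands; with a randomized port the same flood misses entirely, which is the defence the text says averted the original attacks. The `poison_window` check is the reason the detection window and the exposure window differ: the cache, not the authoritative server, decides how long the forged record lives.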
- Use DNSSEC digitally signed records
- Use a registry lock
- Use 2FA at your registrar (e.g. GoDaddy)
- Don’t use the customer’s email address as their login.
- Generate a random username for them instead.
- Don’t rely exclusively on the client’s email address for password resets; use SMS or 2FA.
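The last three points describe an account model rather than a DNS setting, so here is a small implementation of them, added as an example for this episode and not taken from the series. The login handle is a random string that cannot be derived from the e-mail address, and a password reset requires proof from two channels (an e-mail token and an SMS code) so that someone who has only captured the inbox side of a reset cannot complete it. The service name `ResetService`, the ten-minute expiry, the five-attempt lockout and the player data are all constructed for the example.

```python
"""Random login handles and two-channel password reset.
Added example, not the series' code; player data and limits are constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def new_username():
    """Random login handle, independent of the e-mail address (e.g. 'p3fa9c1e0d2b7')."""
    return "p" + secrets.token_hex(6)


@dataclass
class Player:
    email: str
    phone: str
    username: str = field(default_factory=new_username)


def _digest(secret):
    # Store only a hash of each one-time secret, never the secret itself.
    return hashlib.sha256(secret.encode()).hexdigest()


@dataclass
class PendingReset:
    email_h: str
    sms_h: str
    expires_at: int
    failures: int = 0


@dataclass
class ResetService:
    ttl: int = 600            # both proofs expire after 10 minutes (constructed limit)
    max_failures: int = 5     # lock the reset after this many wrong attempts
    pending: dict = field(default_factory=dict)   # username -> PendingReset

    def start_reset(self, player, now):
        """Issue one token for the e-mail channel and one code for the SMS channel."""
        email_token = secrets.token_urlsafe(32)
        sms_code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[player.username] = PendingReset(
            _digest(email_token), _digest(sms_code), now + self.ttl)
        # A real service sends these out of band; they are returned here for the demo.
        return email_token, sms_code

    def complete_reset(self, username, email_token, sms_code, now):
        """Succeeds only with both proofs, before expiry, and only once."""
        rec = self.pending.get(username)
        if rec is None or now > rec.expires_at:
            self.pending.pop(username, None)
            return False
        ok = (hmac.compare_digest(rec.email_h, _digest(email_token))
              and hmac.compare_digest(rec.sms_h, _digest(sms_code)))
        if ok:
            del self.pending[username]            # single use
            return True
        rec.failures += 1
        if rec.failures >= self.max_failures:     # stop guessing of the 6-digit code
            del self.pending[username]
        return False


def wrong_code(code):
    """Helper for the demo: a six-digit code guaranteed to differ from `code`."""
    return f"{(int(code) + 1) % 10 ** 6:06d}"


def demo():
    """Returns (email token alone, both proofs, replay) -> (False, True, False)."""
    player = Player(email="alice@example.com", phone="+15550100")   # constructed
    svc = ResetService()
    email_token, sms_code = svc.start_reset(player, now=0)
    email_only = svc.complete_reset(player.username, email_token, wrong_code(sms_code), now=60)
    both = svc.complete_reset(player.username, email_token, sms_code, now=60)
    replay = svc.complete_reset(player.username, email_token, sms_code, now=61)
    return email_only, both, replay


if __name__ == "__main__":
    print(demo())
```

Because the username is random, a leaked list of e-mail addresses does not double as a list of logins, and because the reset needs the SMS code as well, the e-mail address on its own is not enough to take over the account.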
The method that I just described is the easiest way for an attacker to get his hands on your customer database and it’s much more lucrative than any other type of attack.
If your competitors get their hands on the email addresses of your paying customers, then they have the ability to generate an unlimited amount of recurring income, which is way more lucrative than the one-time payoff of a DDoS attack or a ransomware demand.
Bottom line, protect your DNS server with the proper security and isolate the email address of your players because the survival of your business depends on it.