The recent cyberattacks on MGM Resorts and Caesars Entertainment reflect a sophistication developed by criminal hackers that requires renewed vigilance from operators, according to experts interviewed by security expert Willy Allison at the 19th World Game Protection Conference, held last week at the Tropicana in Las Vegas.
In a session titled “The Human Hacker,” Christopher Hadnagy, founder and CEO of Social-Engineer, LLC and author of the book Human Hacking, said hackers are using technology to refine their ability to penetrate what he calls “human firewalls,” through cons that use AI to scam employees of a given organization.
Hadnagy commented that over the past 10 years, bad actors have used the Dark Web to refine their skills, using websites designed to educate each other on developing opportunities for cybercrime.
Meanwhile, he said, artificial intelligence has advanced to the point where bad actors can use a “digital mask” to successfully scam people—so-called “vishing,” or voice phishing. He noted that AI permits callers to take away accents and imitate the voices of important executives in schemes, citing one instance where a hacker impersonated a person’s boss and convinced him to do a wire transfer of $25 million.
He also noted the recent instances in which casino cage managers were convinced their boss was telling them to deliver cash from the cage to locations outside the casino.
He said video phishing also is advancing in AI technology, and advised officials in charge of money to always second-guess and fact-check any request that is unusual. That includes text messages, now vulnerable to another AI method, “smishing,” or SMS phishing.
He said it is vital for operators to stay ahead of the game. “Two weeks ago is like 100 years ago in AI,” he said.
Hadnagy also noted the ease with which ransomware can be downloaded from the Dark Web. He said one reason the MGM ransomware attack was successful was that MGM had insufficient backup systems—a “flat network” in which all systems are bunched together.
Hadnagy described how his company is normally hired to instigate hacks of companies, to reveal where they are vulnerable and advise how to guard against cybercrime. He said it is vital that companies falling victim to attacks share information with other companies, whether or not they are competitors.
Another session at WGPC addressed vulnerabilities of casino equipment and games to hacking. In a session titled “Hacking and Rigging Casino Equipment: Not Everyone Can Do it… But Some Can,” security researcher Joseph Tartaro, a principal security consultant at IOActive, broke down the recent report on the vulnerability of casino card shufflers to hacking.
IOActive audits equipment to reveal how bad actors may compromise it to their advantage. Tartaro described his research project that revealed the vulnerabilities to hacking in the popular Deck Mate automatic shuffler. He was able to show how the shuffler could be altered by bad actors to reveal the order of the deck in a baccarat, poker or other table game, and relay that information to a player, whether or not the player is assisted by a dealer accomplice.
Tartaro revealed how easy the prep work was for the project. He said he was able to download service manuals and public patent information, and to buy an actual Deck Mate unit on eBay, and reverse-engineer the unit (actually, two—the earlier version required a crooked dealer to help; the revised version, with a camera, did not) to reveal its vulnerabilities.
The presentation, which showed how researchers reveal the methods of so-called “Black Hat” hackers, led right into the next session, titled “Call Them What You Want—They’re Con Men!” R. Paul Wilson, world-renowned magician, author of The Art of the Con and expert on the art of deception, emphasized that cybercriminals are basically con men, and the best way to battle cybercrime is to enlist those con men to reveal where a company’s vulnerabilities are.
Wilson likened this activity to “war games,” because as in the military world, companies need to simulate how an attack may proceed. “You need to talk to people who know how to attack,” he said.
Wilson also noted how rapidly the sophistication of scams and cons has accelerated with technology, from old scams like the “Jamaican switch,” where one person tricks another into thinking they need help handling a large sum of money, to advanced attacks that developed after the Covid-19 crisis, when people took their laptops home and operated them with vulnerable home Wi-Fi, to the cyberattacks that are now accelerating against resort casinos and other entertainment venues.
“The world has changed around us,” Wilson said.
As noted by Hadnagy, Wilson said one thing making the hacking problem worse is the fact that victims of hacks are reluctant to share what has happened, particularly with competitors. “Scammers count on that,” he said.