Hacking the House: Insights on Social Engineering Tactics

In 2023, cybersecurity was undoubtedly the biggest topic of conversation throughout the gaming world, and for good reason, given the high-profile attacks that rocked the industry. In efforts to change that narrative for 2024, cybersecurity expert Mishaal Khan (l.) breaks down various hacking techniques and how to combat them.

Hacking the House: Insights on Social Engineering Tactics

Last year, multiple renowned U.S. casino operators became the victims of large-scale cyberattacks, setting a chilling precedent for the industry. The attacks, which involved skilled hackers breaching the companies’ security systems, exposed the fragility of the most seemingly secure networks. These incidents are monumental in scope and serve as a grim reminder of the growing intensity of cyber threats targeting casinos.

From the classic phishing scams to the more intricate social engineering and ransomware attacks, the variety and complexity of these threats are as varied as the games on a casino floor. As we scratch the surface of this shadowy realm of digital predators and their evolving tactics, it becomes clear that there is an urgent need for increased vigilance and stronger cybersecurity measures. Through real-world examples, this article will explore how these attacks unfold and provide strategic advice on fortifying defenses against these digital threats looming over the glittering lights of casino resorts, where a single click could open the door to an unseen adversary.

Contrary to the intricate coding and password cracking usually portrayed in films, where a lone hacker types away in a secluded van, real-world cybercriminals often capitalize on human weaknesses to execute successful attacks. Social engineering, a prevalent method in these complex security breaches, leverages publicly accessible information to manipulate targets. This approach includes tactics such as phishing, where deceptive emails are sent, vishing, involving fraudulent phone calls, and various forms of impersonation.

All these techniques are designed to manipulate individuals into revealing confidential information or granting access to protected data and systems.

OSINT

Open source intelligence (OSINT) is a growing field in modern cyberattacks. OSINT involves gathering information from publicly available sources, which can then be weaponized for targeted attacks.

OSINT significantly enhances the effectiveness of social engineering attacks in the casino industry. With thorough reconnaissance, attackers can gather extensive information about their targets, like their interests, work history, phone numbers, emails, family members’ information, and even passwords from older breaches. Using this information creatively lends credibility and persuasiveness to their deceptive tactics.

To counteract the risks posed by OSINT, casinos must prioritize employee awareness about the potential misuse of their public digital footprint. Regular training sessions should be conducted to educate employees about the importance of privacy settings and the risks associated with sharing too much information online.

Social Engineering

Armed with all this information, an attacker will craft the perfect social engineering attack to exploit human vulnerabilities.

Social engineering attacks represent a unique threat in the cybersecurity landscape, particularly in the casino industry. Unlike traditional cyber threats that target system vulnerabilities, social engineering exploits human psychology to gain unauthorized access or information. The most prominent attack method starts with phishing.

Phishing

Phishing remains a primary weapon for cybercriminals targeting the casino industry, where attackers trick employees into revealing sensitive information through deceptive emails or messages. Phishing often advances to the next phase, where the user is tricked into downloading software through a link or attachment that infects their computer. This infection could corrupt the system (Ransomware) or allow remote access to the hackers to exfiltrate data.

In late 2023, the Stake cryptocurrency casino was hacked, leading to the theft of $41 million in cryptocurrencies. Hackers broke into the casino’s hot wallets through a phishing attack and stole various digital currencies. They then moved the funds to different wallets to avoid being tracked.

Examples like these, and many others that have not gone public, underscore the critical need for casinos to implement robust cybersecurity defenses against phishing. This includes comprehensive staff training to recognize and respond to phishing attempts effectively. Additionally, casinos should invest in advanced email filtering technologies, regularly update their cybersecurity protocols, and conduct routine security audits. Implementing multi-factor authentication can add an extra layer of security, reducing the risk of unauthorized access.

BEC

Sometimes the email isn’t “phishy,” or it doesn’t come from a lookalike domain. Oftentimes, the email is hacked and used to fool the other party.

In late 2023, Bally’s Evansville, a prominent casino in Indiana, fell victim to an email phishing scam known as Business Email Compromise (BEC). This resulted in a significant financial loss of over $212,000. The construction vendor they were using had their email compromised. The scammers pretended to be the vendor and had their bank details changed. Trusting the email’s authenticity, Bally’s Evansville transferred $212,000 to the scammer’s bank account, only later realizing that the entire interaction was part of a well-orchestrated phishing scam​​.

Vishing

To enhance the effectiveness of phishing emails, hackers will often follow up with calls, impersonating others. Vishing, or voice phishing, is an increasingly prevalent threat in the casino industry, using phone calls to deceive and manipulate their targets into divulging sensitive information, accessing emails that were caught up in the junk folder, or convincing them to download files that provide remote backdoor access to the hacker.

AI Voice Cloning

With the advancements of AI, hackers are now using voice cloning to make it even more difficult for the victims to recognize the legitimacy of the call.

In early 2020, an elaborate fraud scheme involved deep voice technology to clone the speech of a company director. A branch manager of a Japanese company in Hong Kong, believing he was speaking with his director, was instructed to transfer $35 million for a supposed acquisition. The scam, coordinated with emails from the director and a lawyer, led to the manager transferring the funds. However, it was later discovered that fraudsters had used voice cloning technology to mimic the director’s voice.

This incident is among the first known cases where voice-shaping tools were used for a large-scale financial heist, underscoring the emerging threat of AI technology in cybercrime. Voice synthesis or cloning technology is now widely available to anyone.

For these scams to be successful, attackers first need to obtain their target’s contact details, often through publicly available information. A scammer can take your voice from podcasts, YouTube videos, voicemail, or simply a 30-second call with you over the phone.

This highlights the importance for companies, including casinos, to safeguard sensitive contact information and educate their employees on recognizing and responding to vishing attempts by following strict protocols and verifying using secondary means. Tactics like asking open-ended questions, having them repeat, or asking specific personal questions can expose voice cloning attacks as the human ear can pick up a pre-recorded or robotic voice. Simply hanging up and calling back the person using their known number can disrupt an attack like this.

Impersonation

Impersonating known and trusted entities has been used for physical thefts for ages. With the ease of caller ID spoofing, remote attacks can utilize impersonation attacks much better. A member of the hacker group responsible for the attack on MGM Resorts boasted about the ease of the infiltration. They claimed it took just ten minutes to gain access by impersonating an MGM tech employee, using information inferred from LinkedIn, and then calling the company’s support desk with a password reset request.

This breach of protocol allowed them to gain elevated access and launch a ransomware attack, causing extensive operational disruptions​​ of approximately $100 million in losses, primarily in rebuilding its IT systems. The stolen data eventually leaked. This incident underscores the critical need for vigilance in verifying the identity of individuals requesting sensitive access.

Ransomware

Most attacks will use a combination of tactics to be successful. Caesars Entertainment suffered a ransomware attack following a social engineering scheme targeting an outsourced IT support vendor. The attackers were able to steal data from Caesars’ loyalty database, exposing sensitive information such as driver’s licenses and Social Security numbers. This breach, leading to a $15 million ransom payment, highlighted the significance of securing third-party vendor relationships against such attacks.

The examples of MGM Resorts International and Caesars Entertainment demonstrate the urgent need for robust defenses against social engineering, highlighting that even the most secure organizations can fall prey to these human-focused cyberattacks.

Insider Threats

An often overlooked yet critical aspect of casino cybersecurity includes insider threats. Insider threats come from individuals within the organization, such as employees, contractors or business partners who have access to sensitive information and systems.

These threats can manifest as deliberate theft, sabotage, or inadvertent errors leading to security breaches. In the past, we have seen malicious insiders siphoning off funds that only got noticed because of routine audits. Insider threats are particularly challenging to detect and prevent because they involve individuals who legitimately have access to the casino’s systems.

Imagine an IT systems administrator who has remote access to critical systems. How well are we protecting their access and monitoring their activity? Are the employee onboarding and offboarding procedures locked down? Is the employee collaborating with a hacker for financial gain, or are they simply disgruntled?

Insider threats pose a unique challenge to casino cybersecurity, necessitating a blend of technological, procedural and cultural approaches to manage the risk effectively. Rigorous vetting, background checks, monitoring access controls, audits and awareness training help reduce the impact.

Layered Approach

A multi-faceted strategy is essential to counter the myriad of cyber threats facing casinos effectively. This is often termed as defense-in-depth or a layered approach in the cybersecurity world. The idea is that if hackers can bypass one layer of security, additional layers are presented to stop the attack. To mitigate social engineering and OSINT risks, casinos must control public information, regularly audit digital footprints and verify identities meticulously.

Comprehensive employee training and robust email security configurations are crucial for phishing and BEC attacks. Regular data backups, software updates and a strong incident response plan are key in facing ransomware threats.

Insider threats require rigorous employee vetting, strict access controls and regular financial and data audits. Regular security awareness sessions and simulations can help staff recognize and report suspicious activities. Casinos should also regularly review and secure vendor and third-party relationships, as these can be exploited as entry points for attackers.

Across all these domains, fostering a culture of cybersecurity awareness and implementing advanced technological defenses like multi-factor authentication and network monitoring will bolster the casino’s resilience against these diverse and evolving cyber threats.

As an “ethical hacker,” I always say, “If you haven’t tested it, it doesn’t work.” Finally, test your security by proactively hiring ethical hackers to simulate actual attacks and provide actionable advice on protecting against them.

Articles by Author: Mishaal Khan

Mishaal Khan is a subject matter expert in cybersecurity, Open Source Intelligence, social engineering, ethical hacking, and privacy. Mishaal has worked with multinational companies for over 20 years, securing their networks and providing executive-level consultancy as a Chief Information Security Officer (CISO) to manage risk and avoid breaches. He will be a speaker at the World Game Protection Conference in Las Vegas, February 27-29, 2024. www.worldgameprotection.com/

**GGBNews.com is part of the Clarion Events Group of companies (Clarion). We take your privacy seriously. By registering for this newsletter we wish to use your information on the basis of our legitimate interests to keep in contact with you about other relevant events, products and services which may be of interest to you. We will only ever use the information we collect or receive about you in accordance with our Privacy Policy. You may manage your preferences or unsubscribe at any time using the link in our emails.