Risky business: how humans are vulnerable to cyber crime

11 February 2020

Ahead of the return of TV show Hunted this week, one of its hunters told a panel at ICE that cyber criminals are increasingly targeting humans rather than networks and that this has implications for igaming.

It’s long been normal practice for organisations to look at candidates’ social media activity to determine their suitability before hiring them and also to monitor this once they’ve joined the team.

Obviously if someone is posting about illegal drug use or expressing offensive views it’s going to count against them either becoming or remaining employed.

But even the more mundane and seemingly innocuous sharing of information online can pose a big risk to businesses, the audience heard at last week’s cybercrime keynote session at ICE.

The dangers of our oversharing culture

Ben Owen, the cyber-security consultant dubbed ‘the Boss’ on UK broadcaster Channel Four’s gameshow Hunted, said the trend towards oversharing among employees had big implications for igaming firms.

“We live in a world now where fortunately or unfortunately, however you look at it, we put our breakfast, lunch and dinner on social media,” he said.

“We give away too much information. It’s great for us because that is what we’re paid for, to exploit and find the loopholes, really bad for businesses and individuals that are concerned about their business and personal security.”

On Hunted, a show where contestants have to try to evade capture for up to 28 days, though the team do use physical tools such as CCTV, Owen said 90% of fugitives were caught because of information found in the digital space.

And while Hunted may be just a television show, the ease with which the investigators can get a “digital window” into contestants’ lives is something criminals have also picked up on, said Owen.

He said that very quickly criminals can now carry out a “pattern of life” analysis that tells them where a person lives, who is in their family, what car they drive, what route they take to work and what pub they drink in, among other things

They can then use the information to blackmail targets to carry out cyber attacks at their workplaces.

For example, they might tell a target to, “go to a piece of hardware and plug a USB stick in, because if they don’t we will tell their wife or husband something that the wife or husband might not know.

“It is used universally across the globe by spy agencies – it is a well-known tactic – and it absolutely works in this environment as well.”

Shift in approach

Ironically, it is in part the sophistication of the igaming industry that has led criminals to favour such tactics.

“In the gaming industry, of course you employ the best IT individuals you can possibly get your hands on, you are going to have the bet software, the best tools, the best IT equipment you can have.

“So really if I am an adversary, I am not going to go through the conventional route of trying to hack into your systems. It is going to be too difficult unless I get really lucky,” said Owen.

“What we are finding more and more now is that hackers and adversaries are becoming a lot more complex and a lot more shrewd.

“They are getting the inclination to find that back route into that organisation. They don’t want to do the approach via cyber networks because networks and IT experts are getting much better year on year.”

Data risk

One common back route used by criminals is to purchase hacked subscription lists. In his presentation, Owen gave as one example his own previous membership of a flexible gym service

He demonstrated that he had been able to buy online both his email address and password for the service, which had been breached.

“The more we subscribe to, the more vulnerable we are, the less we have control of our data. We could sign up for 10 social media sites or online subscriptions but we don’t know what the organisations are doing with that information. In this instance they weren’t doing very well.

He said it was common for subscription lists to be breached and that breach lists could be purchased by criminals from dump sites for as little as £1.50.

Commonly, they then use that information to extort money from individuals, he said. Typically they email targets to let them know they have their email address and password and suggest they also have incriminating webcam footage of the target that they will release online unless a ransom payment is made, usually in bitcoin.

“Most people just pay it because they think, well how have they got my email address and how have they got my password? It must be legitimate. And they are just chancers. They will do it in bulk and send it out to 200 people.”

Indeed, in early 2019 cybersecurity software firm Symantec said it had seen a revival of this type of email extortion since mid-2018. In the first five months of 2019 alone, it said it had blocked 289 million such extortion attempts.

In the US, the FBI Internet Crime Complaint Centre’s 2018 Internet Crime Report said the agency had received more than 50,000 complaints about this type of extortion attempt, a 242% rise on the previous year. It said consumers had lost more than $83m to these scams, typically handing over virtual currency.

“The majority of extortion complaints received in 2018 were part of a sextortion campaign in which victims received an email threatening to send a pornographic video of them or other compromising information to family, friends, coworkers, or social network contacts if a ransom was not paid,” the report said.

Business implications

It would be easy to assume that if such scams affected igaming employees, it would be on a personal level, but Owen said the increasing crossover between work and personal lives means it also has implications for businesses.

“You will find more and more now people are using their corporate emails to subscribe and sign up for personal accounts online because they think it is obfuscation, just using work mails, and that is where it becomes really difficult for organisations to keep it clean and sanitise the work versus the personal.”

If a criminal wants to target a company, it can simply search the company for breaches. “If I wanted to look at an organisation, I could look and scan that whole domain, say joebloggs.com, so I can find whoever has been breached in that organisation. It gives me a list of who has been breached and what emails they are using and their passwords.”

Worryingly, Owen’s search on a number of casino domains threw up a large number of breaches: 58 at Hippodrome Casino, 83 at Genting Casinos and an alarming 1,458 at the Venetian.

Owen said it was imperative that gambling companies invested more in assessing the human component of the cyber risks faced by their business and that any vulnerabilities should be addressed immediately.

“As organisations we just need to be really mindful about human vulnerability. Yes, we can spend millions of pounds on recruiting the best IT experts, getting a really good leadership team in place, getting the best tools on the market, but what about the individuals that work there?

“A full cyber threat assessment should be undertaken with a view on the people and not the technology. Humans are fallible.”