YOUNGSTOWN, Ohio – Online sports betting has delivered to cybercriminals a fresh opportunity for theft, and they like their odds.
The crooks often gain access to company databases by targeting employees who are placing sports wagers from their office computer, say security experts. These bad actors can steal passwords or financial information about a company and its clients and then use it in nefarious ways or resell it on the dark web.
But there are ways to keep them out, says Mercy Komar, an internet security expert for L. Calvin Jones Insurance of Canfield. Step No. 1 is to have the IT department block access to gaming or sports betting websites.
Employees should never be allowed to use a company computer to visit websites where financial information or credit card numbers are entered and stored. These include shopping, gaming and, now, sports betting sites.
“You don’t want to do anything that would jeopardize company security,” Komar says.
Most companies already block certain types of websites, including shopping, gambling and porn. “But maybe they haven’t thought of sports betting until now,” Komar says.
The danger is insidious.
“Once [an employee’s] information is in [a sports book’s] computer system, [that employee] will use it over and over and that opens up the computer system to a cybercriminal coming in from the other direction,” Komar says. “If an employee places a bet, there’s a chance that their company’s information can be explored and stolen. Anyone looking to do a breach can do it through online betting.”
Educating employees on what to look for is another way to protect the office computer system, says Lacy Rex, vice president and cyber strategic leader for Cleveland-based Oswald Companies, a risk adviser and insurance firm.
Sports betting became legal in the Buckeye State on Jan. 1, 2023, with dozens of online sportsbooks, and a few brick-and-mortar ones, swarming into the market. Online wagers can be placed via smartphone apps or from desktop computers.
Many young adults have a false sense of security when it comes to the Internet, Rex says, and this can make it easier for criminals. Younger men are the primary clients of online sports books.
“[They] have these beliefs that [all websites] are secure because they grew up with them,” Rex says. “They tend to reuse passwords, ignore system upgrade prompts, accept cookies and other things like that.”
A study has shown that men are more likely than women to click ads and promotions, Rex says.
Cybercriminals have already found the wagering websites themselves to be attractive targets. “Any site that collects financial and personal information, in huge numbers, will be a higher value target,” Rex says. Bet MGM disclosed in December that its customer records had been breached, she notes, with data from 1.5 million customers compromised.
The breach was discovered in November, but Bet MGM believes it happened in May, according to BleepingComputer.com.
In a news release, Bet MGM claimed that there was no evidence that patron passwords or customer account funds were accessed, and said it took steps to further enhance its security.
DraftKings, another online sportsbook, disclosed a breach in November 2022. Over 67,000 customer accounts were exposed, and over $300,000 was stolen from them. The attackers got in through a “credential stuffing” attack: they took usernames and passwords leaked in earlier breaches of other services and tried those same pairs, at scale, against the DraftKings login.
These attacks work against users who reuse the same password on multiple sites, according to the New Jersey Cybersecurity and Communications Integration Cell, that state’s clearinghouse for cybersecurity information. A password shared between a sportsbook account and a work account turns a breach of the former into a way into the latter.
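What a credential-stuffing run looks like from the defender's side, as an added example that is not code from the article, from DraftKings or from BetMGM: the authentication log lines below are constructed, and the thresholds (ten distinct accounts in five minutes, success rate at or below 30 percent) are illustrative assumptions. The signature being detected is one source trying many different accounts with mostly failures, which is what replaying leaked credential pairs produces; a single user retrying their own password from one address must not trip it.

```python
"""
Spotting a credential-stuffing run in authentication logs.

Added example, not code from the article, DraftKings or BetMGM; the log
lines below are constructed. Credential stuffing replays username/password
pairs leaked from other sites, so its signature is one source trying many
DIFFERENT accounts in a short window with a low success rate. A single user
mistyping their own password (same account, same source) must not trip it.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: "<ISO timestamp> <source IP> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2023-01-05T10:00:01 203.0.113.7 alice FAIL
2023-01-05T10:00:02 203.0.113.7 bob FAIL
2023-01-05T10:00:02 203.0.113.7 carol FAIL
2023-01-05T10:00:03 203.0.113.7 dave OK
2023-01-05T10:00:03 203.0.113.7 erin FAIL
2023-01-05T10:00:04 203.0.113.7 frank FAIL
2023-01-05T10:00:04 203.0.113.7 grace FAIL
2023-01-05T10:00:05 203.0.113.7 heidi FAIL
2023-01-05T10:00:05 203.0.113.7 ivan FAIL
2023-01-05T10:00:06 203.0.113.7 judy FAIL
2023-01-05T10:00:06 203.0.113.7 mallory OK
2023-01-05T10:00:07 203.0.113.7 niaj FAIL
2023-01-05T10:01:00 198.51.100.9 alice FAIL
2023-01-05T10:01:05 198.51.100.9 alice FAIL
2023-01-05T10:01:09 198.51.100.9 alice OK
2023-01-05T10:02:00 192.0.2.44 bob OK
"""


def parse_log(text):
    """Turn the whitespace-separated lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip,
                       "user": user, "ok": result == "OK"})
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_accounts=10, max_success_rate=0.3):
    """Return {source_ip: finding} for every source that, inside any
    `window`, hit at least `min_accounts` distinct accounts with a success
    rate at or below `max_success_rate` (thresholds are assumptions)."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        recent = deque()          # sliding window of this source's events
        for e in evs:
            recent.append(e)
            while e["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            accounts = {r["user"] for r in recent}
            successes = sum(1 for r in recent if r["ok"])
            rate = successes / len(recent)
            if len(accounts) >= min_accounts and rate <= max_success_rate:
                # Keep the latest (widest) view of the run for this source.
                findings[ip] = {
                    "attempts": len(recent),
                    "distinct_accounts": len(accounts),
                    "success_rate": round(rate, 3),
                    # Accounts that accepted a replayed password: these need
                    # a forced reset, not just the attacker's IP blocked.
                    "compromised": sorted({r["user"] for r in recent if r["ok"]}),
                }
    return findings


if __name__ == "__main__":
    for ip, f in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, f)
```

On the constructed sample only 203.0.113.7 is reported: twelve accounts in six seconds, two of which (dave and mallory) accepted the replayed password and need a forced reset. The user at 198.51.100.9 who fails twice on their own account and then succeeds is left alone. A per-source threshold like this misses runs spread across a proxy pool, so production detection also keys on user-agent, ASN and the global failure rate per account; the point here is the shape of the signal, not the exact numbers.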
The goal of cyberthieves is always to monetize whatever data they find. For example, they can resell the stolen data on the dark web or use it to intercept a financial transaction to get banking information, Rex says. They could also sell access to the website on the dark web or leave ransomware.
Licensed gambling websites are subject to regulation that includes security requirements, but regulation is not a guarantee.
“But anyone is vulnerable,” Rex says. “It’s just a matter of finding some sort of weakness. No organization is bulletproof.”
Users can do their part to protect the personal information of themselves and their companies.
“Good password hygiene is critical,” Rex says. “Don’t reuse passwords.”
So is multifactor authentication when logging in.
“Multifactor authentication is important, but we’ve found employees getting authentication requests and accepting them, even though they didn’t initiate it,” Rex says.
Part of the reason is that some “phishing” attempts are sophisticated enough to convince users that a message is legitimate. “You can’t tell that it’s fake,” she says. An authentication prompt for a login the employee did not start is itself a warning sign: it means someone else already has that employee’s password, and the prompt should be denied and reported rather than approved.
Should an employee suspect that they have been taken in by a phishing attempt, Rex urges them not to ignore it.
“If you’re not sure whether something you clicked on is bad, raise your hand,” she says. “Hopefully, they feel comfortable enough in their company culture to say, ‘Hey, I screwed up’ and go to the IT department.”
The use of DMARC – Domain-based Message Authentication, Reporting and Conformance – is another weapon in a company’s online defenses. It is an email authentication policy built on top of SPF and DKIM: the domain owner publishes a DNS record telling receiving mail servers to quarantine or reject messages that claim to come from the company’s domain but fail those checks, and to send back reports on what they saw. It stops criminals from sending mail as the company’s exact domain; it does nothing against a lookalike domain, so employees still have to look at who a message is really from.
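How a receiving mail server actually applies a DMARC record, as an added example that is not code from the article or from any mail product: the policy record, the domains (example.com, mail.example.com, attacker.test, examp1e.com) and the SPF/DKIM outcomes are all constructed, and the `pct=` and `sp=` tags and Public Suffix List lookup are deliberately left out. The example shows the two things the text relies on: a spoofed From: header fails because the domain that passed SPF is not aligned with it, and a lookalike domain is never checked against the real company’s policy at all.

```python
"""
How a receiving mail server applies a DMARC policy.

Added example, not code from the article. DMARC (RFC 7489) does not inspect
content; it checks that a message passed SPF or DKIM AND that the domain
which passed is aligned with the domain in the visible From: header, then
applies the policy the owner published as a TXT record at _dmarc.<domain>.
The record, domains and results below are constructed; pct= and sp= tags
and Public Suffix List lookups are left out to keep the logic readable.
"""

# Constructed policy for example.com: reject failures, strict DKIM
# alignment, relaxed SPF alignment, send aggregate reports to this address.
EXAMPLE_RECORD = ("v=DMARC1; p=reject; adkim=s; aspf=r; "
                  "rua=mailto:dmarc-reports@example.com")


def parse_dmarc(record):
    """Parse 'tag=value; tag=value' into a dict, filling RFC defaults."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")   # relaxed unless the owner says strict
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    # Simplification: the real rule uses the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict: exact match. Relaxed: same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(record, from_domain, spf_result=None, spf_domain=None,
             dkim_result=None, dkim_domain=None):
    """Return (dmarc_result, action). action is the owner's policy when the
    message fails and 'none' when it passes; a From: domain that publishes
    no record at all yields ('none', 'none'), i.e. DMARC has no say."""
    if record is None:
        return "none", "none"
    tags = parse_dmarc(record)
    spf_ok = (spf_result == "pass" and spf_domain is not None
              and aligned(spf_domain, from_domain, tags["aspf"]))
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(dkim_domain, from_domain, tags["adkim"]))
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", tags["p"]


if __name__ == "__main__":
    # Attacker's server, spoofed From: example.com. SPF passes for the
    # attacker's own bounce domain, but that domain is not aligned.
    print(evaluate(EXAMPLE_RECORD, "example.com",
                   spf_result="pass", spf_domain="attacker.test"))
    # Lookalike domain: the record consulted is the lookalike's, which the
    # attacker controls (or simply omits), so example.com's policy never runs.
    print(evaluate(None, "examp1e.com",
                   spf_result="pass", spf_domain="examp1e.com"))
```

Two practical consequences follow from the alignment rule. Mail forwarded through a third party loses SPF (the forwarder’s server is not in the company’s SPF record) but keeps a valid DKIM signature, which is why both mechanisms are deployed rather than SPF alone. And the strict `adkim=s` in the constructed record makes a signature from mail.example.com fail alignment for a From: of example.com, so a company rolling out DMARC normally starts at `p=none`, reads the `rua` reports to find every legitimate sender, and only then moves to quarantine or reject.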
Cybersecurity, Rex says, should be on the minds of everyone in the office, and not just the IT department.
“We’ve seen fraud happen with messaging apps with large companies,” she says.
With the launch of online sports wagering, now is a good time for employers to impress upon their workers the need to be careful of what they click.
Malware can be in a ‘spoof’ – or counterfeit – ad, Rex says. One click will take you to a website that looks legitimate but isn’t.
Once a person has placed a wager with an online sportsbook, they will be bombarded with ads from other ones, and some of those might be spoof ads rather than ads from legitimate sportsbooks.
Malware can also enter a computer system when a worker opens an attachment. “It could have malware embedded in it that could track keystrokes to gain logins and passwords,” Rex says. “That is why multiple authentication is so important. Multiple passwords help stop fraud by making it more difficult for [cybercriminals] and can also trip some detection tools.”
Cyber crooks have even been known to drop thumb drives with embedded malware in office parking lots in hopes that an employee will find one, bring it to their desk and plug it in.
Rex says a company can boost security by knowing cybercriminals’ tactics.
Email phishing campaigns are often how criminals get a first foothold in a company’s systems. Rex strongly urges all employees never to click a link, open an email or visit a website they don’t trust.
Much like how every natural disaster spawns fraudulent efforts to collect donations, online sports wagering is also seen as a fresh opportunity for cybercriminals. Because it’s new, the public is not as wary and is therefore easier to trick.
“We urge companies to get the best security they can find,” Komar says.
Pictured at top: Sports betting websites are attractive targets for cybercriminals.