The popular online betting platform DraftKings has been targeted by credential-stuffing attacks — allowing cyberthieves to make off with around $300,000 in ill-gotten funds so far.
One of its rivals, FanDuel, also said this week that it’s seen an uptick in account takeover attempts against its customers.
Credential stuffing is a tactic where cybercrooks try to compromise accounts by using lists of username-and-password combinations gleaned from previous breaches, often purchased on the Dark Web. They bank — quite literally — on account holders reusing their email addresses and passwords across multiple accounts, so that a credential phished from, say, a Netflix user will work against higher-value targets like financial or online-gambling accounts.
Starting this weekend, reports on social media began cropping up from DraftKings users, complaining that they had been locked out of their accounts and their funds drained. The company soon confirmed the activity.
“DraftKings is aware that some customers are experiencing irregular activity with their accounts,” Paul Liberman, DraftKings’ co-founder and president for global technology and product, said in a media statement on Monday. “We currently believe that the login information of these customers was compromised on other websites and then used to access their DraftKings accounts where they used the same login information.”
While the number of accounts affected is unknown, the company said that about $300,000 in funds have been drained so far, and that it intends to “make whole any customer that was impacted.”
Cybercriminals Eye World Cup & More
The increased activity could be due to the confluence of the NHL and NBA seasons starting, and the NFL season entering the make it-or-break-it phase before the playoffs — and, of course, the 2022 FIFA World Cup kicking off over the weekend.
“Online gambling sites are attractive targets due to the large amounts of money that are wagered on a daily basis,” Chris Hauk, consumer privacy champion at Pixel Privacy, tells Dark Reading. “Many customers let their winnings ride (don’t cash in when they win) so they have balances they can wager for the next game, match, or other sporting event. This is particularly true now, as the World Cup is now being conducted in Qatar, as soccer matches are attractive to bettors.”
And indeed, DraftKings is not alone in seeing an uptick in attacks; one of its main competitors, FanDuel, told CNBC that it has also seen increased account targeting (though no confirmed compromises so far). Yet amid the increased cybercriminal interest, the success of the DraftKings attackers points out an ongoing issue with user awareness, according to James McQuiggan, security awareness advocate at KnowBe4.
“As many data breaches and attacks have occurred, people still don’t realize the implications of having their bank accounts attached to their gambling accounts. If not protected adequately, they can be subject to theft,” he says. “Most of the time, people don’t think it will happen to them and lack the awareness of the various attacks and lengths that cybercriminals will go to steal their money or identity.”
The stakes are high for online gambling businesses too. “DraftKings and other online betting sites could see their reputations suffer if they are targeted by attacks like this,” Hauk says. “Bettors may lose their faith in the sites as to whether they are secure and can keep their bettors’ balances safe from being drained by bad actors.”
More Robust Multifactor Authentication Is Needed
DraftKings, like most online account providers, offers two-factor authentication for users as an option. But it’s not required.
“DraftKings does not force users to enable two-factor authentication on their accounts,” explains Paul Bischoff, privacy advocate at Comparitech. “The only exception is Connecticut, which requires DraftKings to force-enable two-factor authentication for all accounts geolocated there. I think this is a mistake given how much money is at stake. Hacking accounts with 2FA enabled would require a further attack to acquire the one-time codes, which makes them far less vulnerable.”
Given what’s at stake for the business and its customers, Hauk notes that putting more robust protection options in place for users should be an imperative, starting with requiring, at the very least, 2FA that relies on one-time passwords sent via text or email.
KnowBe4’s McQuiggan notes that there are also mechanisms for encouraging better user choices.
“Companies’ approaches should also [include the ability to] cross-reference passwords against known passwords involved in breaches,” he explains. “If the users are using simple and breached passwords, they should request that the users reset their passwords to unique and secure passwords.”
That said, while these measures could remove some low-hanging fruit, simple 2FA can of course be subverted without too much effort. Thus, researchers note that the proper way to secure accounts would be with FIDO2-approved authentication methods, using non-phishable MFA. But unfortunately, we’re not likely to see that implementation anytime soon, given that it’s often difficult for these types of companies to adequately balance the user experience with security.
“Much of it comes down to risk-based assessments of the risk of an attack versus the costs to implement more robust MFA applications or features,” McQuiggan says. “The gambling sites also want to make it simple for people to log into the platform; if it’s too complex, the users will go elsewhere to play. Most users nowadays are familiar with the SMS code, and while it’s one of the weaker MFA methods, it’s easier for the users to complete account access.”