Thanks to the 2018 Murphy v. NCAA Supreme Court case, sports betting and gambling are legal in 34 states and Washington, D.C. This historic case opened the doors for online sports betting, which has risen dramatically in recent years. New platforms and games are entering the market daily, and research from Data Bridge Market shows that the online sports betting market is expected to reach USD 167.66 billion by 2029. As the industry booms and more and more bets are being placed on more devices, the threat landscape grows exponentially.
A study by SecurityScorecard listed online gambling as being the third most likely industry to experience a cyberattack, directly behind the energy and financial services industries. In 2022, DraftKings experienced a credential stuffing attack during the World Cup that resulted in users being locked out of their accounts and $300,000 being stolen.
It's not difficult to see why the online gambling and sports betting industry is an enticing target for hackers. Vast amounts of money and personal information are being exchanged online every day, so an attack on a sports betting site can be incredibly lucrative. This massive cash intake can be achieved through multiple attack methods — whether bad actors are directly intercepting money through traditional schemes or manipulating the outcomes of various games to ensure the odds are in their favor.
The most common attack vectors in the sports betting industry
It’s essential for sports betting and gambling companies to know what they’re up against so they can establish appropriate defenses for the most common types of attacks. The schemes bad actors use to infiltrate online gambling companies are relatively common in other industries and should sound familiar to security professionals in the sports betting and gambling business. However, if your company lacks a security team, you need to make it a priority to familiarize yourself with these types of attacks so you can prepare a strategy that defends against them.
- Social engineering attacks: This category covers several different attack strategies, including phishing, smishing, and business email compromise (BEC) attacks, among others. In the case of the sports betting and gambling industries, these attacks tend to go one of two ways. In one common example, an attacker will create an email that looks like it’s coming from a reputable sports betting or gambling site and asks the user for account information, personal information, payment info, or some form of direct payment. The victim provides that information thinking they are updating their account, only to have their information and funds stolen; or, worse yet, to have the entire account hijacked by an attacker. In that case, a social engineering attack led to a more severe breach – an account takeover.
In the second scenario, bad actors create a fake gambling website that looks legitimate and then proceed to steal the funds of people who think they are placing a real bet. This can be either a fraudulent website pretending to be legitimate, or an impersonation of a genuine gambling site designed to trick people into thinking they’re on the real site.
- DDoS and website attacks: Distributed denial of service (DDoS) attacks are very common in the gambling industry, especially on big game and sport days. During a DDoS attack, bad actors flood betting websites with traffic to the point of crashing the server. From there, they can infiltrate the system to steal information and funds, or they can slow down a website’s ability to update and/or react to real-time events happening during a game, which in turn can lead to major reputational issues. The cloud platform company Akamai reported that three of the six biggest volumetric DDoS attacks the company has ever recorded took place in 2021, with all three targeting the European gambling industry and a video gaming company in Asia.
- Insider threats: One of the biggest vulnerabilities in any business’ security posture is its employees. Depending on how systems are configured and how tightly a business controls permissions and access to accounts, employees have significant access to private customer information and system controls. As in other industries, disgruntled employees and employees who are ignorant of cybersecurity best practices can pose a threat to your business. In the gambling and sports betting industry, there are also opportunities for employees to carry out larger crimes. Vulnerabilities in the gambling platforms are often exploited when individuals are aiming to commit fraud or launder money. That makes background checks on all employees vital to businesses in the industry.
- Account takeover attacks: Because many of these accounts house funds, hackers may try to leverage credential stuffing and other tactics to take over accounts in an effort to outright steal funds. In 2022, a teenager accessed over 60,000 DraftKings accounts via credential stuffing attacks. BetMGM and FanDuel were also impacted by these account takeover attacks, especially during busy sports seasons.
- Malware and ransomware attacks: Like many other industries, malware and ransomware attacks are common in the sports betting and gambling industry. What’s unique in the online betting industry is that many sports betting sites struggle to secure advertisers, so they venture to less legitimate sources of ad revenue. Bad actors pay a nominal advertising fee to post malicious ads which then prompt victims to download infected code onto their devices. From there, the hackers steal sensitive information or hold it for ransom. Attackers use the same formula to send malicious code through phishing emails, fake websites, and social media.
- Money laundering and fraud in online sports betting: In addition to protecting against traditional cyberattacks, online sports betting and gambling companies need to take precautions to protect against other forms of illegal activity; these include fraud, money laundering, insider trading, and cheating via manipulating the odds of a game. Money laundering, in particular, is becoming a growing trend in the industry. In fact, according to a recent United Nations report, it’s estimated that up to $140 billion is laundered through sports betting each year. This means that companies in the online sports betting and gambling industry need to take extra precautions to monitor transactions and look for unusual patterns that could point to fraudulent activity, as well as enforce strict regulations and comply with law enforcement as they investigate criminal activity on betting platforms.
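The credential-stuffing and account-takeover pattern described in the list above leaves a recognisable trace in authentication logs: one source address trying many different accounts in quick succession, almost all of them failing. The following is an added example, not code from the original post or from SolCyber. It assumes a constructed log format (`<timestamp> login src=<ip> user=<name> result=<ok|fail>`; real platforms log differently), flags a source that tried many distinct accounts with a high failure rate, and lists any account that did log in from that source as an account-takeover candidate worth forcing a password reset and session revocation on.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// AuthEvent is one login attempt parsed from the constructed log format.
type AuthEvent struct {
	Src     string // source address of the attempt
	User    string // account name attempted
	Success bool   // true when result=ok
}

// ParseAuthLine parses "<timestamp> login src=<ip> user=<name> result=<ok|fail>"
// (an assumed format) and reports false for anything that does not match it.
func ParseAuthLine(line string) (AuthEvent, bool) {
	var ev AuthEvent
	fields := strings.Fields(line)
	if len(fields) < 5 || fields[1] != "login" {
		return ev, false
	}
	for _, f := range fields[2:] {
		kv := strings.SplitN(f, "=", 2)
		if len(kv) != 2 {
			continue
		}
		switch kv[0] {
		case "src":
			ev.Src = kv[1]
		case "user":
			ev.User = kv[1]
		case "result":
			ev.Success = kv[1] == "ok"
		}
	}
	if ev.Src == "" || ev.User == "" {
		return ev, false
	}
	return ev, true
}

// sourceStats accumulates attempts seen from one source address.
type sourceStats struct {
	attempts int
	failures int
	users    map[string]bool // distinct accounts tried from this source
	hits     []string        // accounts that logged in successfully from this source
}

// Finding is a source address flagged as a likely credential-stuffing origin.
type Finding struct {
	Src           string
	DistinctUsers int
	FailRate      float64
	ATOCandidates []string // accounts with a success amid the spray: likely taken over
}

// DetectStuffing flags sources that tried at least minUsers distinct accounts with a
// failure rate of at least minFailRate. One user mistyping their own password is not
// flagged: that is one account, not many. Thresholds are assumptions to tune per site.
func DetectStuffing(lines []string, minUsers int, minFailRate float64) []Finding {
	stats := map[string]*sourceStats{}
	for _, line := range lines {
		ev, ok := ParseAuthLine(line)
		if !ok {
			continue // unparseable lines are skipped, not fatal
		}
		s := stats[ev.Src]
		if s == nil {
			s = &sourceStats{users: map[string]bool{}}
			stats[ev.Src] = s
		}
		s.attempts++
		s.users[ev.User] = true
		if ev.Success {
			s.hits = append(s.hits, ev.User)
		} else {
			s.failures++
		}
	}
	var out []Finding
	for src, s := range stats {
		rate := float64(s.failures) / float64(s.attempts)
		if len(s.users) >= minUsers && rate >= minFailRate {
			hits := append([]string(nil), s.hits...)
			sort.Strings(hits)
			out = append(out, Finding{Src: src, DistinctUsers: len(s.users), FailRate: rate, ATOCandidates: hits})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Src < out[j].Src })
	return out
}

// SampleLog is constructed data: one address spraying six accounts in a few seconds
// (one guess lands), one legitimate user who mistyped once, and one junk line.
var SampleLog = []string{
	"2022-11-18T20:01:02Z login src=203.0.113.7 user=alice result=fail",
	"2022-11-18T20:01:02Z login src=203.0.113.7 user=bob result=fail",
	"2022-11-18T20:01:03Z login src=203.0.113.7 user=carol result=ok",
	"2022-11-18T20:01:03Z login src=203.0.113.7 user=dave result=fail",
	"2022-11-18T20:01:04Z login src=203.0.113.7 user=erin result=fail",
	"2022-11-18T20:01:04Z login src=203.0.113.7 user=frank result=fail",
	"2022-11-18T20:05:00Z login src=198.51.100.2 user=grace result=fail",
	"2022-11-18T20:05:10Z login src=198.51.100.2 user=grace result=ok",
	"garbage line that should be ignored",
}

func main() {
	for _, f := range DetectStuffing(SampleLog, 5, 0.6) {
		fmt.Printf("src=%s distinct_users=%d fail_rate=%.2f ato_candidates=%v\n",
			f.Src, f.DistinctUsers, f.FailRate, f.ATOCandidates)
	}
}
```

The sample treats the whole log as one window; a production detector would bucket attempts by time and typically also by network block, since stuffing tools rotate through proxy addresses.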
Regardless of the type of attack, the consequences for a sports betting and gambling company are huge. On average, data breaches cost companies $4.24 million according to the Ponemon Institute, and can lead to significant reputational damage. When a company is handling large sums of users’ money, one breach is enough to make many users walk away and place their bets elsewhere. In addition, there are a number of regulations set by the United States Federal Trade Commission (FTC) and the European Union’s General Data Protection Regulation (GDPR) related to cybersecurity; failure to comply with these regulations could result in significant fines and penalties.
How to protect your sports betting business from attack
Because cyberattacks are on the rise and they can be devastating to an online gambling establishment, it’s essential to take the appropriate precautions to protect your business from a breach. That’s true of companies large and small because adversaries don’t discriminate. They know that small and mid-sized companies might lack the budgets and security teams to assemble a strong defense, so those companies are targeted almost as often as the big players.
Here are a few things online sports betting companies, large and small, can do to protect themselves.
- Conduct regular risk assessments: To defend against attackers, you first need to understand how they might get into your system. Start the process of building up your security posture with a risk assessment, then repeat the assessment annually to ensure your environment remains secure. Because DDoS attacks are so frequent in the industry, it’s essential to find and minimize the points of entry for a bad actor and ensure you have firewalls in place to limit the traffic that can reach your applications.
- Buy cyber insurance: Premiums are high, but well worth the expense, especially when you’re operating in a highly targeted industry. Sports betting companies need cyber insurance as it minimizes the costs associated with a breach and curbs your chances of going out of business should a breach occur.
- Assemble a security tech stack: Regardless of size, ALL businesses need to invest in the cybersecurity basics. This includes email protection, endpoint protection, endpoint detection and response, lateral movement protection, and privilege account abuse detection. It’s essential to have these systems in place to monitor traffic, detect intrusions, and protect against cybercriminals planning fraud or money laundering schemes.
- Web application firewalls (WAF): Though firewalls alone won’t keep your business safe, they are absolutely essential for online gambling companies. They set up a defense system on the perimeter of your network and monitor traffic that comes in. A WAF will generally help protect against some of the more common attack vectors.
- Encryption: Because the industry is handling vast sums of money and personal information, all sensitive data needs to be encrypted. This includes both data at rest (data stored within your systems) and in transit (data transmitted between devices or systems). It’s highly recommended that companies use encryption algorithms like Advanced Encryption Standard (AES) and Transport Layer Security (TLS) to protect the data of users placing bets.
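As an added example of the encryption-at-rest recommendation above (not code from the post or from SolCyber), here is a sensitive bettor record sealed with AES-256-GCM using only Go's standard library. The key is generated inline to keep the example self-contained; in practice it would come from a key management service and never sit beside the data. The record ID is bound as associated data, and the self-check shows that a ciphertext moved onto another record, or altered by a single bit, is rejected rather than silently decrypted to garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewDataKey returns a fresh 256-bit AES key. Generating it here is an
// assumption for the example; production keys come from a KMS or HSM.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptRecord seals plaintext with AES-256-GCM. The record ID is bound as
// associated data so a ciphertext copied from one row onto another will not
// decrypt. Output layout: nonce || ciphertext || tag.
func EncryptRecord(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	// A fresh random nonce per record: reusing one under the same key breaks GCM.
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// DecryptRecord reverses EncryptRecord and fails closed on tampering, a wrong
// key, or a mismatched record ID.
func DecryptRecord(key []byte, recordID string, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(recordID))
}

// SelfCheck exercises the three properties that matter for data at rest: the
// round trip works, a ciphertext moved to another record fails, and a single
// flipped bit fails. It returns true only if all three hold.
func SelfCheck() (bool, error) {
	key, err := NewDataKey()
	if err != nil {
		return false, err
	}
	// Constructed sample: payment details as they would be stored for a bettor.
	plain := []byte(`{"card_last4":"4242","iban":"EXAMPLE-IBAN"}`)
	sealed, err := EncryptRecord(key, "bettor:1001", plain)
	if err != nil {
		return false, err
	}
	got, err := DecryptRecord(key, "bettor:1001", sealed)
	if err != nil || string(got) != string(plain) {
		return false, errors.New("round trip failed")
	}
	if _, err := DecryptRecord(key, "bettor:2002", sealed); err == nil {
		return false, errors.New("ciphertext accepted under the wrong record ID")
	}
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the authentication tag
	if _, err := DecryptRecord(key, "bettor:1001", tampered); err == nil {
		return false, errors.New("tampered ciphertext accepted")
	}
	return true, nil
}

func main() {
	ok, err := SelfCheck()
	fmt.Println("all checks passed:", ok, "err:", err)
}
```

TLS covers the same data in transit and needs no application code beyond enabling it on the listener with a modern configuration; the point of the example is that encryption at rest must be authenticated encryption, keyed from outside the database, with the ciphertext tied to the record it belongs to.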
- Write an incident response plan: When it comes to a cyberattack on an online gambling site, it’s not a matter of if, but when. That means you need to be prepared before the criminals strike. An incident response plan dictates what needs to be done in the event of a breach and who is responsible for each task. Perhaps the most important step in an incident response plan is to immediately report any fraudulent or potentially criminal behavior to the authorities. Law enforcement can help you stop and mitigate criminal activity, but it also protects you from being accused of allowing fraudulent behavior on your site.
- Regularly patch software: Over time, vulnerabilities will be found in your software, which makes it vital to be diligent about updating and patching your systems. Though that task is often on the radar of IT teams, heavy workloads and remote work can make keeping up a challenge. But, if you want your software to continue working, ongoing maintenance is necessary.
- Schedule regular cybersecurity training for employees: Most security breaches are the result of human error, so even the best technology won’t completely protect a business. Cybersecurity training should be hosted on a regular basis and cover common scams. Due to the high volume of criminal activity in the sports betting and gambling industry, it’s also important that your employees understand how to spot patterns that indicate fraudulent or criminal behavior is occurring.
All of this may seem like a lot, but it’s easily managed with the right partner. Outsourcing your security efforts to an outside vendor can be the safest and most economical way to protect your business. When looking for a partner, make sure they provide 24/7 monitoring and response services as well as all the necessary tools and technology to secure your organization.
While it’s rare to find such a partner, SolCyber is up to the challenge. Our Foundational Coverage offers a full security program that ensures small to mid-sized businesses have everything they need and nothing they don’t. We can also get you up and running in days.
Ready to become cyber resilient? Reach out to SolCyber, the experts in cybersecurity, to see how we can help.