US online gambling sites hit hard by credential stuffing fraud


Fraud issues have been sweeping through multiple US online gambling sites in the past few weeks, raising questions about whether or not the security around account information is sufficient.

DraftKings acknowledged the issue on Twitter yesterday, posting the following statement to its news account:

Fraud scam involves credential stuffing on sportsbook sites

“DraftKings is aware that some customers are experiencing irregular activity with their accounts. We currently believe that the login information of these customers was compromised on other sites and then used to access their DraftKings accounts, where they used the same login information,” the statement read in part. DraftKings’ Paul Liberman also assured full restitution for the affected customers, who lost around $300,000 to fraudulent transactions.

FanDuel Sportsbook issued a similar statement to customers in an email Monday, advising:

“In light of recent reports of a hack impacting some other sports betting websites, we are reaching out to remind our customers about the importance of good cybersecurity hygiene.”

The basic mechanics of the fraud scheme appear to be “credential stuffing”: the hackers buy a database of usernames and passwords leaked from other sites, then run those combinations against sports betting and online casino sites to see which ones log in successfully. Once in, the scammers changed the bank account information on file so that withdrawals went to a different account, and changed the phone number and/or email on the account to lock the actual user out.
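What distinguishes credential stuffing from ordinary password guessing in an operator's authentication logs is the shape of the traffic: one source tries many different usernames, roughly once each, and most attempts fail. The detector below, an added example that is not from the article or any of the operators named in it, runs over a constructed sample of login log lines (the line format, IP addresses, usernames and thresholds are all assumptions) and reports the source addresses whose burst matches that shape, together with the accounts that accepted a password during the burst, which are the ones a fraud team would force through a password reset and step-up verification.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (not real traffic). Assumed line format:
# "<ISO timestamp> src=<ip> user=<username> result=<ok|fail>"
# 203.0.113.7 walks a list of different usernames once each (stuffing pattern);
# 198.51.100.20 retries one username, which is a different problem (brute force).
SAMPLE_LOG = """\
2022-11-21T10:00:01 src=203.0.113.7 user=alice result=fail
2022-11-21T10:00:02 src=203.0.113.7 user=bob result=fail
2022-11-21T10:00:02 src=203.0.113.7 user=carol result=ok
2022-11-21T10:00:03 src=203.0.113.7 user=dave result=fail
2022-11-21T10:00:04 src=203.0.113.7 user=erin result=fail
2022-11-21T10:00:05 src=203.0.113.7 user=frank result=fail
2022-11-21T10:00:06 src=203.0.113.7 user=grace result=ok
2022-11-21T10:00:07 src=203.0.113.7 user=heidi result=fail
2022-11-21T10:00:30 src=198.51.100.20 user=ivan result=fail
2022-11-21T10:00:45 src=198.51.100.20 user=ivan result=fail
2022-11-21T10:01:10 src=198.51.100.20 user=ivan result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse_line(line):
    """Parse one log line into (timestamp, ip, user, success); None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["ip"], m["user"], m["result"] == "ok"


class StuffingDetector:
    """Sliding-window detector keyed on source IP. Thresholds are assumed values."""

    def __init__(self, window=timedelta(minutes=5), min_attempts=6,
                 min_distinct_users=5, min_fail_ratio=0.6):
        self.window = window
        self.min_attempts = min_attempts
        self.min_distinct_users = min_distinct_users
        self.min_fail_ratio = min_fail_ratio
        self.events = defaultdict(deque)  # ip -> (ts, user, success) tuples inside the window
        self.alerts = {}                  # ip -> most recent alert for that ip

    def observe(self, ts, ip, user, success):
        q = self.events[ip]
        q.append((ts, user, success))
        # Drop events that have fallen out of the window.
        while q and ts - q[0][0] > self.window:
            q.popleft()
        attempts = len(q)
        distinct_users = len({u for _, u, _ in q})
        fail_ratio = sum(1 for _, _, ok in q if not ok) / attempts
        # Many distinct usernames plus a high failure rate is the stuffing signature;
        # a single username retried many times would not clear min_distinct_users.
        if (attempts >= self.min_attempts
                and distinct_users >= self.min_distinct_users
                and fail_ratio >= self.min_fail_ratio):
            self.alerts[ip] = {
                "ip": ip,
                "attempts": attempts,
                "distinct_users": distinct_users,
                "fail_ratio": round(fail_ratio, 2),
                # Accounts that accepted a password inside the burst: treat as compromised
                # and queue for forced reset plus step-up verification.
                "compromised": sorted(u for _, u, ok in q if ok),
            }


def detect(log_text, **thresholds):
    """Run the detector over a block of log text and return the alerts it produced."""
    det = StuffingDetector(**thresholds)
    for line in log_text.splitlines():
        event = parse_line(line)
        if event:
            det.observe(*event)
    return list(det.alerts.values())


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The detector keys on the source address only for clarity; in production the same window logic would also be run per ASN or per device fingerprint, since stuffing tools spread attempts across proxies, and the "compromised" list is the actionable output regardless of which key fired.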

Poker players’ bank accounts compromised in BetMGM scam as well

The DraftKings statement comes just days after ESPN covered fraud issues poker players were experiencing on BetMGM. Essentially, scammers were creating new accounts in these players’ names. Once they passed the KYC portion of the account setup, they were able to access stored bank account information on Global Payment Solutions’ VIP Preferred program. VIP Preferred users were able to store bank account details once, then access them across several different sites, including

Once the accounts were set up, the scammers would deposit using that stored bank account information, then change the bank account information and withdraw those funds to a different account.

Poker player Phil Galfond posted some of the communication from Global Payment Solutions when he reached out to close his account:

SBC Americas reached out to Global Payment Solutions for comment. The company issued the following statement:

“Our gaming business has been assisting law enforcement with an investigation into fraudulent accounts set up at unaffiliated third parties using stolen personal information. There has been no security breach or fraudulent accounts opened at our gaming business in connection with this investigation. The protection of our customers and their clients’ information and funds is our top priority. We have been working closely with these third parties to ensure all impacted individuals receive refunds.”

2FA an important means of account protection and fraud prevention

MIRACL Co-founder and CEO Rob Griffin spoke with SBC Americas about how this fraud took place and what steps can be done to avoid account breaches in the future. MIRACL is a multi-factor authentication company focused on consumer applications that is pushing for the expansion of that technology across regulated markets.

New Jersey already mandates that online gambling operators require two-factor authentication for all accounts. Ontario has similar mandates in place. Outside those markets, though, US operators generally leave it to the customers to decide whether they want the added layer of protection.

“This story serves as another example of the downfall of optional MFA. With credential stuffing attacks on the rise, it’s absolutely essential that MFA is mandated across the board, and fast. The fact of the matter is, if the victims had enabled MFA, this would not have happened,” Griffin stated.

He is correct that a large share of the fraud occurred on accounts without two-factor authentication. Moreover, Griffin noted that the scammers actually weaponized multi-factor authentication against the victim by enabling it with their own phone number, locking the customer out of their account. This gave the scammer more time to process financial transactions.

Even text-based 2FA is fallible

However, some users who had two-factor authentication enabled have noted on social media that their accounts were still compromised. Griffin explained this is possible through a couple of different means. In one, the hacker sends the victim a fake text message asking them to enter a code for something like a bonus, triggers the site to send a genuine 2FA code, and the victim inadvertently passes that code along.

Another, more complex form of fraud involves the hacker contacting the phone company and reporting that the SIM card on the victim’s phone has been compromised, so that the victim’s text messages are moved over to a different phone. While this level of fraud is complicated and more time-consuming than others, Griffin said the end result can often be very lucrative.

Even the relatively simple scam of credential stuffing can offer big returns for the perpetrator. Griffin said 100,000 usernames and passwords of reasonably high quality can go for as little as $1,000 on the dark web. These lists generally have a 0.5-1% success rate, with $50-$200 to be made off each account. At those rates, that is a $150,000 profit on a very small investment.

How should online gambling sites respond?

With this round of fraud outsmarting some instances of two-factor authentication, what can be done to beef up security while maintaining the ease of use customers want out of their gambling apps? Griffin thinks the answer is in changing what factors are used to authenticate a customer account. For example, instead of a code that can be easily compromised and stolen, one factor can be something like a specific device approved by the customer as the only device (or devices) cleared to access an account.
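The two controls the article points at are an enrolled-device factor (Griffin's suggestion above) and a cooling-off period on the changes the scammers made before cashing out: a new payout bank account and a swapped email, phone or 2FA number. The policy check below is an added example, not code from any operator or from MIRACL; the account model, the 72-hour hold and the scenario data are assumptions. It evaluates a withdrawal request against the account's recent history and returns allow, hold or deny, so a takeover that reaches the withdrawal step is stopped or slowed rather than paid out.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Assumed cooling-off period after a payout-account or contact-detail change.
HOLD_AFTER_CHANGE = timedelta(hours=72)


@dataclass
class Account:
    user: str
    approved_devices: Set[str] = field(default_factory=set)          # devices the customer enrolled
    payout_accounts: Dict[str, datetime] = field(default_factory=dict)  # bank token -> time added
    contact_changed_at: Optional[datetime] = None                    # last email/phone/2FA change
    previous_contact: Optional[str] = None                           # where to confirm out-of-band


@dataclass
class WithdrawalRequest:
    user: str
    device_id: str
    payout_account: str
    amount: float
    at: datetime


def evaluate_withdrawal(acct: Account, req: WithdrawalRequest) -> Tuple[str, List[str]]:
    """Return ('allow' | 'hold' | 'deny', reasons) for a withdrawal request."""
    reasons: List[str] = []

    # Device is the second factor: a valid password from a device the customer never
    # enrolled does not get to move money at all.
    if req.device_id not in acct.approved_devices:
        return "deny", ["device not enrolled for this account"]

    added = acct.payout_accounts.get(req.payout_account)
    if added is None:
        return "deny", ["payout account not on file"]

    # A freshly added bank account is exactly what the takeover pattern adds first.
    if req.at - added < HOLD_AFTER_CHANGE:
        reasons.append("payout account added within the hold window")

    # A recent email/phone/2FA change means the current contact may belong to the
    # attacker; confirm with the contact that was on file before the change.
    if acct.contact_changed_at and req.at - acct.contact_changed_at < HOLD_AFTER_CHANGE:
        reasons.append(
            f"contact details changed within the hold window; confirm via {acct.previous_contact}"
        )

    return ("hold" if reasons else "allow"), reasons


def demo() -> Dict[str, Tuple[str, List[str]]]:
    """Constructed scenarios mirroring the article's takeover pattern and a normal withdrawal."""
    now = datetime(2022, 11, 21, 12, 0)

    # Account showing the takeover pattern: new bank account and contact change hours ago.
    taken_over = Account(
        user="carol",
        approved_devices={"phone-abc123"},
        payout_accounts={"bank-old": now - timedelta(days=400),
                         "bank-new": now - timedelta(hours=2)},
        contact_changed_at=now - timedelta(hours=1),
        previous_contact="carol@example.com",
    )
    # Account with no recent sensitive changes.
    quiet = Account(
        user="dave",
        approved_devices={"tablet-xyz789"},
        payout_accounts={"bank-main": now - timedelta(days=90)},
    )

    return {
        # stuffed password, but from a device the customer never enrolled
        "unknown_device": evaluate_withdrawal(
            taken_over, WithdrawalRequest("carol", "laptop-unknown", "bank-new", 900.0, now)),
        # enrolled device, but the payout destination and contact were just changed
        "recent_changes": evaluate_withdrawal(
            taken_over, WithdrawalRequest("carol", "phone-abc123", "bank-new", 900.0, now)),
        # ordinary withdrawal: enrolled device, long-standing bank account, no changes
        "normal": evaluate_withdrawal(
            quiet, WithdrawalRequest("dave", "tablet-xyz789", "bank-main", 50.0, now)),
    }


if __name__ == "__main__":
    for name, (decision, why) in demo().items():
        print(f"{name}: {decision} {why}")
```

Notifying the previous contact rather than the current one is the detail that matters: once the attacker has swapped the phone number and enabled 2FA on it, any confirmation sent to the current contact goes straight to them.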

While the bulk of two-factor authentication remains text message-based, customers should still change their passwords, avoid reusing the same password across multiple accounts, and enable two-factor authentication on their accounts.