How a new breed of hack compromised 2,500 gambling sites at once
Last year, visitors to a wide range of gambling sites started reporting unusual behavior. Strange text windows would pop up, offering users special access codes for third-party gambling sites. Links would appear with new affiliate tags, an almost unnoticeable difference that could still prove wildly lucrative for whoever got paid for the new referrals. The sites’ visitors were being hacked, but webmasters couldn’t figure out where the new scripts were coming from.
"We very carefully monitored the traffic coming from our servers because we take that sort of situation extremely seriously," says Michael Corfman, executive director of the Gambling Professional Webmasters Association, the organization targeted by the attack. "The monitoring we’d done had never shown any issue, which was quite puzzling."
But the attack wasn’t happening on Corfman’s servers. It was happening on the network itself, using a complex new attack designed to attract as little attention as possible while reaching extremely far. Traffic bound for a gambling association’s homepage was being rerouted to a Romanian dummy site, which was inserting the ads and affiliate codes on the fly.
Now, new details of the attack are surfacing thanks to work by security researchers Gaby Nakibly, Jaime Schcolnik and Yossi Rubin, which will be presented at the Black Hat conference next month. The redirecting site has since been taken down and research indicates GPWA sites haven't been affected for months, but the methods involved still offer a tempting puzzle for researchers. The center of the attack was GPWA.org, the website of the Gaming Professional Webmasters’ Association — but according to Nakibly’s research, the attack wasn’t focused on the website itself. The GPWA also runs a website certification service, loading a certification badge onto 2,476 different affiliated sites — typically gaming portals like PokerListings.com and penny-slot-machines.com. Those badges were loaded directly from GPWA.org, which meant a single interception attack could compromise visitors from all 2,476 sites at once.
According to Corfman, the result was a simple ad injection, with a touch of affiliate fraud. Along with the pop-up text windows, the attackers’ JavaScript was also adding an affiliate tag to the end of every product link on the page, entitling them to a small kickback every time they sent a paying customer to a store like Amazon. Affiliate systems are everywhere, and replacing the links in transit is a common scam; punishment is usually more a matter of being kicked off an app store than thrown in jail. Still, Corfman was surprised to see such a sophisticated attack turned to such a simple end, especially given that the attackers could have delivered any payload they wanted. "We were seeing a number of attacks that didn’t seem to make any economic sense to us," Corfman says. "Maybe there was a little bit of affiliate revenue, but not enough to justify all of that."
To load a page, a web browser’s request has to travel through half a dozen different networks, from the local ISP to intermediary backbone carriers before finally reaching the hosting network and the server where the website is stored. But somewhere along the way, requests to GPWA.org were being split off, sending a duplicate request to a server controlled by the attackers. In response to a single request, users got back two packets of data: one from GPWA.org and one from a more sinister site located at QPWA.org, registered to a false name in Romania. Both packets came routed through the same networks, and in most cases, the phony QPWA.org packet would arrive first. Faced with two responses to the same request, the browser would drop whichever arrived later — usually the GPWA packet.
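The race described above, as an added example that is not from the article or the researchers' work: a small Python model of why the first copy to arrive is the one the client keeps, and detection logic over a constructed capture that flags two server segments overlapping in sequence space but carrying different bytes (addresses and the injector hostname are placeholders, and TTL is used only as corroborating evidence of a second sender).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    """Server-to-client TCP segment as a capture tool would record it."""
    src: str        # server ip:port
    dst: str        # client ip:port
    seq: int        # TCP sequence number of the first payload byte
    ttl: int        # IP TTL observed at the client
    payload: bytes

def client_view(segments):
    """Model receiver reassembly: the first segment to deliver a sequence byte wins."""
    stream = {}
    for seg in segments:
        for i, byte in enumerate(seg.payload):
            stream.setdefault(seg.seq + i, byte)   # later copies look like retransmits
    return bytes(stream[k] for k in sorted(stream))

def find_injections(segments):
    """Flag same-flow segments that overlap in sequence space with different bytes.
    A genuine retransmission repeats its payload; a raced-in forgery does not."""
    flows, alerts = {}, []
    for seg in segments:
        flow = (seg.src, seg.dst)
        for prior in flows.setdefault(flow, []):
            lo = max(prior.seq, seg.seq)
            hi = min(prior.seq + len(prior.payload), seg.seq + len(seg.payload))
            if lo >= hi:
                continue                        # no overlap: an ordinary next segment
            a = prior.payload[lo - prior.seq:hi - prior.seq]
            b = seg.payload[lo - seg.seq:hi - seg.seq]
            if a != b:
                alerts.append({"flow": flow, "seq_range": (lo, hi),
                               "ttl_differs": prior.ttl != seg.ttl})
        flows[flow].append(seg)
    return alerts

# Constructed sample capture (not real traffic): forged reply arrives first,
# the genuine reply second, then a benign retransmission of the genuine one.
CLIENT, SERVER = "192.0.2.10:51000", "198.51.100.5:80"
FORGED = Segment(SERVER, CLIENT, 1000, 57,
                 b"HTTP/1.1 200 OK\r\nContent-Type: text/javascript\r\n\r\n"
                 b"document.write('<script src=//injector.invalid/ad.js>')")
GENUINE = Segment(SERVER, CLIENT, 1000, 52,
                  b"HTTP/1.1 200 OK\r\nContent-Type: text/javascript\r\n\r\n"
                  b"/* certification badge script */")
RETRANSMIT = Segment(SERVER, CLIENT, 1000, 52, GENUINE.payload)
CAPTURE = [FORGED, GENUINE, RETRANSMIT]
```

Run `find_injections(CAPTURE)` to see the two conflicting overlaps with the forged segment reported, while `client_view(CAPTURE)` shows the browser ends up executing the forged bytes.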