Play the player

According to Israeli security company Security Joes, the gambling sector has been the victim of a series of cyber attacks that started in September. Since then, the company has tracked the attacks under the codename: “IceBreaker APT.”

made the company reps hack themselves

In poker, there is a time-sanded platitude that one must “play the player, not the cards.” The black hats have taken this approach in this instance, targeting the company’s human wetware instead of using a technology-based approach. To avoid pitting their software against the gaming companies’ digital defenses, the hackers contacted customer service directly and made the company reps hack themselves.

“The threat actor was well aware of the fact that the customer service is human-operated,” Security Joes explained.

How the attacks work

During the attack, the hackers posed as customers and contacted customer service agents at the target iGaming sites. While on the phone or in the live chat, the hacker sent the agents “screenshots” of the problem, either by chat or via Dropbox.

installed a backdoor on the agents’ computers

When the agents opened the download, instead of bringing up an image, the file installed a backdoor on the agents’ computers. The download contains two payloads. The first is an LNK file that installs a piece of software called IceBreaker Backdoor, a totally new piece of malware. The second payload acts as a backup and contains a much older Trojan horse called Houdini RAT.

Once installed, the hackers can steal cookies and login info, take screenshots, install plugins that provide greater access to the system, and copy files from the target’s servers.

Finding the hackers

Security Joes is tracking these black hats using methods that range from reverse engineering Icebreaker Backdoor’s code to analyzing the quirks of the hackers’ English in the customer service chat. For example, previous hackers have been identified as Russian because they used the Russian word “sever” in place of the English “server.”

The codename IceBreaker plays on two breakdowns of the acronym ICE. In the world of cyberpunk fiction, ICE stands for Intruder Countermeasures Electronics—cybersecurity programs that protect servers from hackers. In the gambling industry, ICE is the International Casinos Exhibition, a major industry convention.

The Security Joes team reported the first IceBreaker attacks in the run-up to the 2023 ICE London event which is now underway.

The name might be a light-hearted pun, but the threat is real enough and iGaming companies will need to find a way to raise the stakes if they want to make the IceBreaker hackers throw away their hand.