Cyberattacks have become one of the most severe threats to online casinos in recent years. According to Worldmetrics, in 2023, 70% of online casinos suffered from cyberattacks, making this industry the third most targeted among cybercriminals.
Of these, 85% of casinos experienced Distributed Denial-of-Service attacks. The average cost of a cybersecurity incident for a casino reaches $5.5m, with total losses from cybercrime estimated at $50bn annually.
With this in mind, Evgeny Zaretskov, Group Chief Information Security Officer at SOFTSWISS, which serves over 1,000 brands worldwide, elaborated on how the company pays special attention to cybersecurity issues.
“We structure our development process to ensure that various security measures and regular audits are conducted at every stage of the product lifecycle,” he comments. “Additionally, our specialists assist operators in maintaining robust cybersecurity practices.”
SOFTSWISS experts believe that the majority of cybersecurity measures are not rocket science. They suggest that even simple tools like CAPTCHA can significantly increase the level of protection against automated attacks.
However, ensuring comprehensive security requires implementing a range of measures that will help reduce risks and protect online casinos from many multimillion-dollar losses.
Deputy CSO Artem Bychkov and Head of Infrastructure Security Pavlo Bairachnyi spoke to CasinoBeats to detail the most common threats faced by online casinos, as well as practical solutions to prevent them.
Fraud: impacting finances directly
According to SOFTSWISS, one of the attacks most specific to the igaming industry is the direct theft of casino funds, with 90% of all fraud cases involving bonus abuse, identity theft, and document forgery.
“To manipulate the internal bonus system and illegally credit free spins, attackers use fake registrations, attempting to imitate regular user activity by creating multiple fake accounts,” notes Bychkov.
“Affiliates can also use this method of fake registrations to receive unjustified rewards for attracting ‘virtual’ clients.”
The online casino software provider then identified a series of measures companies can take to protect their projects. These include:
– Creating a clear and transparent bonus system.
– Delaying referral bonuses until the first deposit.
– Implementing software to detect bots, abnormal behaviour and multi-accounting tools.
– Administering tools for real-time risk assessment.
The SOFTSWISS Anti-fraud team recently implemented a risk assessment tool to identify potential issues in real time, taking proactive measures to provide a safer gaming experience. This approach saved operators €6m in the first half of 2024.
Account protection: building the first line of defence
The second type of attack identified by the group involves manipulating account credentials. One of the most common threats, SOFTSWISS says, is a brute force attack, in which attackers attempt to guess passwords to log into user accounts and withdraw money.
“Attackers use emails and passwords from large-scale data leaks. Unfortunately, users often reuse the same credentials across many services, which is precisely what attackers target,” explains Bairachnyi.
The worst data breaches of 2024 worldwide have already surpassed at least one billion stolen records. Armed with vast amounts of personal data, attackers rely on automated methods to find the correct email and password combination to access accounts.
To best safeguard its partners’ businesses, SOFTSWISS identified the following practices:
– Implement rate limits on login attempts.
– Require confirmation via one-time passwords.
– Lock accounts after several unsuccessful login attempts and provide recovery options through secure procedures.
In addition, a further type of attack is Account Enumeration, which is aimed at forming a casino customer base and monetising it in the future.
“In this case, attackers use email databases from the same large-scale breaches,” says Bairachnyi.
“They input credentials into a casino’s login or registration forms and analyse error messages they receive. For example, the errors ‘account does not exist’ and ‘password is incorrect’ show which accounts are registered on this platform and which are not.”
In order to best shield projects, SOFTSWISS suggests that organisations optimise their internal logic to return the same error message for every client information request, regardless of whether the account exists, and, as a technical restriction, apply rate limits and CAPTCHA to bulk requests.
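The login-hardening practices above (rate limits, lockout after repeated failures) and the enumeration advice (one generic error for known and unknown accounts) can be combined in a single login handler. The following is an added illustration, not SOFTSWISS code; the user store, salt, thresholds and the helper names are constructed for the example.

```python
import hashlib
import hmac
import time
from collections import defaultdict

# Constructed sample user store for this example: email -> (salt, PBKDF2 hash)
def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = b"constructed-example-salt"
USERS = {"alice@example.com": (_SALT, _hash("correct horse", _SALT))}
# Dummy hash used for unknown emails so that response time does not reveal
# whether an account exists (the timing counterpart of the uniform message)
_DUMMY = _hash("placeholder", _SALT)

MAX_ATTEMPTS = 5          # failures tolerated per client IP and per account
WINDOW = 600              # sliding window in seconds
GENERIC_ERROR = "Invalid email or password"

_attempts = defaultdict(list)   # (kind, key) -> timestamps of failed attempts

def _too_many(key, now):
    recent = [t for t in _attempts[key] if now - t < WINDOW]
    _attempts[key] = recent
    return len(recent) >= MAX_ATTEMPTS

def _record_failure(key, now):
    _attempts[key].append(now)

def login(email, password, client_ip, now=None):
    """Return (ok, message). Every failure path yields the same message."""
    now = time.time() if now is None else now
    # Rate limit per client IP and lock per account before doing any work.
    # The lock is keyed on the submitted email even when no such account
    # exists, and it returns the generic message, otherwise "account locked"
    # would itself confirm which emails are registered.
    if _too_many(("ip", client_ip), now) or _too_many(("acct", email), now):
        return False, GENERIC_ERROR
    record = USERS.get(email)
    salt, stored = record if record else (_SALT, _DUMMY)
    # Always hash and compare, so known and unknown emails cost the same time
    candidate = _hash(password, salt)
    ok = hmac.compare_digest(candidate, stored) and record is not None
    if not ok:
        _record_failure(("ip", client_ip), now)
        _record_failure(("acct", email), now)
        return False, GENERIC_ERROR
    return True, "ok"
```

Because the account lock is keyed on the submitted email and answered with the generic message, a bulk probe of leaked addresses sees identical responses whether or not the address is registered.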
DDoS attacks: paralysing websites
“A DDoS attack is the simplest and cheapest type,” notes Artem Bychkov. “Attackers may act in the interest of competing casinos or demand a ransom from the website owners to restore its functionality.
“Attackers generate a huge amount of network traffic directed at the casino’s server. As a result, the server’s internet bandwidth or network interface is overloaded, and the server is unable to fully process legitimate traffic.”
SOFTSWISS identified a range of solutions for protecting projects against this type of attack. These include:
– Using cloud-based protection solutions like Cloudflare, Imperva, Fastly, etc.
– Hiding the server’s external IP address.
– Changing the server’s external IP address if it has already been exposed online. This can be identified through services like DNS history, Shodan, and Censys.
– Implementing an access control list to allow only legitimate traffic from cloud protection systems.
– Being prepared to quickly switch the server’s IP address in case of an attack.
Sharing his experience, Bairachnyi continued: “You should be cautious with local DDoS protection solutions.
“Unfortunately, the volume of traffic that attackers can generate can be so large that local solutions will not cope, or your internet channel will be overloaded, making your local solution useless.”
A further type of DDoS attack identified by SOFTSWISS targets applications directly, overwhelming the server with a huge number of requests that simulate regular user traffic.
SOFTSWISS noted that a Web Application Firewall, preferably cloud-based and able to deploy CAPTCHA, can help mitigate these attacks.
“We strongly recommend that all our clients use CAPTCHA, and our software makes it as easy as ticking a checkbox,” advises Bychkov.
“However, not everyone chooses this option because it adds an extra step for the player, who may not want to go through it.
“Ultimately, each operator must decide which risk is bigger: a possible player leaving because of this step or a potentially devastating cyberattack.”
However, CAPTCHA is only the first step in the fight against application-level DDoS attacks.
“There are several measures that can reduce the attack’s impact: rate limits, optimisation of web service settings, rapid scalability of computing resources, and algorithms to detect and block attacks based on certain patterns,” Bairachnyi concludes.
“In extreme cases, different types of CAPTCHA can be used for all traffic during an attack. However, you should not rely entirely on methods like JavaScript challenges, which help distinguish between legitimate users and bots, as attackers can bypass them.”
Cyber threats will continue to evolve, but with the right approach and protective measures, operators can stay ahead of attackers and secure their platforms.