Fraudulent gambling network may actually be something more nefarious

A sprawling infrastructure that has been bilking unsuspecting people through fraudulent gambling websites for 14 years is likely a dual operation run by a nation-state-sponsored group that is targeting government and private-industry organizations in the US and Europe, researchers said Wednesday.

Researchers have previously tracked smaller pieces of the enormous infrastructure. Last month, security firm Sucuri reported that the operation seeks out and compromises poorly configured websites running the WordPress CMS. Imperva in January said the attackers also scan for and exploit web apps built with the PHP programming language that have existing webshells or vulnerabilities. Once the weaknesses are exploited, the attackers install a GSocket, a backdoor that the attackers use to compromise servers and host gambling web content on them.

All of the gambling sites target Indonesian-speaking visitors. Because Indonesian law prohibits gambling, many people in that country are drawn to illicit services. Most of the 236,433 attacker-owned domains hosting the gambling sites are hosted on Cloudflare. Most of the 1,481 hijacked subdomains were hosted on Amazon Web Services, Azure, and GitHub.

No “quickhit” gambling scam here

On Wednesday, researchers from security firm Malanta said those details are only the most visible signs of a malicious network that’s actually much bigger and more complex than previously known. Far from being solely a financially motivated operation, the firm said, the network likely serves nation-state hackers targeting a wide range of organizations, including those in manufacturing, transport, healthcare, government, and education.

The basis for the speculation is the tremendous amount of time and resources that have gone into creating and maintaining the infrastructure over 14 years. The resources include 328,000 separate domains, which comprise 236,000 addresses that the attackers bought and 90,000 that they commandeered by compromising legitimate websites. It’s also made up of nearly 1,500 hijacked subdomains from legitimate organizations. Malanta estimates that such infrastructure costs anywhere from $725,000 to $17 million per year to fund.