Digital Bandits

In September, police announced the arrest of a teenager in connection with the infamous 2023 cyberattacks on Las Vegas Strip operators MGM Resorts International and Caesars Entertainment. The unidentified juvenile joined four others previously indicted in connection with the attacks, which wreaked havoc on MGM’s Strip property operations and threatened to release private information of Caesars’ loyalty club members.
By all accounts, the cyberattack on the Strip’s two central operators—ransomware attacks ultimately resolved by ransom payment to the bandits—was disturbingly simple in origin. Someone allegedly found an MGM Grand employee on LinkedIn and impersonated them, calling the company IT department to ask for a password reset.
Once the reset was granted, the hacker had access to MGM’s internal systems in 10 minutes, according to one report. Guests at MGM Grand suddenly found their room key cards disabled. Reservation desk computers froze, meanwhile, bringing check-in and check-out operations to a grinding halt.
While perhaps the most severe, the Strip attacks are far from isolated. Reports of phishing (emails and texts impersonating executives), vishing (“voice phishing,” using AI to replicate the voice of an official on the phone) and even videos that use AI to simulate the image and voice of an executive are increasingly frequent and have led to losses in the millions.
The Threats
Cybersecurity is no longer an optional extra for casino operations. It is now vital to a secure operation. A few key vendors are fighting back with software solutions, training and advice for operators.
“We see the largest threat to gaming operators today originating from the corporate side,” says Gus Fritschie, senior vice president of information security services for Bulletproof, a subsidiary of Gaming Laboratories International.
“There are regulations in almost every jurisdiction requiring the game platform to be tested, but there are no requirements over operator and supplier corporate networks. For example, some important questions are: How are supply chains being protected? What about malicious insiders? Is it likely that a game development network could be compromised by a malicious actor? These are not hypothetical concerns—they are real risks that must be actively assessed and mitigated through deliberate, layered protections.”
Marzia Turrini, president, iGaming & cybersecurity for BMM Testlabs and BIG Cyber, the dedicated cybersecurity division of BMM Innovation Group, says cyberattacks are increasing. “Right now, the biggest threats are things like ransomware, phishing scams, employee errors or mistakes, and attacks on payment and cloud systems,” Turrini says. “As gaming becomes more digital, attackers have more ways to try to break in.”

“In my opinion and from our customer feedback, phishing, social engineering and credential theft remain among the biggest cyber concerns facing casino operators, because they exploit human behavior,” says Lauren Melcher, senior sector manager, casinos & gaming for Vector Solutions. “These attacks often require only a single employee interaction to succeed, and while technical controls help, there are limited tools that can fully prevent human error. As a result, awareness and training play a critical role in reducing this risk.”
Safeguards, Solutions
Vendors in the specialized field of cybersecurity offer software solutions and tools for every potential threat. The major gaming testing organizations, GLI and BMM Testlabs, have led the way in this discipline. GLI acquired Bulletproof Solutions in 2016 and adapted the new division to offer a full range of cybersecurity products and services.
“Most of our cybersecurity offerings are service-related,” says Fritschie. “That said, we have bundled many of these services into a product offering. Two exciting services that come to mind are GLI’s ransomware security posture assessment and managed vulnerability program.”
GLI’s ransomware security posture assessment helps organizations identify weaknesses and lack of controls that could lead to a ransomware incident. “Our cybersecurity professionals key controls from the NIST cybersecurity framework and then conduct a tabletop exercise,” Fritschie says. “Often, this is very enlightening to the stakeholders as they realize weaknesses for the first time.
“GLI’s managed vulnerability program takes the load off organizations that may have a smaller IT staff by performing the entire vulnerability management program for them, from the scanning to analysis, reporting and prioritization. This allows those organizations to focus on speed to remediation, which is key.”
BMM Testlabs relaunched its company as BMM Innovation Group, or BIG, in 2019, introducing a complete range of services, not the least of which was BIG Cyber, a division dedicated to cybersecurity solutions.
“At BMM Testlabs’ BIG Cyber, we help gaming companies find and fix security problems before hackers do,” says Turrini. “We do this through services like penetration testing, vulnerability assessments and PCI DSS reviews. These services look closely at iGaming platforms, casino systems, payment systems and cloud environments to see where they might be at risk.
“We also offer 24/7 managed cybersecurity services, so our customers are not alone when something happens. We monitor systems around the clock and respond quickly to any threats. Our goal is simple: protect players, data, revenue and reputation, while helping gaming businesses stay compliant and confident as they grow.”
She adds that BIG Cyber customers can choose from a menu of solutions and services. “We don’t believe in forcing customers into one tool,” Turrini says. “Instead, we work with trusted cybersecurity partners and use the right technology for each situation.”
One key solution is CYREBRO, which provides 24/7 monitoring and response through a global security operations center. “It constantly watches for suspicious activity, investigates alerts and helps stop attacks quickly, often before they turn into major problems,” Turrini explains.
Educate, Train
One of the most critical elements of any cybersecurity program is a means to train and educate employees, executives, regulators and other stakeholders on ways to spot and prevent cyberattacks, and to minimize potential damage to operators from digital scams that can cost millions.
Vector Solutions is a fast-growing firm that offers a library of online training and education courses in various operational disciplines, including the cybersecurity field.
“Vector Solutions provides cybersecurity awareness training that helps reduce human-related cyber risk,” Melcher says. “Our services focus on educating employees to recognize threats, protect sensitive data and respond appropriately, helping prevent attacks before they impact casino operations. We know that a robust training program is often the first step in creating a robust cybersecurity culture in the workplace.”
Vector offers cybersecurity training through what’s known as the Learning Management System (LMS), which includes trackable, scalable training across the workforce, with courses from Browser Security Basics to Cybersecurity Awareness for Employees, Protection Against Malware and more.
“Our most requested course, Understanding Cybercrime in the Casino Industry, highlights the unique risks to casinos and includes case studies of recent cyberattacks in both tribal and commercial operators,” Melcher says.
“In addition, our LMS offers in-platform course authoring tools to help IT teams quickly and efficiently create and disseminate information about new or trending threats specific to their casinos. IT teams can use dynamic analytics tools to quickly identify risk by reviewing employee completion rates, scores and overall comprehension of the course content to provide role-based or individual training in seconds.”
The two major test labs also offer operators extensive training and education services. GLI has several different cybersecurity training options available through GLI University. GLI cybersecurity experts can also train an organization’s team members directly, so that they can perform the bulk of the basic assessments themselves.
“While GLI offers a variety of different services including assessment, audit and advisory services, I believe one of the most important ways to increase your cybersecurity posture and protect against attacks is to focus on mindset,” says Fritschie.
“At times it may seem like an impossible task with all the news of breaches and ransomware, but you will have success if you are intentional and focused on taking the correct actions and prioritizing information security. For example, some of our best clients are those that do not view assessments as a ‘checkbox’ exercise but are using them as an opportunity to test their team and tools so that they can increase their cyber resiliency.”
BIG Cyber also offers operators a complete training and education program. “BIG Cyber helps by covering all the bases,” Turrini says. “We find weaknesses early through testing, train employees to avoid common scams, and monitor systems 24/7 so we can act fast if something goes wrong. This 360-degree approach helps protect a company’s reputation, revenue and relationships with regulators, which are often the hardest things to rebuild after an attack. At the same time, we ensure business continuity.”

BIG Cyber also offers KnowBe4, which focuses on teaching employees how to spot scams like phishing emails, and Maxxsure, which gives companies a clear cyber-risk score. That score helps company executives understand where they stand and what they should fix next.
Long View
By all accounts, the cat-and-mouse game between casinos and bad actors stands to intensify in the coming years, with advancing technology feeding both sides of the equation.
“Cyberattacks are going to keep getting smarter and faster, especially as criminals use more automation and AI,” says BIG Cyber’s Turrini. “At the same time, gaming systems will continue to become more connected and more complex.
“Technology can keep up, but only if companies stay ahead of the problem. Cybersecurity can’t be something you check once a year; it has to be ongoing. In the future, the most successful gaming businesses will treat cybersecurity as part of everyday operations, not just an IT issue. That’s the mindset that we at BMM bring to BIG Cyber every day.”
“Cyberattackers will continue to become more sophisticated and personalized, driven by automation and AI,” agrees Vector Solutions’ Melcher. “Casinos will remain attractive targets because they handle large volumes of financial and personal data, operate complex systems with minimal tolerance for downtime, and employ large, diverse workforces that are frequent targets for social engineering attacks.
“It’s critical to partner with a training provider that can keep pace with how cyber threats evolve. Creating a strong cybersecurity culture isn’t a one-and-done exercise. It takes ongoing training, regular refreshers and simple knowledge checks to keep security top of mind. Casino employees truly are the first line of defense, and when they’re supported with the right training, the business, your reputation and your guests are better protected.”
Bulletproof’s Fritschie agrees on the pending effects AI is going to have on the contest between operators and bad actors in the coming years.
“It may be cliché now, but I do think artificial intelligence is going to have the largest impact,” Fritschie says. “I recently read Co-Intelligence by Ethan Mollick. Although it’s a business book focusing on AI, it reads like a survival guide for the future of information security. He had several great points, but one that I am drawn to is ‘Centaurs vs. Cyborgs.’
“Centaurs divide the work—AI parses thousands of logs while humans focus on strategy—while cyborgs integrate the work, with practitioners collaborating with AI in real time to refine tactics and decisions. Organizations whose red teams and auditors master both models will gain a decisive advantage, especially as adversaries are rapidly doing the same.
“Over the next five to 10 years, cybersecurity will become more adaptive and intelligence-driven as attackers increasingly use automation and AI to scale their efforts. Technology can keep up, but only for organizations that combine advanced tools with strong processes and skilled people to stay ahead of evolving scams.”
