Botnets playing poker, laundering money

September 4, 2007

Over the past few months, Uriel Maimon, a senior employee at RSA who specializes in technology research of financial fraud, crimeware analysis and cyber-forensics, has witnessed a spike in the use of botnets on gambling sites in order to transfer money from stolen credit cards and other payment mechanisms overseas.[1]

Here is how the scam typically works: A fraudster steals a batch of credit card numbers and, for each number, opens an account with an online payment-processing service for the purpose of gambling. At the same time, the fraudster opens accounts on an online payment-processing service using credit cards with minimal cash balances, either under their own name or that of an accomplice. The fraudster then floods an online poker forum with "players" in the form of bots: compromised PCs loaded with poker-playing programs that play poker, but not necessarily well. Another human who is collaborating with the crook then enters the same room as the bots to compete "against" them. The human naturally wins the pot, money changes hands, the collaborator shares the profit with the fraudster, and the supplier of the stolen credit cards gets his share as well.[1,2]
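From the poker operator's side, the pattern described above shows up as many accounts losing nearly their whole deposit to one opponent. The following detection sketch is an added example, not taken from RSA or the cited reports; the record format, account names and thresholds are assumptions, and the sample data is constructed.

```python
from collections import defaultdict

# Constructed sample data (not real records): deposit per account,
# and one (loser, winner, amount) tuple per settled pot.
DEPOSITS = {"bot01": 200, "bot02": 200, "bot03": 200, "bot04": 200,
            "mule": 50, "alice": 300, "bob": 300, "carol": 300}
POTS = [
    ("bot01", "mule", 120), ("bot02", "mule", 190), ("bot03", "mule", 200),
    ("bot01", "mule", 75), ("bot04", "mule", 185), ("bot04", "alice", 10),
    ("alice", "bob", 60), ("bob", "carol", 45), ("carol", "alice", 80),
    ("bob", "alice", 30), ("alice", "mule", 20), ("carol", "bob", 25),
]

def find_dumpers(deposits, pots, lost_share=0.9, sink_share=0.9):
    """Map each account that lost most of its deposit, almost all of it
    to a single opponent, to that opponent. Thresholds are assumptions."""
    lost_to = defaultdict(lambda: defaultdict(float))
    won = defaultdict(float)
    for loser, winner, amount in pots:
        lost_to[loser][winner] += amount
        won[winner] += amount
    dumpers = {}
    for acct, sinks in lost_to.items():
        total_lost = sum(sinks.values())
        net_lost = total_lost - won[acct]          # ordinary players win some back
        top, top_amt = max(sinks.items(), key=lambda kv: kv[1])
        if (net_lost >= lost_share * deposits[acct]
                and top_amt >= sink_share * total_lost):
            dumpers[acct] = top
    return dumpers

def flag_collectors(deposits, pots, min_dumpers=3):
    """Accounts that several independent 'dumper' accounts all lose to."""
    by_sink = defaultdict(list)
    for acct, sink in find_dumpers(deposits, pots).items():
        by_sink[sink].append(acct)
    return {s: sorted(a) for s, a in by_sink.items() if len(a) >= min_dumpers}

if __name__ == "__main__":
    for collector, feeders in flag_collectors(DEPOSITS, POTS).items():
        print(f"review {collector}: fed by {', '.join(feeders)}")
```

A flagged account is a lead for manual review, to be correlated with signals such as chargebacks on the feeder accounts' cards.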

Historically, botnet owners frequently targeted gambling sites with DDoS extortion attacks, threatening to knock the sites offline unless the owners paid a ransom. But because this tactic is no longer as profitable as it once was (not to mention the risk of exposing the botnet), they are now moving toward new lucrative ventures.[3]

1. "Cybercrooks use bots to deal winning hand", USA Today, September 4, 2007

2. "Phishing Special Report: What we can expect for 2007", RSA Security Inc., p. 3

3. "DoS extortion is no longer profitable", Symantec, April 26, 2007