Online Casino Spam: How Fake Gambling Sites Steal Financial Data

Prashant Kumar
Many of us have come across casino web pages that offer us a chance to win big. An increasing number of these sites are fraudulent scam sites. The popularity of online casino/betting scams continues to grow because they represent one of the easiest ways for scammers to steal users’ financial information.
In this blog post, we’ll examine a recent example of an online casino scam site to better understand what it is, how it works and most importantly, why it has become a common and easy way for attackers to steal victims’ data. This specific campaign attacks consumers in Vietnam, Thailand, Indonesia and Turkey.
What is Online Casino Spam?
Online casino spam represents a lucrative source of income for scammers. Some estimates show that fake online casinos cost victims anywhere from the low- to mid-tens of billions of dollars per year globally.
Hackers follow patterns established by legitimate gambling sites to fool unsuspecting users. To access a gambling site, a user needs to create an account and deposit money digitally via credit or debit card, e-wallet or crypto. From there, users can place bets using that digital currency.
Attackers create legitimate-looking sites to lure users into investing real money. These sites usually feature fake dashboards that show ‘winnings.’ But, unlike legitimate online casinos, where a user can withdraw winnings at any time, these scammer sites make withdrawals inactive.
Essentially, once a victim registers and deposits money into a casino spam site, they’ve already compromised their sensitive financial credentials, potentially opening themselves up to significant financial losses.
Figure 1 below shows an example of a recent casino spam site we encountered.

Fig. 1 – Luring Page impersonating 23win.com

Fig. 2 – Luring page impersonating 100win.art
Inspecting the URLs, we see “hxxps://eir.uk[.]com/” and “hxxps://muh.uk[.]com/” which are not official betting/casino sites. They leverage a uk[.]com host to deliver the spam content.
Digging into the Scam
If we take a look at a similar URL hxxps://muh.uk[.]com, the content of the site shows information about 23win.com, a legitimate gambling platform.
Upon further inspection, the footer area of the site is not clickable. The attackers leverage the “About Us” section to create a new directory within the website structure with the same “about” name and place an index[.]html or sitemap_index[.]xml, a file full of spam links, within it.

Fig. 3 – Fake footer page
Here in place of “About,” we have a section “Map Diagram,” which is the only clickable tab. When clicked, it shows these indexed pages:

Fig. 4 – Search engine crawling
The “Contact” section shown in Figure 3 shows the brand as ‘Brand 23win.com,’ but the URL resolves to hxxps://muh[.]uk[.]com. The site email and other details operate in a similar manner.
On checking the source code of these websites, we found a script element of type “application/ld+json” that is common to these types of websites. This JSON script holds most of the information about the site, including the email, phone number and address of the author of the page, along with the location where these sites are mostly active. The JSON also provides information about what types of currency and payments are accepted.

Fig. 5 – JSON format showing site details
In Figure 6 below, we see attackers using SEO tactics to potentially display links in search results by using “@type”: “BreadcrumbList”:

Fig. 6 – Manipulating search engine results
This is an example of how hackers manipulate search engine results to improve the discoverability of their fake sites.
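The structured-data check described above can be automated. The following is an added example, not code from the original post: it pulls every application/ld+json block out of a page, lists domains named in the structured data that differ from the host serving it (the brand mismatch seen in the “Contact” section) and counts BreadcrumbList entries. The sample page, the hosts lure.example and bigwin.example, and the function names are constructed for illustration.

```python
import json
import re
from urllib.parse import urlparse

# JSON-LD script blocks; attribute order and quoting vary between pages.
LD_JSON_RE = re.compile(
    r"<script\b[^>]*\btype=[\"']?application/ld\+json[\"']?[^>]*>(.*?)</script>",
    re.I | re.S)
DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")

def walk(node):
    """Yield every dict nested anywhere in a decoded JSON-LD document."""
    if isinstance(node, dict):
        yield node
        node = list(node.values())
    if isinstance(node, list):
        for child in node:
            yield from walk(child)

def audit(page_url, html):
    """Compare what the structured data claims with the host that served it."""
    host = (urlparse(page_url).hostname or "").lower()
    out = {"host": host, "foreign_domains": set(), "breadcrumb_items": 0}
    for raw in LD_JSON_RE.findall(html):
        try:
            doc = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip malformed blocks rather than abort the audit
        for obj in walk(doc):
            if obj.get("@type") == "BreadcrumbList":
                out["breadcrumb_items"] += len(obj.get("itemListElement") or [])
            for key in ("name", "url", "email", "item"):
                if isinstance(obj.get(key), str):
                    for d in DOMAIN_RE.findall(obj[key].lower()):
                        # Anything that is not the serving host or a subdomain of it
                        if d != host and not d.endswith("." + host):
                            out["foreign_domains"].add(d)
    return out

# Constructed sample page: host and brand are placeholders, not real sites.
SAMPLE = """<script type="application/ld+json">
{"@type":"Casino","name":"Brand bigwin.example","url":"https://lure.example/",
 "email":"support@bigwin.example"}
</script>
<script type='application/ld+json'>
{"@type":"BreadcrumbList","itemListElement":[
 {"@type":"ListItem","position":1,"name":"Home","item":"https://lure.example/"},
 {"@type":"ListItem","position":2,"name":"Register","item":"https://lure.example/dangky"}]}
</script>"""
```

Calling `audit("https://lure.example/about/", SAMPLE)` reports bigwin.example as a domain the page claims but does not serve from, plus two breadcrumb entries.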
Examining the Registration Process
Let’s look at how the site in Figure 1 operates. When a user registers, the registration URL corresponds to “hxxps://muh.uk[.]com/dangky”. When clicked, it redirects to “hxxps://www.pg66st428[.]cyou/Register?f=131212” instead of the legitimate site it promotes (23win.com).

Fig. 7 – Fake registration page
On the registration page above, users create account credentials and can potentially share other information like their phone number.

Fig. 8 – Post-registration dashboard and deposit page
The dashboard contains different tabs for playing games and for adding money. Users have several options to deposit funds, including scanning their bank code, a bank transfer or several other methods.
Regardless of which method we tried, the site displayed a QR code:


Fig. 9 – Different payment methods and QR code
These payment methods are hosted on sites like “hxxps://pay.24hpay666[.]com” and “ydoj.88pay2025a[.]com”, which appear to be suspicious, low-reputation domains: payments routed through them via the previously mentioned methods are likely to result in either credential theft or financial loss.
We also analysed “hxxps://www.pg66st428[.]cyou” and its actual site “hxxps://www.pg66[.]com”. After comparing the WHOIS records of pg66[.]com and pg66st428[.]cyou, we found pg66[.]com to be old and to have all of its information present, whereas the latter was created just 147 days ago and has most of its details redacted, indicating that the site is suspicious.
Conclusion:
The X-Labs team has seen a rise in these scam casino and gambling and gaming sites over the last few months. These scams are increasingly popular since they potentially provide hackers with direct access to victims’ banking credentials and funds. Scammers set up legitimate-looking sites that operate in much the same way real gambling sites do. Once a victim registers and deposits money, they usually appear to win several games. But problems occur as soon as victims try to withdraw their winnings. At this point, it’s too late. Victims have unknowingly opened themselves up for potentially significant financial losses.
While analysing many URLs, we found the campaign targets geo-locations such as Vietnam, Thailand, Indonesia and Turkey. We also observed domain targeting for \w{3}\.uk[.]com, \w{3}\.cn[.]com and \w{3}\.ru[.]com.
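The domain patterns above can be used to triage URLs from reports or proxy logs. The following is an added example, not code from the original post: it re-fangs defanged indicators, extracts the host, and separates hosts that match the three-character pattern from other names under the same three parents. The function names and the entry marked as constructed are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit

# The three patterns quoted in the post, re-fanged: exactly three word
# characters directly under uk.com, cn.com or ru.com.
PARENTS = ("uk.com", "cn.com", "ru.com")
THREE_CHAR = re.compile(r"^\w{3}\.(?:uk|cn|ru)\.com$")

def refang(indicator):
    """Undo the defanging used in reports (hxxp, [.])."""
    s = indicator.strip().replace("[.]", ".")
    return re.sub(r"^hxxp", "http", s, flags=re.I)

def hostname(indicator):
    """Return the lowercase host of a URL or bare domain, without the port."""
    s = refang(indicator)
    if "://" not in s:
        s = "//" + s  # make urlsplit treat a bare domain as the netloc
    try:
        return (urlsplit(s).hostname or "").lower().rstrip(".")
    except ValueError:
        return ""  # unparseable input is never a match

def classify(indicator):
    """'pattern' = matches the post's regex; 'parent-only' = same parent, other label."""
    host = hostname(indicator)
    if THREE_CHAR.match(host):
        return "pattern"
    if any(host.endswith("." + p) for p in PARENTS):
        return "parent-only"  # may include unrelated sites; review before blocking
    return "none"

def triage(indicators):
    """Group hosts by verdict, dropping anything outside the three parents."""
    out = {"pattern": set(), "parent-only": set()}
    for ind in indicators:
        verdict = classify(ind)
        if verdict in out:
            out[verdict].add(hostname(ind))
    return out

# The first two entries are quoted in the post; the last two are constructed.
SAMPLE = [
    "hxxps://eir.uk[.]com/",
    "hxxps://muh.uk[.]com/dangky",
    "hxxps://constructed-name.ru[.]com:443/",
    "https://www.example.org/",
]
```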
Protection Statement:
Forcepoint customers are protected against this threat at the following stages of attack:
- Lure – URLs are blocked by web analytics.
- Redirect – Redirect URLs that send users to phishing pages are blocked.
IOCs

Prashant Kumar
Prashant serves as a Security Researcher for the X-Labs Threat Research Content. He spends his time researching web and email-based cyberattacks with a particular focus on URL research, email security and analyzing malware campaigns.