'Sharking' attacks target poker sharks' and their funds

F-secure analysts smell a RAT on poker pro's laptop

There is, apparently, pretty good money in professional poker, whether it's done in person or on online. That means there is a pretty good chance that bad guys will be looking to steal as much of it as they can.

[Researchers find vulnerabilities in online poker applications]

And, as a recent story out of Barcelona shows, miscreants are willing to use a combination of modern malware and old-fashioned breaking and entering to achieve their goals.

The unwilling victim in this case is Jens Kyllönen, a 24-year-old poker pro from Finland who reportedly won somewhere in the range of $2.5 million in the past year. He now has an international profile, after his laptop temporarily went missing from the hotel hosting a European Poker Tour event in Barcelona this past September, and he sought help from the Internet security firm F-Secure in Helsinki to investigate whether it had been compromised.

It had. F-Secure senior researcher Daavid Hentunen and director of security response Antti Tikkanen discovered a remote-access Trojan (RAT), "with timestamps coinciding with the time when the laptop had gone missing," the two wrote in a blog post.

"Apparently, the attacker installed the Trojan from a USB memory stick and configured it to automatically start at every reboot." A RAT, they wrote, "is a common tool that allows an attacker to control and monitor a laptop remotely, viewing anything that happens on the machine."

Kyllönen is not the only victim. In an email interview, Hentunen said he and Tikkanen, "investigated six laptops pro bono to help out the potential victims." And they wrote in their post that the attack is now common enough that they thought it ought to have its own name: sharking.

The idea, Hentunen said, was based on attackers hunting "sharks" i.e. pro poker players. He said he was not aware that the more common "urban" definition of sharking is sneaking up behind a woman and pulling down her top or her pants while somebody else shoots a video of it.

"We didn't know about it beforehand, (and) we decided it didn't matter," he said. "Sharking still seemed to be the best word describing the crime in poker slang, so we decided to stick with it."

[JPMorgan to notify 500,000 due to data breach, but will not offer replacement cards]

Kyllönen did not respond to a request for comment — on Twitter he had posted that he would not be doing interviews. But in several lengthy posts on the poker forum Two Plus Two, he complained about a lack of security at the hotel and an investigation that was sketchy at best. He cited the failure of PokerStars, the sponsor of the tournament, to be more aggressive, both with the hotel staff and in taking the word of the hotel staff that they had contacted police, when they hadn't.

The responses to those posts were mostly sympathetic to Kyllönen, but one, going by the name "BustoPro" urged him to move on. He said he had been robbed of $5,000 once, but realized, "police involvement would have gotten me nowhere ... I didn't take the necessary precautions and a predator took advantage. Such is life." Others told him it was silly for him to expect the local police to expend time and resources on it, since ultimately, he hadn't been robbed of anything.

Indeed, Kyllönen was fortunate in that respect — he discovered his laptop had been taken, and then returned. If he hadn't, Hentunen and Tikkanen said the attackers likely could have stolen significant amounts of money from him, since the RAT would have allowed them to see his cards in any online game. They found the same RAT on the computer of Kyllönen's hotel roommate at the tournament.

"This kind of attack is very generic and works against any online poker site that we know of. The Trojan is written in Java and uses obfuscation, but isn't all that complicated. Since it's in Java, the malware can run in any platform (Mac OS, Windows, Linux)," they wrote.

While there is reportedly an investigation ongoing, there are no identified suspects, and Hentunen said he knew of no group that is suspected, or what country the attackers might be from.

[Study finds zero-day vulnerabilities abound in popular software]

There was some speculation that it could have involved what has become known as an "Evil Maid" attack – a term coined in 2009 by Joanne Rutkowska, founder and CEO of Invisible Things Lab – which involves an attacker loading malware onto a laptop via a USB stick that sniffs out the encryption software's password and PIN, and reports it back to the attacker.

Hentunen and Tikkanen even included a link to a post on Evil Maid attacks in their blog post, but Hentunen said the laptops he investigated didn't have encryption enabled.

Security expert Kevin McAleavey, a cofounder of the KNOS Project, said he doubted the attack involved hotel staff. "Keycards for doors are easily hacked," he said,

"You'll note in the story that the victim tried his keycard and it didn't work, which means that the code for the door had gotten changed. So I doubt the hotel staff was involved in any way, I think the victim was being surveyed and they just waited for the opportunity, knowing he'd be away long enough."

Hentunen said if Kyllönen hadn't retuned to his room and found his laptop missing, he likely never would have known it was compromised. "At minimum you would need to have a certain amount of expertise in computer security to check for signs of unknown malware," he said.

So, the advice for those who spend a lot of time in hotel rooms is to take extra precautions. Hentunen and Tikkanen recommend, for any computer that is used to move large amounts of money, locking the keyboard every time the owner is not with it.

"Put it in a safe when you're not around it, and encrypt the disk to prevent off-line access. Don't surf the web with it (use another laptop/device for that, they're relatively cheap)," they wrote.

Security guru Bruce Schneier, in a blog post on the Evil Maid attack, said the best defenses include, "two-factor authentication: a token you don't leave in your hotel room for the maid to find and use. The maid could still corrupt the machine, but it's more work than just storing the password for later use." The second is trusted boot.

[Gambling software developer moves to fix poker game flaws]

If there is any indication of tampering on a laptop, Hentunen said the user should, "stop doing anything with the machine and contact the police. For services that have been accessed from the infected machine, change passwords for those with some other machine.

"If you can, make sure the network connection is disabled and leave the computer running," he said. "Another option is to hibernate the computer to keep the memory intact to make forensics easier. If you don't know how to do either of these, just shut down the computer."

To comment on this article and other CSO content, visit our Facebook page or our Twitter stream.
Insider: Hacking the elections: myths and realities
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.