How Chinese Illegal Gambling Infiltrates European Football

Editor’s Note: This newsletter is part of a collaboration between Lawfare and Risky Business. You can find the full version of the Seriously Risky Business newsletter and previous editions on news.risky.biz.

How Chinese Illegal Gambling Infiltrates European Football

An eye-opening report describes a cyber crime supply chain with connections to Chinese organized crime, illegal online gambling, money laundering, human trafficking, and even sponsorships with European sports teams.

Infoblox, the security firm that authored the report, said this supply chain was controlled by a single actor it calls Vigorish Viper. The main purpose of the enterprise was to facilitate illegal online gambling for residents of what the report calls “Greater China.” (This term isn’t defined in the report, but from our reading of it we think it includes mainland China, Hong Kong, and Macau, but not Taiwan.)

Infoblox said the supply chain was organized into multiple entities performing different functions to “shield the operators from scrutiny and legal consequences.” In operational security terms, Vigorish Viper compartmentalizes its operations so that the disruption of any single entity (such as a money launderer, hosting provider, or payment service) by law enforcement action does not cripple the entire operation.

Infoblox was “highly confident” Vigorish Viper’s technology suite was developed by a company formerly known as the Yabo Group (aka Yabo Sports or Yabo). According to its reports, the technology itself is sophisticated:

The actor has implemented multiple, layered traffic distribution systems (TDSs) using DNS CNAME records and JavaScript, essentially creating a series of gates to protect their systems from unwanted scrutiny. They extensively profile the users, including continuously monitoring mouse movements and evaluating IP addresses. There are multiple versions of the software, and the most advanced version is reserved for the Chinese brands. Vigorish Viper hosts over 170k domain names and tens of brands in an infrastructure that is directly tied to Hong Kong and China.

Victims of human trafficking are reportedly forced to provide support to Yabo Group betting websites by boosting sites in live chat groups or by encouraging customers to place bets.

A large number of gambling sites run on top of Vigorish Viper’s back-end infrastructure. These are provided by dozens of “baowang” (meaning “full package” or “full bundle”) companies that offer “white label casino services,” target Chinese-speaking players, and claim to be licensed by regulators. The sheer diversity of these sites and the prevalence of copycat sites obfuscates the relationships between entities. These gambling sites are typically accessible only from mainland China, Hong Kong, and Macau, and visitors from elsewhere arrive at a splash page.

Vigorish Viper also sponsors European football teams:

Through a series of shell companies using fake identities and credentials, the Chinese organized crime groups establish brand presence, typically represented by a so-called white label intermediary who provides local representation and bona fides. Players wear the sponsor’s logo on their shirt during games, or the logo is advertised on pitchside boards of the stadium, or both. The games are broadcast in China, often illegally, where viewers are enticed to visit the website and bet on their favorite club.

In April 2023, TGP Europe, Vigorish Viper’s brand in the U.K., was fined by the U.K. gambling commission for “anti-money laundering and social responsibility failures.” Despite this, a number of top English football clubs still had sponsorships with Vigorish Viper brands (as of January), and the group has negotiated new sponsorship deals with French, Spanish, and other European teams.

Although Vigorish Viper also appears to target users outside the People’s Republic of China (PRC) with everyday scams and phishing, this appears to be a small side hustle and worth only a single paragraph in the report.

In its conclusion, Infoblox notes that “in spite of the massive number of domain names, websites, and accompanying applications, along with overt presence in the public eye, Vigorish Viper is operating directly and inexplicably in the PRC without meaningful consequence.” We agree that this is legitimately strange.

How the CSRB Should Probe the CrowdStrike Incident

Given the large-scale impact of the CrowdStrike incident, it is likely that the Cyber Safety Review Board (CSRB) will launch an inquiry. Politicians and cybersecurity experts are already calling for it. We don’t think there is much to be gained from a narrow analysis of what went wrong at CrowdStrike, but there are broader systemic issues that the CSRB could focus on, such as how Microsoft could prevent this issue from happening again.

The incident is well described in our sister publication Risky Business News:

Around 8.5 million Windows systems went down on Friday in one of the worst IT outages in history.
The incident was caused by a faulty configuration update to the CrowdStrike Falcon security software that caused Windows computers to crash with a Blue Screen of Death (BSOD).
Since CrowdStrike Falcon is an enterprise-centric EDR, the incident caused crucial IT systems to go down in all the places you don’t usually want them to go out.
Outages were reported in places like airports, hospitals, banks, energy grids, news organisations, and loads of official government agencies.
Planes were grounded across several countries, 911 emergency systems went down, hospitals cancelled medical procedures, ATMs went offline, stock trading stopped, buses and trains were delayed, ships got stuck in ports, border and customs checks stopped, Windows-based online services went down (eg. ICANN), and there’s even an unconfirmed report that one nuclear facility was affected.

This is not really a cybersecurity incident per se, so much as an information technology failure. However, according to the CSRB charter, any “significant cyber incident” is in scope. These are defined as something that happens on or to computers that harms U.S. national interests including the economy, public confidence, or public health and safety. So, check, check, check.

CrowdStrike has published a preliminary post-incident review, and it appears the immediate cause of the incident was that a bad configuration file was pushed to customers after a safety check failed to detect a problem with it. Apparently they’re not big believers in dynamic testing.

We are doubtful that a CSRB review would add much here. CrowdStrike has committed to publishing a root cause analysis, and it will be highly motivated to make sure this kind of incident doesn’t happen again.

However, the bigger picture could benefit from a CSRB review. On Risky Business News, my colleague Catalin Cimpanu notes:

Stuff like this tends to happen, and quite a lot. As an infosec reporter, I stopped covering these antivirus update blunders after my first or second year because there were so many, and the articles were just repetitive.
Most impact only a small subset of users, typically on a particular platform or hardware specification. They usually have the same devastating impact, causing BSOD errors and crashing systems because of the nature of security software itself, which needs to run inside the operating system kernel so it can tap into everything that happens on a PC.

The system kernel is the core of an operating system and generally has complete control of everything going on. On Windows at least, security and antivirus software operated in the kernel because historically they needed the visibility and access that provided. This is risky, however, as crashes in the kernel are far more likely to take down the entire system.

Apple started removing third-party access to the kernel from the MacOS operating system in 2020. This was better for system reliability, but it was also an opportunity for Apple to extend its control over the operating system at the expense of these third parties. But it all worked out because Apple built an API to replace the functionality that the third parties lost when they were kicked out of the kernel.

It’s already possible to reimplement a lot of endpoint detection and response (EDR) capabilities for Windows outside the kernel, but Microsoft hasn’t gone the extra mile and formalized an API-driven approach as the official and only way to handle endpoint security. So, here we are.

Keep in mind, also, that if Microsoft kicks the CrowdStrikes and SentinelOnes of the world out of the kernel, it will also have to kick out its own Defender EDR software. Competition regulators won’t allow Microsoft to give itself an unfair advantage.

This is the space where a CSRB review could potentially drive some change. If removing security vendors (including Microsoft and its own security products) from the kernel is the right thing to do, the CSRB could chart a path out of the current situation by providing Microsoft and federal regulators with a complementary set of recommendations that would give stakeholders a plan to work toward.

A key thing to understand is that what makes the board’s reviews valuable is that they are an exercise in political power. We are not referring to partisan politics, but the board is able to persuade and convince stakeholders to cooperate with fact finding and subsequently to adopt recommendations. In part, this is due to the composition of the board with its mix of senior federal officials and respected private-sector luminaries.

For example, one excellent CSRB report examined the outstanding success of young hackers in groups like Lapsus$. This review had an impact because it was able to examine the group’s actions holistically across many affected companies and made recommendations addressing systemic issues that were actually actioned. Recommendations that telecommunication companies improve procedures to reduce fraudulent SIM swaps were picked up by the U.S. Federal Communications Commission, for example.

That political power isn’t required to sort out CrowdStrike’s mess. But it could be very useful in tackling the underlying problem of security software having high-risk access to the core of the Windows operating system.

Three Reasons to Be Cheerful This Week:

1. MGM Resorts ransomware arrest: U.K. police have arrested a 17-year-old boy in connection with a cyber crime group that targeted MGM Resorts in America, among others. Although the police themselves weren’t explicit about the boy’s alleged role, their press release quotes MGM Resorts saying it was “proud to have assisted law enforcement in locating and arresting one of the alleged criminals responsible for the cyber attack against MGM Resorts and many others.”
2. The ransomware ecosystem is fragmenting: The Record reports law enforcement operations against large Ransomware-as-a-Service (RaaS) platforms are driving criminals to develop their own ransomware variants or modify leaked tools. It’s good to see evidence these operations are having an impact, but ransomware remains profitable, so disrupting key RaaS platforms hasn’t ended the scourge.
3. WebKit announces Private Browsing 2.0: The organization behind the browser engine WebKit, which is used in Safari and on iOS devices, has announced a range of new enhanced privacy protections. These include protection from link tracking and fingerprinting and blocking of known trackers.

Shorts

FTC Investigates “Surveillance Pricing”

The U.S. Federal Trade Commission (FTC) has started investigating the practice of analyzing information about consumers to provide them with personalized or targeted pricing, what it somewhat pejoratively calls “surveillance pricing.” The FTC says this information could include a consumer’s “location, demographics, credit history, and browsing or shopping history.”

The idea of algorithmic pricing based on widespread data collection is an uncomfortable one. The FTC’s explanatory blog on the inquiry, however, notes that individualized pricing has taken place for thousands of years, citing bargaining in ancient Mesopotamian markets as an example.

At this stage it is not clear exactly what is going on here—hence the investigation—but given that we live in a futuristic data-driven dystopia, we are looking forward to seeing the resulting report. More coverage at The Record.

Vance’s Venmo Revelations

Wired has an analysis of the Venmo connections of J.D. Vance, the vice presidential pick of former president and Republican candidate Donald Trump. The story is a good illustration of how notionally innocuous data (to some people at least) can be mined. Venmo is a U.S. mobile payment service combined with a social network. One of its main uses is to split bills with friends, so new users of Venmo are prompted to the app to access their phone’s contacts. Friends lists and a user’s transactions are public by default, which is just a terrible idea.

Microsoft Pulls Back From the PRC, Just a Little

Rest of World has a wonderful examination of the impact of, and driving forces behind, Microsoft’s decision to reduce its China-based engineering workforce. Microsoft has asked up to 800 engineers working on cloud computing or artificial intelligence to relocate overseas to countries including the U.S., Canada, and Australia. China isn’t a large market for Microsoft, at around 1.5 percent of global revenue, but is a very significant talent pool. The company employs around 9,000 people there, mostly in research and development roles.

Risky Biz Talks

In the latest “Between Two Nerds” discussion, Tom Uren and The Grugq discuss whether the rise of cloud computing has been a boon or a curse for cyber espionage agencies.

From Risky Biz News:

Trickbot dev arrested in Moscow: Russian authorities have allegedly arrested a member of the Trickbot cybercrime gang in Moscow this week. According to a report from Russian news channel Baza, authorities detained a 37-year-old man named Fedor Andreev the morning of July 15 in a house in South Moscow. Andreev was allegedly detained based on an Interpol red notice issued by Germany in May.

He is one of eight individuals identified and charged following Operation Endgame—a Europol operation that took down command and control servers for six of the world’s largest botnets (Bumblebee, IcedID, Pikabot, SmokeLoader, SystemBC, and TrickBot).

[more on Risky Business News]

New Russian ICS malware cuts heat to 600 Ukrainian apartment buildings: In January this year, Russian hackers used a novel piece of industrial control systems malware to cut the heating and hot water to over 600 apartment buildings in the city of Lviv, Ukraine. The incident is believed to have impacted apartment blocks in Lviv’s Sykhiv residential area. More than 100,000 people are believed to have been left without heating for almost two days as one of the city’s heating providers, Lvivteploenergo, restored service.

The attack used a malware strain named FrostyGoop, according to a report released by industrial security firm Dragos this week. Dragos says it learned of the attack from the Ukrainian Security Service in April and was able to track down a sample used in the attack.

[more on Risky Business News]

Chinese APT side-hustle: Mandiant’s Dan Kelly has published a Twitter post about how one member of a Chinese APT hacked dozens of MMORPG gaming companies. Kelly says the individual appears to have been running a secret game cheating service that used his access to the gaming company’s database to increase in-game currency for users—some of whom were Twitch and YouTube streamers.