The real-money online poker community, already a long-standing subject of scrutiny from governments and regulators, recently became the target of an international malware campaign involving the theft of sensitive personal data from players’ computers. The threat originates with i2Ninja, a Trojan from Russia that communicates with a botnet and utilizes several interesting features, including an anonymous cryptographic network and secure help desk interface.
This malware makes use of I2P, or the Invisible Internet Project, a Darknet initiative designed to create an Internet-within-the-Internet in which software applications can communicate with each other pseudonymously. I2P has connections with the cryptocurrency movement and is similar to TOR, the anonymous network that recently became a staging ground for several large-scale attacks. Like TOR, I2P is a privacy tool that, placed in the wrong hands, can become a powerful asset for cybercriminals trying to evade detection.
The threat from i2Ninja comes at a time when the broader online gambling community has been adjusting to new regulations and trying to facilitate a secure environment for legitimate players. Still, poker professionals may need to take the initiative on some security matters.
In addition to best practices such as keeping antivirus and security software up-to-date, poker players must also be increasingly attentive to the physical security of laptops. Using a dedicated poker laptop, one containing no other applications with sensitive data, is another way to mitigate risk.
Moreover, the complex issues with online gambling – the high monetary stakes, the possible connection to money laundering operations – merit increased attention from cybersecurity professionals. While Internet poker has the potential to revitalize some businesses and state economies in the U.S., it must be handled with care.
I2Ninja utilizes anonymous cryptographic network, secure help desk to increase efficacy
I2Ninja features several modules for stealing data, and each one is designed for a different task. In the case of online poker, the relevant tool is fittingly called PokerGrabber, which is capable of stealing locally stored usernames and passwords for a wide array of popular gambling sites such as Full Tilt Poker and 88Poker. For context, it is related to MailGrabber, an i2Ninja module that exploits email clients.
PokerGrabber and other i2Ninja modules are spread via common channels such as spam email and drive-by downloads on compromised domains. Like other financial malware, i2Ninja variants are capable of HTML injection and HTTP/HTTPS injection, and can grab data from FTP sessions and from Web forms in any major browser. I2Ninja may also be updated to include a virtual network connection module for remotely accessing and controlling PCs.
Once infected, machines become nodes within i2Ninja’s botnet. While typical on the surface, i2Ninja features some unusual capabilities under the hood for protecting its botnet communications, most notably a secure peer-to-peer platform via I2P that provides optimized support for hidden services.
The official I2P site explains that the project, which is still in beta, offers a number of advantages over the more prominent TOR network. For example, unlike TOR, I2P has no centralized view of network activity, and its hidden services are generally faster. I2P also supports HTTP proxies for anonymous browsing, meaning that perpetrators can access the Internet from compromised computers, shield their identities and securely share data with command-and-control servers.
“Using the I2P network, i2Ninja can maintain secure communications between the infected devices and command-and-control server,” stated security researcher Etay Maor. “Everything from delivering configuration updates to receiving stolen data and sending commands is done via the encrypted I2P channels. The i2Ninja malware also offers buyers a proxy for anonymous Internet browsing, promising complete online anonymity.”
The secure P2P channels enable I2Ninja buyers to communicate with the I2Ninja support team at any time. Some malware, such as NeoSploit and Citadel, has featured a support interface, but the sophistication of I2Ninja’s services makes it a trailblazer. Its example may provide inspiration for other financial Trojans, which accounted for more than 200,000 infections in the third quarter of 2013, according to Trend Micro’s research.
A closer look at online gambling security in New Jersey
Although I2Ninja casts a wide net, its inclusion of a poker-specific module is a telling commentary on the state of online gambling security. Until recently, many online poker sites were prohibited from operating in the U.S., as the result of the federal government’s crackdown in the summer of 2011. Many states such as New Jersey are now experimenting with fledgling online poker and gambling initiatives, and implementing the right security software has been at the forefront of these efforts.
In August, New Jersey’s Division of Gaming Enforcement updated its proposal for online gambling regulations with extra security measures. Under the new guidelines, users would have to re-enter their information at 15-minute intervals and would have their accounts disabled after three failed password attempts. The updated policy also provides the option to use strong authentication via security questions.
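To make the two numeric rules in that proposal concrete, here is an added example (not code from the regulator or any gaming operator) of how a site's account logic could enforce the 15-minute re-entry window and the three-failure lockout. The AccountStore class, its method names and the use of epoch seconds are assumptions for this illustration; applying the same three-strike rule to the periodic re-entry is also an assumption.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Thresholds from the NJ Division of Gaming Enforcement proposal described above.
REAUTH_INTERVAL_SECONDS = 15 * 60   # player must re-enter credentials every 15 minutes
MAX_FAILED_ATTEMPTS = 3             # account is disabled after the third failed password


@dataclass
class Account:
    """Hypothetical server-side account record (constructed for this example)."""
    username: str
    failed_attempts: int = 0
    disabled: bool = False
    last_verified: Optional[float] = None   # epoch seconds of the last successful check


class AccountStore:
    """In-memory stand-in for an operator's account database (assumption, not a real API)."""

    def __init__(self) -> None:
        self._accounts: Dict[str, Account] = {}

    def get(self, username: str) -> Account:
        return self._accounts.setdefault(username, Account(username))

    def record_login(self, username: str, password_ok: bool, now: float) -> str:
        """Apply the lockout rule; returns 'ok', 'failed' or 'disabled'.
        Used for both the initial login and each 15-minute re-entry (assumption)."""
        acct = self.get(username)
        if acct.disabled:
            return "disabled"            # stays disabled even if the password is now correct
        if password_ok:
            acct.failed_attempts = 0     # a successful login resets the failure counter
            acct.last_verified = now
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.disabled = True         # third consecutive failure disables the account
            return "disabled"
        return "failed"

    def needs_reauth(self, username: str, now: float) -> bool:
        """True once 15 minutes have passed since the last successful verification."""
        acct = self.get(username)
        if acct.last_verified is None:
            return True                  # never verified: always require credentials
        return now - acct.last_verified >= REAUTH_INTERVAL_SECONDS
```

A real deployment would persist this state server-side and also emit an audit event on each lockout, since a burst of lockouts across many accounts is the kind of unusual activity worth alerting on.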
After New Jersey green-lighted Internet gambling with the support of Atlantic City casinos, many users experienced some system glitches. Security software designed to determine whether a user was in New Jersey occasionally malfunctioned, and payment card data was sometimes rejected.
Still, the new measures are likely a good idea in light of the security issues that have plagued online gambling. Electronic wallet Skrill, a popular tool among poker professionals, may have experienced an accounts breach over the summer, and poker services such as PokerStars have implemented SMS validation systems to verify user identities.
Protecting data with a blend of software solutions and physical security
Despite the new measures enforced by states and poker services, players still need to be careful when online. Security software and system patches should be promptly installed and updated, and using dedicated laptops may also help.
While threats like I2Ninja are intimidating from afar, users can lower their exposure by following these practices and routinely checking for unusual activity in their banking or poker accounts. On top of these measures, physical security is still important, as demonstrated by recent laptop thefts at the European Poker Tour Barcelona tournament.
For many individuals, poker is a valuable source of income in addition to a pastime. Businesses and local economies may also benefit from a secure, functioning online poker community, but players and security professionals must work together to ensure that everyone is protected from vulnerabilities.