Last year, visitors to a wide range of gambling sites started reporting unusual behavior. Strange text windows would pop up, offering users special access codes for third-party gambling sites. Links would appear with new affiliate tags, an almost unnoticeable difference that could still prove wildly lucrative for whoever got paid for the new referrals. The sites’ visitors were being hacked, but webmasters couldn’t figure out where the new scripts were coming from.

"We very carefully monitored the traffic coming from our servers because we take that sort of situation extremely seriously," says Michael Corfman, executive director of the Gambling Professional Webmasters Association, the organization targeted by the attack. "The monitoring we’d done had never shown any issue, which was quite puzzling."

But the attack wasn’t happening on Corfman’s servers. It was happening on the network itself, using a complex new attack designed to attract as little attention as possible while reaching extremely far. Traffic bound for a gambling association’s homepage was being rerouted to a Romanian dummy site, which was inserting the ads and affiliate codes on the fly.

Now, new details of the attack are surfacing thanks to work by security researchers Gaby Nakibly, Jaime Schcolnik and Yossi Rubin, which will be presented at the Black Hat conference next month. The redirecting site has since been taken down and research indicates GPWA sites haven't been affected for months, but the methods involved still offer a tempting puzzle for researchers. The center of the attack was GPWA.org, the website of the Gaming Professional Webmasters’ Association — but according to Nakibly’s research, the attack wasn’t focused on the website itself. The GPWA also runs a website certification service, loading a certification badge onto 2,476 different affiliated sites — typically gaming portals like PokerListings.com and penny-slot-machines.com. Those badges were loaded directly from GPWA.org, which meant a single interception attack could compromise visitors from all 2,476 sites at once.

Ad injection with a touch of affiliate fraud

According to Corfman, the result was a simple ad injection, with a touch of affiliate fraud. Along with the pop-up text windows, the attackers’ JavaScript app was also adding an affiliate tag to the end of every product link on the page, entitling them to a small kickback every time they sent a paying customer to a store like Amazon. Affiliate systems are everywhere, and replacing the links in transit is a common scam; punishment is usually more a matter of being kicked off an app store than thrown in jail. Still, Corfman was surprised to see such a sophisticated attack turned to such a simple end, especially given that the attackers could have delivered any payload they wanted. "We were seeing a number of attacks that didn’t seem to make any economic sense to us," Corfman says. "Maybe there was a little bit of affiliate revenue, but not enough to justify all of that."

To load a page, a web browser’s request has to travel through half a dozen different networks, from the local ISP to intermediary backbone carriers before finally reaching the local host network and the server where the website is stored. But somewhere along the way, requests to GPWA.org were being split off, sending a duplicate request to a server controlled by the attackers. In response to a single request, users got back two packets of data: one from GPWA.org and one from a more sinister site located at QPWA.org, registered to a false name in Romania. Both packets came routed through the same networks, and in most cases, the phony QPWA.org packet would arrive first. Faced with two responses to the same request, the browser would drop whichever arrived later — usually the GPWA packet.

A new way to spread malware

The result for users was the same as a classic injection attack: having asked for a file from one site, they got a third-party ad instead. But unlike typical injection attacks, which occur at a user’s ISP level, this attack could target anyone who loaded content from the GPWA website — which, because of the remotely loaded badges, covered thousands of websites overall. Looking at server logs would show no sign of the attack. All you would see was a user requesting the file and the file being sent.
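As an added illustration (not from the article or the researchers' own tooling): the race described above leaves no trace in server logs, but on the client side of the connection it shows up as two TCP segments claiming the same sequence range with different bytes. The Python below flags that pattern in a constructed capture; the `Segment` record, addresses, payloads and TTL values are assumptions made for the example, and sequence-number wraparound is ignored.

```python
from collections import defaultdict
from typing import NamedTuple

class Segment(NamedTuple):
    flow: tuple     # (src_ip, src_port, dst_ip, dst_port), server -> client
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes
    ttl: int        # IP TTL as seen at the client
    t: float        # arrival time, seconds

def overlap_differs(a, b):
    """True when a and b cover shared sequence space with different bytes."""
    start = max(a.seq, b.seq)
    end = min(a.seq + len(a.payload), b.seq + len(b.payload))
    if start >= end:                       # no shared bytes
        return False
    return a.payload[start - a.seq:end - a.seq] != b.payload[start - b.seq:end - b.seq]

def find_conflicts(segments):
    """Return (accepted, dropped) pairs: the dropped segment contradicts an earlier one."""
    by_flow = defaultdict(list)
    for s in sorted(segments, key=lambda s: s.t):
        by_flow[s.flow].append(s)
    conflicts = []
    for segs in by_flow.values():
        for i, later in enumerate(segs):
            conflicts += [(first, later) for first in segs[:i]
                          if overlap_differs(first, later)]
    return conflicts

# Constructed capture (documentation addresses, made-up payloads).
WEB = ("192.0.2.10", 80, "198.51.100.7", 51000)
IMG = ("192.0.2.10", 80, "198.51.100.7", 51001)
CAPTURE = [
    Segment(WEB, 1000, b"HTTP/1.1 200 OK\r\n\r\n<script src=//injector.example/a.js>", 59, 0.010),
    Segment(WEB, 1000, b"HTTP/1.1 200 OK\r\n\r\n<img src=/badge.png alt=certified>", 52, 0.024),
    Segment(IMG, 5000, b"\x89PNG data", 52, 0.030),
    Segment(IMG, 5000, b"\x89PNG data", 52, 0.230),   # plain retransmission, identical bytes
]

if __name__ == "__main__":
    for accepted, dropped in find_conflicts(CAPTURE):
        print(accepted.flow, "seq", accepted.seq,
              "ttl", accepted.ttl, "vs", dropped.ttl,
              "gap_ms", round((dropped.t - accepted.t) * 1000))
```

An ordinary retransmission repeats the same bytes and is not flagged; a TTL mismatch between the two segments is a hint that they came from different hosts, not proof.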

That’s a new way to spread malware, something Nakibly describes as an "out-of-band attack." Since those packets can be sent from anywhere in the network, the attack can be far more versatile and harder to detect than a traditional man-in-the-middle attack. In the case of the gambling association — the first and only US-based hack Nakibly detected — that let a single attack go on for months before it was fixed.

Nakibly’s research also turned up 10 similar attacks in China, either injecting malware or advertisements. Chinese entrepreneurs have a long history of subverting infrastructure to inject ads — most notably using fake cell towers — although the details of those attacks are less clear. Nakibly also discovered advertising injections in Malaysia, and a case in India involving the content-filtering tool Netsweeper.

In the GPWA case, the compromise seems to have taken place on the local network run by Information Technology Systems, which hosts GPWA.org and runs the infrastructure that connects them to the broader internet. The group only targeted visitors who arrived on the site through a Google search and only attacked each IP address once, making it particularly hard for researchers to replicate the attack.

The biggest mystery is who initiated the attack, but Corfman has some suspicions about who might be capable of such a hack. In June of last year, the owners of the online casino affiliate networks Affactive and RevenueJet were indicted for "cyberattacks against other internet gambling businesses to steal customer information, secretly review executives’ emails and cripple rival businesses," along with hacks of major US banks and charges of stock manipulation. The trial is still ongoing, and the defendants did not respond to a request for comment.

Corfman had encountered the group in a previous affiliate link attack, and now believes they may be connected to both attacks. The cyberattacks alleged in the indictment were taking place during the same months that GPWA was being attacked and targeting the same kind of online businesses. There’s no hard proof of the group’s involvement, but in light of the claims in the indictment, Corfman believes they were one of the few groups that could engineer such an attack.

"It’s well established now what they were willing to do as an organization," Corfman says, "but at the time we didn’t know that."