Last week we observed that the Donbot botnet changed its spam campaign to one promoting online casinos. The barrage of Fake AV spam we saw coming out of Donbot suddenly stopped, and within 15 minutes we started receiving this new campaign.
The theme of the campaign is not entirely new, as it is one we have seen for over a year on and off in our spam traps. It is designed to encourage the reader to gamble money on roulette with what is presented as a ‘winning strategy’. Conveniently, a link to an online casino is provided to the user in order to use this strategy and make ‘easy money’.
Following the link in the message leads to a splash page where clicking any button on the page (including the language flags at the top) starts a download of Casino-Online.exe.
The WHOIS information for the casino domain shows it was registered through namecheap.com on 24 May 2011. So if there was any doubt about the legitimacy of this casino, a domain registered only days before being spammed out is strong evidence that it is in fact an illegitimate operation. The domains that lead to the casino software change regularly and are spammed out fresh.
Downloading the Casino-Online.exe binary and scanning it with VirusTotal.com gave 4 detections out of 42 antivirus engines, under the names “RealTimeGaming”, “CasOnline”, “Artemis!B7E6F50C181D” and “W32/Malware.SWHU”.
When we ran Casino-Online.exe in our environment and set up an account, no unusual outbound traffic was seen. While it may not be malware in the traditional sense, it is certainly operating in a highly dubious fashion. We normally advise against clicking links in spam messages; downloading and executing arbitrary executables from them is a definite no-no.
The information gathered during the account creation process is quite thorough, as shown below, which is also concerning given how that data could be collected and reused for future spam campaigns, or sold:
For those who may find the gambling strategy outlined in the spam message appealing, bear in mind that this is advertising for a dubious casino, so something must keep the odds in the house's favor. Because this is an online casino, it is very difficult to verify the game logic and how ‘random’ the results of its games actually are. Given that the operators are happy to advertise through illegal spam, it is easy to imagine them taking other shady liberties with their practices.
As an aside, the strategy outlined in the email piqued our gambling curiosity, so we wrote a little Python script to test how the strategy actually performs. The script can be viewed and executed in an online Python interpreter here: http://www.ideone.com/xEEcU
Assuming the casino isn't rigged, the odds are still stacked in favor of the house. Despite the description in the spam message, the odds for Red/Black in roulette are not 50/50: on a single-zero wheel they are 48.6/48.6/2.7, the 2.7% being the green 0 that is also on the wheel. This means that whether you bet red or black, you have a 51.4% chance of losing each spin. That may seem a small edge, but no betting progression changes it: every spin still loses 1/37 of the stake on average, and a progression only trades many small wins for rare, very large losses. Given enough time, the casino will come out on top. Using the strategy outlined in the spam message of multiplying the bet by 2.5 after every loss, and starting from a $1 bet, 10 losses in a row cost more than $6,000 and 13 losses in a row just shy of $100,000. Without an unlimited bankroll (and a table with no maximum bet) you will surely come to grief at some point.
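The following script is an added example written for this post, not the one linked above, to show both sides of the argument in code: the exact cost and probability of a losing streak under the 2.5x progression, and a Monte Carlo run of many sessions on a single-zero wheel. The $100 bankroll, $1 opening bet, 200 spins per session and betting on red are our assumptions, not details from the spam message.

```python
"""Simulate the 'multiply the bet by 2.5 after every loss' roulette progression.

Added example; the wheel is a European single-zero wheel (0 plus 1-36), the
bankroll, opening bet and session length are assumptions chosen for illustration.
"""
import random

POCKETS = 37              # 0 plus 1..36
RED_POCKETS = 18          # 18 red, 18 black, 1 green zero
P_WIN = RED_POCKETS / POCKETS
P_LOSE = 1 - P_WIN        # 19/37, about 51.4%


def cumulative_loss(start_bet, multiplier, losses):
    """Total staked and lost after `losses` consecutive losing spins (a geometric series)."""
    return sum(start_bet * multiplier ** k for k in range(losses))


def losing_streak_probability(losses):
    """Probability of losing `losses` even-money bets in a row on a single-zero wheel."""
    return P_LOSE ** losses


def play_session(bankroll, start_bet=1.0, multiplier=2.5, spins=200, rng=None):
    """Bet on red for up to `spins` spins following the progression.

    Returns (final_bankroll, busted). The player is busted when the next scheduled
    bet exceeds what is left; play stops at that point (assumed rule).
    """
    rng = rng or random.Random()
    bet = start_bet
    for _ in range(spins):
        if bet > bankroll:
            return bankroll, True
        bankroll -= bet
        pocket = rng.randrange(POCKETS)        # 0 = zero, 1..18 = red, 19..36 = black
        if 1 <= pocket <= RED_POCKETS:
            bankroll += 2 * bet                # even-money payout: stake back plus winnings
            bet = start_bet                    # reset after a win
        else:
            bet *= multiplier                  # the spam message's progression
    return bankroll, False


def run_trials(trials=2000, bankroll=100.0, seed=1):
    """Play many independent sessions with a seeded RNG and summarise the outcome."""
    rng = random.Random(seed)
    finals, busts = [], 0
    for _ in range(trials):
        final, busted = play_session(bankroll, rng=rng)
        finals.append(final)
        busts += busted
    return {
        "start": bankroll,
        "mean_final": sum(finals) / trials,
        "bust_rate": busts / trials,
    }


if __name__ == "__main__":
    for n in (5, 10, 13):
        print(f"{n} losses in a row: cost ${cumulative_loss(1, 2.5, n):,.2f}, "
              f"probability 1 in {1 / losing_streak_probability(n):,.0f}")
    print(run_trials())
```

The streak figures match the arithmetic in the paragraph above (10 losses cost just over $6,357 from a $1 start, 13 just over $99,340), and the simulation's mean final bankroll comes out below the starting bankroll because the 1/37 house edge applies to every spin regardless of how the stakes are sized.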
M86 MailMarshal customers were protected against this campaign from the moment it began.