MGM reportedly refused to pay a ransom, resulting in an estimated $100 million in losses and roughly 10 days of system outages affecting reservations, slot machines, room keys and websites. Caesars, in contrast, was reported by the Wall Street Journal to have paid $15 million of a $30 million ransom demand and experienced less operational disruption.
I was in Las Vegas when this happened, though we had no idea that day that this is what was happening. My wife and I went to get tickets to the Titanic exhibit at the Luxor and they said "our computers systems are down, we can only take cash". I had cash, and they sold us the tickets for extremely cheap.
Long story short, I've always felt like I stole from the casino that day too! :-)
Cyberpunk robin hood
I was on call when that happened. Absolute nightmare for a few weeks and most of the team didn't sleep for days. I hold no grudge but the business thinks differently for sure. Cheers to those guys because the way they got access and made it through was very clever after the social engineering part.
It’s cool to hear from someone who was on the front lines. I want to ask vague questions like “what was everyone’s initial reaction like?” or “how urgent was the call when you got it?” but mostly I’d just like to hear more of whatever you’d like to talk about.
It's like being behind a McDonald's fry station when suddenly a thousand people show up for lunch. So sort of like a prank video.
Now the real question is why do prank videos mesmerize people?
The chimp troupe handles randomness and unpredictability, with the 3 inch chimp brain whose hardware hasn't been updated in 100K years, only one way - tell stories. It's our randomness handling hack.
The stories break down all the time.
> In 2023, hackers used vishing (voice phishing) to impersonate employees and gain access to the internal systems of MGM Resorts International and Caesars Entertainment on the Las Vegas Strip, causing hundreds of millions of dollars in financial losses.
First time I’ve heard the term “vishing” to describe the attack we’ve all seen coming.
Phishing (Email), Smishing (SMS/Text Messages), and Vishing (Voice) are all standard industry terms, though obviously phishing is most well known.
Then there's even subcategories that further define some of these, like Spear Phishing, Whaling.
The industry loves its fun naming.
"Phishing" isn't limited to email
That’s lucky. Putting ‘ishing’ on the end of something email related doesn’t work very well.
That's not my understanding, or Wikipedia's [1] understanding, of the term. Phishing is the general category of tricking people into telling you things they shouldn't. Email phishing, voice phishing (vishing), SMS phishing, and so on are subcategories.
[1] https://en.wikipedia.org/wiki/Phishing
Etymologically "phreak" and "fishing" both have nothing to do with email, "phreak" is "phone freak" and I believe it originally described messing with the tones that controlled the telephone system...
That’s my exact point. Just because you repeatedly see it used a certain way by non-practitioners to generalize for simplified communication doesn’t mean it’s the correct usage, and leads to the exact confusion I’m attempting to clarify for you.
Phishing is by default email. Its varying mediums are subcategories.
Bottom paragraph of first section of the very same Wikipedia article.
“Phishing techniques and vectors include email spam, vishing (voice phishing), targeted phishing (spear phishing, whaling), smishing (SMS), quishing (QR code), cross-site scripting, and MiTM 2FA attacks.”
Phishing is not by default email
Never heard of vishing. I’m in the industry.
Wrong industry. It is primarily the "sell anti-phishing training to enterprise employees" industry that uses these terms.
I worked in an anti-phishing / brand protection firm back in 2012 and we had vishing and smishing terminology baked into the projects back then.
Why is it not emishing with email?
> Smishing
uh that's something completely different (and not Monty Python)
social engineering is as old as hacking itself
That was Mitnick’s specialty, and he was hacking before the Web.
The Art of Deception was one of my favorite books when it came out.
In my day we used to call it "social engineering".
“human hacking”
If a hastily organized band of teenagers can pull this off, you have to wonder what APTs are capable of.
Reinvested (into more crime)
It should be illegal to pay a ransom to cyber criminals: every time it happens you're increasing the incentives for these activities and you're making it more likely to happen again in the future. If it's illegal, these groups would feel less attracted to attacking companies, because they know they wouldn't be compensated for it.
Seems obvious to me too, but then again, if we went with coordinating for the obvious common good there wouldn't be a casino industry to extort in the first place.
But what if cyber criminals planted a bomb and are demanding a ransom, and Jack Bauer can't defuse it in time?
What's the end result? Prosecuting the victim of a cybercrime for paying a ransom?
The end result is less cybercrime and thus fewer victims.
The way you get there is prosecuting the victims of cybercrime for paying a ransom, if any are stupid enough to break the law.
Alternatively, reporting of cyber crime craters or is massively delayed.
Right, because it's so easy to hide an outage of that scale.
You're right that the biggies wouldn't really have that option. I'm sure they're not the only ones that get hit by such attacks, though. Smaller and non-public companies would have to think about it.
I'm not even arguing for a specific policy, but I didn't like how the framing of the post was about being "stupid" enough to break the proposed law. It wouldn't be that simple.
How come their IT systems are so bad that a kid in secondary school (thus with no experience) “hacked” into them?
Because they protect against the user. Computer security has evolved: we must milk the user of its data and make sure he doesn't interfere with the milking process.
Likely linked to other recent arrests in the UK: https://www.theregister.com/2025/09/19/scattered_spider_teen...
What always interests me in these types of cases is how do hackers get identified? Aren't they savvy enough to use some sort of proxies to cover their tracks?
It only takes 1 mistaken connection for it all to fall apart.
It only takes 1 mistaken connection for the parallel construction hammer to drop
Subpoenas and cooperating third parties can de-obfuscate proxy chains.
Hack a wifi, connect longer-range radio IoT module, link it to your base, attach it to a firework rocket, hide it in a bush near the target wifi, hack, ???, ignite.
No.
How you know https is compromised...
Access to this page is disabled The law prohibits participation in games of chance organized by unauthorized persons through means of electronic communication.
The authorized organizers of games of chance via means of electronic communication are the State Lottery of Serbia and persons authorized by the Ministry of Finance.
You don't need to break TLS to do IP and domain blocking and redirection.
That said, I'd assume governments have access to root certificates, anyway, but they're only broken out for big investigations or secret dragnet stuff we'll find out about in five decades, if ever.
You don't need to break TLS to do IP/domain blocking, but you can't redirect an https page unless you have an acceptable certificate.
> but they're only broken out for big investigations or secret dragnet stuff we'll find out about in five decades, if ever.
Certificate Transparency, where required, makes certificates unusable if they're not published... But that might not be enough information.
You certainly can, but you should get a big screaming "this site's certificate is not valid for dodgy-casino.games" warning.
If not, then maybe your browser vendor has been pressured to add some root certificate controlled by the Serbian police, which it approves to issue certificates to impersonate dodgy-casino.games.
This is a DNS hijack, not an HTTPS hijack. The ISP's resolver sees "casino.org" in the A/AAAA query, finds it in a blocklist, and responds with an IP address to a web server that serves a block page (or a CNAME thereto).
The HN link is to https:// ... a web browser cannot request the page, and cannot process a redirect unless the server responds with an acceptable certificate. If the server responds with an unacceptable certificate, the browser may ask the user to accept it, in which case the browser could connect and issue the request and receive the block or a redirect.
If the user doesn't click through the certificate error, the user will only know it's blocked (or the server is misconfigured), they won't get information on why it's blocked; perhaps details of the certificate might help narrow down the cause of the block or the agency implementing it.
If the user loads the https page and sees "Access to this page is disabled The law prohibits participation in games of chance organized by unauthorized persons through means of electronic communication." as suggested earlier in this thread, and the user did not click through a certificate error, then the MITM must have obtained an acceptable certificate somehow or broken TLS. Since Sep 2024, multi-perspective issuance corroboration has been required by the CA/Browser Forum [1] (and it was a best practice for many years), so DNS takeover in a single country should not be sufficient to establish domain control for certificate issuance.
[1] https://cabforum.org/2024/08/05/ballot-sc067v3-require-domai...
> The HN link is to https:// ...
Ah right, obviously the browser would still try to connect via TLS to the new IP. Not sure why I missed that.
Which is useless if the domain had HSTS enabled, which they should.
HSTS for a domain is trust-on-first-use unless the domain is in the browser's preload list.
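The two comments above (the DNS-hijack-versus-HTTPS-hijack analysis and the HSTS trust-on-first-use point) describe a decision the browser makes on every connection: the hijacked resolver answer gets the client to a block-page server, but the page is only shown if the certificate presented is valid for the requested hostname, or if the user clicks through a warning, and HSTS removes the click-through. The following is an added example that models that decision; it is not code from the thread or from any browser. The resolver, zone, blocklist, the `block.example` certificate name and the 192.0.2.x / 198.51.100.x addresses are all constructed, and the hostname matching follows the RFC 6125 wildcard rules (one wildcard, left-most label only, matching exactly one label).

```python
"""Model of how a DNS blocklist hijack interacts with TLS hostname
validation and HSTS. All hosts, addresses and certificates are constructed
for illustration (RFC 5737 documentation ranges, .example names)."""
from dataclasses import dataclass, field

# Constructed data: the "real" zone and an ISP-style resolver blocklist.
REAL_ZONE = {"casino.org": "198.51.100.10"}
BLOCKLIST = {"casino.org"}
BLOCK_PAGE_IP = "192.0.2.1"          # address of the block-page web server


def resolve(name, blocklist=BLOCKLIST, zone=REAL_ZONE):
    """Return the A record a client receives. Names on the blocklist are
    answered with the block-page address instead of the real one; this is
    the DNS hijack, which needs no access to TLS at all."""
    if name in blocklist:
        return BLOCK_PAGE_IP
    return zone.get(name)


def hostname_matches(hostname, san):
    """RFC 6125-style comparison of a requested hostname against a single
    dNSName SAN entry. A wildcard is only honoured as the entire left-most
    label and matches exactly one label: '*.example.com' matches
    'a.example.com' but neither 'example.com' nor 'a.b.example.com'."""
    hostname = hostname.lower().rstrip(".")
    san = san.lower().rstrip(".")
    if not san.startswith("*."):
        return hostname == san
    h_labels = hostname.split(".")
    s_labels = san.split(".")
    return len(h_labels) == len(s_labels) and h_labels[1:] == s_labels[1:]


def certificate_valid_for(hostname, cert_sans):
    """True if any SAN on the presented certificate covers the hostname the
    user typed (what the browser checks regardless of which IP DNS gave)."""
    return any(hostname_matches(hostname, san) for san in cert_sans)


@dataclass
class Browser:
    hsts_hosts: set = field(default_factory=set)    # learned on first use
    hsts_preload: set = field(default_factory=set)  # shipped with the browser


def record_hsts(browser, hostname, response_headers):
    """Trust-on-first-use: a host becomes HSTS-enforced only after the browser
    has seen Strict-Transport-Security on an earlier, successfully validated
    HTTPS response. A host that is preloaded needs no prior visit."""
    if "strict-transport-security" in {k.lower() for k in response_headers}:
        browser.hsts_hosts.add(hostname)


def fetch(browser, hostname, cert_sans, user_clicks_through=False):
    """Simulate an https:// navigation and return (ip_connected_to, outcome)."""
    ip = resolve(hostname)
    if certificate_valid_for(hostname, cert_sans):
        # Only reachable if the block server holds a certificate that chains
        # to a trusted root for this name: mis-issuance or a trusted
        # interception root, i.e. the "broken TLS" case in the thread.
        return ip, "block page rendered: certificate valid for hostname"
    enforced = hostname in browser.hsts_hosts or hostname in browser.hsts_preload
    if enforced:
        return ip, "hard failure: HSTS forbids bypassing the certificate error"
    if user_clicks_through:
        return ip, "block page rendered after certificate warning"
    return ip, "certificate warning shown; page not loaded"


if __name__ == "__main__":
    b = Browser()
    print(fetch(b, "casino.org", ["block.example"]))
    print(fetch(b, "casino.org", ["block.example"], user_clicks_through=True))
    record_hsts(b, "casino.org", {"Strict-Transport-Security": "max-age=31536000"})
    print(fetch(b, "casino.org", ["block.example"], user_clicks_through=True))
    print(fetch(Browser(), "casino.org", ["*.casino.org"]))
    print(fetch(Browser(), "casino.org", ["casino.org"]))
```

Note that the wildcard case in the last lines shows why `*.casino.org` on the block server's certificate would still not rescue the hijack for the apex name, and that the only path to a silently rendered block page is a certificate that validates for the exact hostname.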
> One count of conspiracy to commit extortion
How can it be a planned conspiracy if only one person was involved? US law is so weird when it comes to bogus charges just to blow up the case artificially.
Is the offender a person with multiple identity disorder or what's the reasoning here?
I know of a guy who got nailed with "armed robbery" because he stole a gun from the glove compartment of an unoccupied car that he had broken into. All a prosecutor wants to do is screw somebody as hard as possible and win the case.
Seems appropriate to me. Person was holding a gun while doing a robbery which greatly amplifies the danger inherent in the crime they were doing.
On the flip side, I knew someone who interrupted a car burglary and was murdered by the burglar. Imagine what might happen if someone came upon the guy you know of who was doing a robbery while holding a stolen gun?
The person you knew made a lot of choices that led to this, any of which had they not chosen to do would have led to not being an armed robber: don't do a robbery, don't steal a gun, don't do a robbery while holding a gun.
IANAL, but my understanding is that breaking into an unoccupied car isn't robbery (but it might be theft and/or criminal damage). Wouldn't being convicted of armed robbery without committing a robbery be a serious injustice?
He stole the gun, so it was robbery. I feel like an armed robbery is one where you bring a weapon, which makes the robbery more dangerous. This guy was looking for cash and found a gun, so "armed robbery." The comment above claiming that the charge is justified does make sense, but I disagree with it. I'm also not a lawyer.
What I mean is that if no victim was present there couldn't have been the violence or threat of violence necessary to turn the theft/larceny into robbery:[0]
> Robbery, in turn, was simply a "compound" form of larceny. For Blackstone, "compound larciny is such as has all the properties of former, but is accompanied with one of, or both, the aggravations of a taking from one's house or person," id. at *240, and "[l]arciny from the person is either privately stealing; or by open and violent assault, which is usually called robbery,"
I'm not really making a judgement about the rights and wrongs of the actual case (because I'm not only not a lawyer, but also not a witness, juror, etc.), but as described it doesn't sound like robbery at all.
[0] https://web.archive.org/web/20060903163713/http://docket.med...
> Cybersecurity experts have attributed the attacks to a loosely organized hacker group known as Scattered Spider, which also operates under aliases such as Octo Tempest, UNC3944 and 0ktapus3.
I’m almost positive ripping off a casino isn’t a crime. I’d be demanding a jury trial for sure.
Statistically, the jury will be made of people that lost money at a casino, know they’re a financial scam or have some moral disagreement with them.
Orrrr it might be people who work in casinos/tourism and don’t feel great about someone extorting their employer.
TBH I would not hold a grudge against anyone extorting my employer.
Legal: using your brain. Illegal: devices, collusion, past-posting, edge-sorting with marked cards. Juries know the difference.
Jurors also know that casinos aren't innocent victims, but great sources of societal harm.
Do they? Most people don't seem to know that.