Teen suspect surrenders in 2023 Las Vegas casino cyberattack case (casino.org)
59 points by campuscodi 16 hours ago | 58 comments
trvr 14 hours ago | parent | next [-]

I was in Las Vegas when this happened, though we had no idea that day that this is what was happening. My wife and I went to get tickets to the Titanic exhibit at the Luxor and they said "our computers systems are down, we can only take cash". I had cash, and they sold us the tickets for extremely cheap.

Long story short, I've always felt like I stole from the casino that day too! :-)

gddgb 13 hours ago | parent [-]

[dead]

james_marks 14 hours ago | parent | prev | next [-]

> In 2023, hackers used vishing (voice phishing) to impersonate employees and gain access to the internal systems of MGM Resorts International and Caesars Entertainment on the Las Vegas Strip, causing hundreds of millions of dollars in financial losses.

First time I’ve heard the term “vishing” to describe the attack we’ve all seen coming.

wrayjustin 14 hours ago | parent | next [-]

Phishing (Email), Smishing (SMS/Text Messages), and Vishing (Voice) are all standard industry terms, though obviously phishing is most well known.

Then there's even subcategories that further define some of these, like Spear Phishing, Whaling.

The industry loves its fun naming.

airstrike 13 hours ago | parent | next [-]

"Phishing" isn't limited to email

lostlogin 10 hours ago | parent | next [-]

That’s lucky. Putting ‘ishing’ on the end of something email related doesn’t work very well.

jerrythegerbil 12 hours ago | parent | prev [-]

[flagged]

gpm 12 hours ago | parent [-]

That's not my understanding, or Wikipedia's [1] understanding, of the term. Phishing is the general category of tricking people into telling you things they shouldn't. Email phishing, voice phishing (vishing), SMS phishing, and so on are subcategories.

[1] https://en.wikipedia.org/wiki/Phishing

Etymologically "phreak" and "fishing" both have nothing to do with email, "phreak" is "phone freak" and I believe it originally described messing with the tones that controlled the telephone system...

jerrythegerbil 2 hours ago | parent [-]

That’s my exact point. Just because you repeatedly see it used a certain way by non-practitioners to generalize for simplified communication doesn’t mean it’s the correct usage, and leads to the exact confusion I’m attempting to clarify for you.

Phishing is by default email. Its varying mediums are subcategories.

Bottom paragraph of first section of the very same Wikipedia article.

“Phishing techniques and vectors include email spam, vishing (voice phishing), targeted phishing (spear phishing, whaling), smishing (SMS), quishing (QR code), cross-site scripting, and MiTM 2FA attacks.”

airstrike an hour ago | parent [-]

Phishing is not by default email

Ekaros 2 hours ago | parent | prev | next [-]

Why is it not emishing with email?

mmaunder 11 hours ago | parent | prev | next [-]

Never heard of vishing. I’m in the industry.

saithound 9 hours ago | parent [-]

Wrong industry. It is primarily the "sell anti-phishing training to enterprise employees" industry that uses these terms.

6 hours ago | parent [-]

[deleted]

Razengan 4 hours ago | parent | prev [-]

> Smishing

uh that's something completely different (and not Monty Python)

electroglyph 14 hours ago | parent | prev | next [-]

social engineering is as old as hacking itself

ChrisMarshallNY 14 hours ago | parent [-]

That was Mitnick’s specialty, and he was hacking before the Web.

AstroNutt 10 hours ago | parent [-]

The Art of Deception was one of my favorite books when it came out.

StanislavPetrov 10 hours ago | parent | prev [-]

In my day we used to call it "social engineering".

Barbing 9 hours ago | parent [-]

“human hacking”

betsor 13 hours ago | parent | prev | next [-]

I was on call when that happened. Absolute nightmare for a few weeks and most of the team didn't sleep for days. I hold no grudge but the business thinks differently for sure. Cheers to those guys because the way they got access and made it through was very clever after the social engineering part.

sillysaurusx 12 hours ago | parent [-]

It’s cool to hear from someone who was on the front lines. I want to ask vague questions like “what was everyone’s initial reaction like?” or “how urgent was the call when you got it?” but mostly I’d just like to hear more of whatever you’d like to talk about.

joules77 12 hours ago | parent [-]

It's like being behind a McDonald's fry station when suddenly a thousand people show up for lunch. So sort of like a prank video.

Now the real question is why do prank videos mesmerize people?

The chimp troupe handles randomness and unpredictability, with the 3 inch chimp brain whose hardware hasn't been updated in 100K years, only one way - tell stories. It's our randomness handling hack.

The stories break down all the time.

3eb7988a1663 12 hours ago | parent | prev | next [-]

> MGM reportedly refused to pay a ransom, resulting in an estimated $100 million in losses and roughly 10 days of system outages affecting reservations, slot machines, room keys and websites. Caesars, in contrast, was reported by the Wall Street Journal to have paid $15 million of a $30 million ransom demand and experienced less operational disruption.

So what happened to the $15 million?

Barbing 9 hours ago | parent [-]

Reinvested (into more crime)

ipnon 14 hours ago | parent | prev | next [-]

If a hastily organized band of teenagers can pull this off, you have to wonder what APTs are capable of.

Lucasoato 8 hours ago | parent | prev | next [-]

It should be illegal to pay a ransom to cyber criminals, every time it happens you’re increasing the incentives for these activities and you’re making it more likely to happen again in the future. If it’s illegal, these groups would feel less attracted to attack companies, because they know they wouldn’t be compensated for it.

vintermann 6 hours ago | parent | next [-]

Seems obvious to me too, but then again, if we went with coordinating for the obvious common good there wouldn't be a casino industry to extort in the first place.

hiatus 5 hours ago | parent | prev [-]

What's the end result? Prosecuting the victim of a cybercrime for paying a ransom?

jackgavigan 8 hours ago | parent | prev | next [-]

Likely linked to other recent arrests in the UK: https://www.theregister.com/2025/09/19/scattered_spider_teen...

IlikeMadison 9 hours ago | parent | prev | next [-]

What always interests me in these types of cases is how do hackers get identified? Aren't they savvy enough to use some sort of proxies to cover their tracks?

immibis 8 hours ago | parent | next [-]

No.

squigz 8 hours ago | parent | prev [-]

It only takes 1 mistaken connection for it all to fall apart.

Scoundreller 7 hours ago | parent [-]

It only takes 1 mistaken connection for the parallel construction hammer to drop

aborsy 9 hours ago | parent | prev | next [-]

How come their IT systems are so bad that a kid in secondary school (thus with no experience) “hacked” into them?

hulitu 3 hours ago | parent [-]

Because they protect against the user. Computer security has evolved: we must milk the user of its data and make sure he doesn't interfere with the milking process.

DarkmSparks 10 hours ago | parent | prev | next [-]

How you know https is compromised...

Access to this page is disabled The law prohibits participation in games of chance organized by unauthorized persons through means of electronic communication.

The authorized organizers of games of chance via means of electronic communication are the State Lottery of Serbia and persons authorized by the Ministry of Finance.

heavyset_go 10 hours ago | parent [-]

You don't need to break TLS to do IP and domain blocking and redirection.

That said, I'd assume governments have access to root certificates, anyway, but they're only broken out for big investigations or secret dragnet stuff we'll find out about in five decades, if ever.

toast0 9 hours ago | parent [-]

You don't need to break TLS to do IP/domain blocking, but you can't redirect an https page unless you have an acceptable certificate.

> but they're only broken out for big investigations or secret dragnet stuff we'll find out about in five decades, if ever.

Certificate Transparency, where required, makes certificates unusable if they're not published... But that might not be enough information.

vintermann 5 hours ago | parent | next [-]

You certainly can, but you should get a big screaming "this site's certificate is not valid for dodgy-casino.games" warning.

If not, then maybe your browser vendor has been pressured to add some root certificate controlled by the Serbian police, which it approves to issue certificates to impersonate dodgy-casino.games.

10000truths 9 hours ago | parent | prev [-]

This is a DNS hijack, not an HTTPS hijack. The ISP's resolver sees "casino.org" in the A/AAAA query, finds it in a blocklist, and responds with an IP address to a web server that serves a block page (or a CNAME thereto).

michaelmcmillan 8 hours ago | parent [-]

Which is useless if the domain had HSTS enabled, which they should.

10000truths an hour ago | parent [-]

HSTS for a domain is trust-on-first-use unless the domain is in the browser's preload list.
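
The DNS-block, HSTS and preload points in the sub-thread above can be worked through with a small model of a browser's HSTS store. This is an added example, not code from any commenter or browser; the `.example` hostnames, the preload entry and the outcome labels are constructed, and preload entries are assumed to cover subdomains.

```javascript
// Added example: simplified model of a browser's HSTS decision (RFC 6797).
// Hostnames, the preload entry and the outcome strings are constructed.
function parseSts(header) {
  const out = { maxAge: null, includeSubDomains: false };
  for (const part of header.split(";")) {
    const [name, value = ""] = part.trim().split("=");
    const key = name.trim().toLowerCase();
    const digits = value.trim().replace(/^"|"$/g, "");
    if (key === "max-age" && /^\d+$/.test(digits)) out.maxAge = Number(digits);
    if (key === "includesubdomains") out.includeSubDomains = true;
  }
  return out.maxAge === null ? null : out; // max-age is a required directive
}

class HstsStore {
  constructor(preloaded = []) {
    this.preload = new Set(preloaded); // shipped with the browser
    this.dynamic = new Map();          // learned on an earlier visit
  }
  // The header is honored only on an HTTPS response with a valid certificate.
  note(host, header, nowSec, validHttps) {
    const p = validHttps ? parseSts(header) : null;
    if (!p) return;
    if (p.maxAge === 0) this.dynamic.delete(host);
    else this.dynamic.set(host, { expires: nowSec + p.maxAge, sub: p.includeSubDomains });
  }
  isHsts(host, nowSec) {
    const labels = host.split(".");
    for (let i = 0; i < labels.length - 1; i++) { // host, then each parent domain
      const name = labels.slice(i).join(".");
      if (this.preload.has(name)) return true;
      const e = this.dynamic.get(name);
      if (e && e.expires > nowSec && (i === 0 || e.sub)) return true;
    }
    return false;
  }
}

// What the user sees when the resolver answers with a block server's address.
function navigateUnderDnsBlock(url, store, nowSec) {
  const { protocol, hostname } = new URL(url);
  // Known HSTS host: http is upgraded and the certificate error cannot be bypassed.
  if (store.isHsts(hostname, nowSec)) return "cert-error-no-bypass";
  return protocol === "http:" ? "block-page-shown" : "cert-warning-bypassable";
}
```

A host with no cached or preloaded policy gets the block page over plain HTTP on first visit, which is the trust-on-first-use gap; once a policy is cached or preloaded, the same DNS answer produces a hard certificate failure instead.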

9 hours ago | parent | prev | next [-]

[deleted]

cookiengineer 10 hours ago | parent | prev | next [-]

> One count of conspiracy to commit extortion

How can it be a planned conspiracy if only one person was involved? US law is so weird when it comes to bogus charges just to blow up the case artificially.

Is the offender a person with multiple identity disorder or what's the reasoning here?

MathMonkeyMan 10 hours ago | parent | next [-]

I know of a guy who got nailed with "armed robbery" because he stole a gun from the glove compartment of an unoccupied car that he had broken into. All a prosecutor wants to do is screw somebody as hard as possible and win the case.

bagels 8 hours ago | parent [-]

Seems appropriate to me. Person was holding a gun while doing a robbery which greatly amplifies the danger inherent in the crime they were doing.

On the flip side, I knew someone who interrupted a car burglary and was murdered by the burglar. Imagine what might happen if someone came upon the guy you know of who was doing a robbery while holding a stolen gun?

The person you knew made a lot of choices that led to this, any of which had they not chosen to do would have led to not being an armed robber: don't do a robbery, don't steal a gun, don't do a robbery while holding a gun.

lambertsimnel 8 hours ago | parent [-]

IANAL, but my understanding is that breaking into an unoccupied car isn't robbery (but it might be theft and/or criminal damage). Wouldn't being convicted of armed robbery without committing a robbery be a serious injustice?

MathMonkeyMan 7 hours ago | parent [-]

He stole the gun, so it was robbery. I feel like an armed robbery is one where you bring a weapon, which makes the robbery more dangerous. This guy was looking for cash and found a gun, so "armed robbery." The comment above claiming that the charge is justified does make sense, but I disagree with it. I'm also not a lawyer.

lambertsimnel 6 hours ago | parent [-]

What I mean is that if no victim was present there couldn't have been the violence or threat of violence necessary to turn the theft/larceny into robbery:[0]

> Robbery, in turn, was simply a "compound" form of larceny. For Blackstone, "compound larciny is such as has all the properties of former, but is accompanied with one of, or both, the aggravations of a taking from one's house or person," id. at *240, and "[l]arciny from the person is either privately stealing; or by open and violent assault, which is usually called robbery,"

I'm not really making a judgement about the rights and wrongs of the actual case (because I'm not only not a lawyer, but also not a witness, juror, etc.), but as described it doesn't sound like robbery at all.

[0] https://web.archive.org/web/20060903163713/http://docket.med...

ascorbic 9 hours ago | parent | prev [-]

> Cybersecurity experts have attributed the attacks to a loosely organized hacker group known as Scattered Spider, which also operates under aliases such as Octo Tempest, UNC3944 and 0ktapus3.

tehwebguy 14 hours ago | parent | prev [-]

I’m almost positive ripping off a casino isn’t a crime. I’d be demanding a jury trial for sure.

Scoundreller 12 hours ago | parent | next [-]

Statistically, the jury will be made of people that lost money at a casino, know they’re a financial scam or have some moral disagreement with them.

evan_ 10 hours ago | parent [-]

Orrrr it might be people who work in casinos/tourism and don’t feel great about someone extorting their employer.

LtWorf 9 hours ago | parent [-]

TBH I would not hold a grudge to anyone extorting my employer.

era37 14 hours ago | parent | prev [-]

Legal: using your brain. Illegal: devices, collusion, past-posting, edge-sorting with marked cards. Juries know the difference.

closewith 9 hours ago | parent [-]

Jurors also know that casinos aren't innocent victims, but great sources of societal harm.

immibis 8 hours ago | parent [-]

Do they? Most people don't seem to know that.