The relationship between the various TDS and DNS associated with Vigorish Viper and the final landing experience for the user
A Chinese organized crime syndicate linked to money laundering and human trafficking across Southeast Asia is using a sophisticated "technology suite" that spans the full cybercrime supply chain to spearhead its operations.
Infoblox is tracking the proprietor and maintainer of that suite under the moniker Vigorish Viper, noting that it was developed by the Yabo Group (aka Yabo Sports), which has been linked to illegal gambling and pig butchering scams in the past. It was renamed Kaiyun Sports in late 2022 and has since been absorbed by another newly formed organization called Ponymuah.
Marketed in China as "baowang" ("包网", meaning full package), the bundle includes components such as Domain Name System (DNS) configurations, website hosting, payment mechanisms, advertising and mobile apps. It also hosts thousands of domain names and many brands on infrastructure connected to Hong Kong and China.
The business model relies on securing sponsorships of European football clubs through front companies or white-label brands and using them as a "force multiplier" to advertise illegal gambling sites in the region and attract more punters. It was reported in July 2023 that the logos of betting companies appeared 3,500 times during a single televised soccer match.
Yabo, Ponymuah and other related offshoots such as OB (aka OBGM), DB Gaming, Panda Sports, KM Gaming and Smart King Games (SKG) are all part of the extensive Vigorish Viper network, highlighting the confusing and murky ownership of the gambling companies and the painstaking steps taken to evade scrutiny.
It is not just English football clubs involved in this sponsorship as the investigation revealed that cricket and kabaddi teams in India have also entered into similar sponsorship deals to advertise Vigorish Viper brands.
"Vigorish Viper operates a vast network of more than 170,000 active domain names, evading detection and law enforcement through sophisticated use of DNS CNAME traffic distribution systems," Infoblox researchers Maël Le Touz, Jacques Portal, Renée Burton, and Elena Puga said in an exhaustive report shared with The Hacker News.
"In addition to gambling, Vigorish Viper's CNAME TDSes (Traffic Distribution Systems) serve illegal streaming and pornographic sites. Some of the domains used for streaming are long-registered domains that Vigorish Viper took over after the original registration expired."
Burton, vice president of threat intelligence at Infoblox, described the threat as “one of the most complex and significant digital security threats” discovered to date.
An overview of the Vigorish Viper sports sponsorship scheme
“Vigorish Viper has created a complex infrastructure with multiple layers of Traffic Distribution Systems (TDS) using DNS CNAME records and JavaScript, making it incredibly difficult to detect,” Burton said in a statement. “These systems are augmented by their own encrypted communications and specially designed programs, making their activities not only elusive, but extremely persistent.”
This entails using DNS CNAME records to redirect traffic from one domain to another, a method previously adopted by other DNS threat actors such as Savvy Seahorse. In addition, the system is able to distinguish between residential, mobile and commercial IP addresses in China, so that different visitor types can be steered to different landing pages.
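The layered CNAME structure described above is something a defender can hunt for in passive DNS data: many unrelated brand apexes whose CNAME chains all converge on a few shared hub names. The script below is an added illustration of that detection idea, not Infoblox's tooling or anything from the report. Every domain name in it is constructed (the `.example` TLD is reserved for documentation), and the record table stands in for a passive-DNS export.

```python
"""Find CNAME traffic-distribution hubs in a set of CNAME records.

Added example, not code from the Infoblox report. Given qname -> target CNAME
pairs, follow each chain to its terminal name and group the chain start points
(the customer-facing brand domains) by the hub they land on. A terminal that
collects several otherwise unrelated apexes, reached through two or more
CNAME layers, is a TDS candidate worth investigating.
"""
from collections import defaultdict

# Constructed passive-DNS CNAME records (qname -> target). All names are
# hypothetical; "tds-layer1" and "tds-layer2" model the layered redirection.
CNAME_RECORDS = {
    "www.brand-a-sports.example": "entry.tds-layer1.example",
    "www.brand-b-game.example": "entry.tds-layer1.example",
    "m.brand-b-game.example": "mobile.tds-layer1.example",
    "www.brand-c-bet.example": "cn-entry.tds-layer1.example",
    "entry.tds-layer1.example": "route.tds-layer2.example",
    "mobile.tds-layer1.example": "route.tds-layer2.example",
    "cn-entry.tds-layer1.example": "route.tds-layer2.example",
    "route.tds-layer2.example": "lb.final-hub.example",
    # A legitimate site on a CDN: one apex, one hop, not a hub.
    "www.legit-shop.example": "shop.cdn-provider.example",
    # A CNAME loop, which a naive resolver would spin on.
    "loop-a.example": "loop-b.example",
    "loop-b.example": "loop-a.example",
}

MAX_HOPS = 8  # resolvers give up on long chains; so do we


def apex(name):
    """Crude registrable-domain guess (last two labels); fine for the sample data.
    Real data would use the Public Suffix List."""
    return ".".join(name.rstrip(".").split(".")[-2:])


def follow_chain(name, records=CNAME_RECORDS, max_hops=MAX_HOPS):
    """Follow CNAMEs from `name`. Returns (chain, terminal, status) where
    status is "ok", "loop" or "too-long"; terminal is None unless "ok"."""
    chain = [name]
    seen = {name}
    cur = name
    while cur in records:
        nxt = records[cur]
        if nxt in seen:
            return chain, None, "loop"
        if len(chain) >= max_hops:
            return chain, None, "too-long"
        chain.append(nxt)
        seen.add(nxt)
        cur = nxt
    return chain, cur, "ok"


def find_hubs(records=CNAME_RECORDS, min_apexes=3):
    """Map each terminal name to the distinct apexes that reach it and the
    deepest chain seen; keep only terminals fed by >= min_apexes apexes."""
    targets = set(records.values())
    # Chain starts are names that are never themselves a CNAME target.
    starts = [n for n in records if n not in targets]
    by_terminal = defaultdict(lambda: {"apexes": set(), "max_depth": 0})
    for start in starts:
        chain, terminal, status = follow_chain(start, records)
        if status != "ok":
            continue  # loops and over-long chains are reported separately
        entry = by_terminal[terminal]
        entry["apexes"].add(apex(start))
        entry["max_depth"] = max(entry["max_depth"], len(chain) - 1)
    return {
        t: {"apexes": sorted(e["apexes"]), "max_depth": e["max_depth"]}
        for t, e in by_terminal.items()
        if len(e["apexes"]) >= min_apexes
    }


if __name__ == "__main__":
    for hub, info in find_hubs().items():
        print(f"{hub}: {len(info['apexes'])} apexes, "
              f"chain depth {info['max_depth']}: {', '.join(info['apexes'])}")
    print("loop-a.example:", follow_chain("loop-a.example")[2])
```

On the sample data the only hub reported is `lb.final-hub.example`, reached by three brand apexes through three CNAME hops, while the CDN-hosted shop is ignored and the loop is flagged rather than followed forever. Against real data you would populate the record table from a passive-DNS export or live lookups (for instance with dnspython's `dns.resolver`), raise `min_apexes` to suit the data volume, and treat the hub's nameservers and hosting ASN as the pivot for the next round of investigation.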
Earlier this January, Play the Game, an initiative of the Danish Institute for Sports Studies, uncovered connections between dozens of European soccer clubs and illegal gambling brands that can be traced back to Yabo and that target jurisdictions such as China, where gambling is illegal and treated as organized crime.
The cybercrime also has an offline aspect involving human trafficking. According to the Asian Racing Federation (ARF), people are lured by the promise of high-paying jobs and then coerced into supporting sports betting schemes and promoting pig butchering and other cryptocurrency scams.
"Working in teams of 8-10, some coordinate with live sports commentators and broadcasters (presumably on pirated streams) to promote live chat groups marketing betting websites during games," reads the report (PDF) published by ARF in October 2023. "Others act as relationship managers to encourage customers to continue betting, while others act as direct agents to recruit customers."
The steps between when a user visits the site and starts placing bets
Infoblox said its own investigation into Vigorish Viper stemmed from a single anomalous domain, kb(.)com, a gambling site called KB Sports that uses Chinese nameservers, the same infrastructure that also hosts yabo(.)com, the domain for Yabo Sports.
An interesting aspect to note here is that the website is geo-blocked for users located in France and other European countries, but is accessible from mainland China and the special administrative regions of Hong Kong and Macau.
"When visiting from one of these locations, the user is redirected to another domain, for example, kb830(.)com," the researchers noted. "The redirect domain changes over time. In addition, the site has disabled all 'right-click' functionality, as well as text selection, preventing attempts to explore or copy the site."
Users of the website are then shown advertisements promoting financial incentives for regular betting, along with payment options such as WeChat Pay, EBpay, Alipay, JD Pay, KOIPay, AstroPay, YunShanFu, UniPay, Net Pay, Fast Pay and NetBank. Betting takes place through agents who place bets, manage deposits and communicate with gamblers over custom encrypted chat programs.
A deeper examination of DNS query logs also revealed evidence that Vigorish Viper’s activities extend beyond China and target users around the world.
Other protection mechanisms built into these sites include periodically checking for signs of automated activity and presenting visitors with a CAPTCHA puzzle, both to frustrate crawling attempts and when a visitor tries to contact customer support, which is staffed by real people in East Asia.
That's not all. Users who visit one of Vigorish Viper's branded domains go through several rounds of fingerprint checks to confirm that their IP address is in China and that they are legitimate before they are allowed to bet on the sites.
“Both DNS and software link the entire Vigorish Viper enterprise to Yabo Sports or the Yabo Group,” the company said. “Their reach spans dozens of brands, perhaps hundreds, and targets users outside of Southeast Asia.”
“Despite a vast number of domain names, websites and associated applications, and an overt presence in the public eye, Vigorish Viper operates in the PRC directly and inexplicably without significant consequences.”