## **Scamware Overview**

Casino scamware advertised across social media platforms has become increasingly common. I came across this ad while scrolling through social media. What makes it all the more intriguing is that online casinos are not legal in North Dakota; the state's brick-and-mortar casinos are not permitted to offer online gambling. Clicking the ad leads to `dakotamagic.casino-real.site`, which borrows the name of Dakota Magic (a legitimate brick-and-mortar casino in southeastern North Dakota) as its subdomain. The page is semi-interactive, showing reviews and other information about the application, and when viewed on mobile it closely resembles the Google Play Store.

![[Pasted image 20250908181426.png|400]]

### **DNS Information**

Some quick domain enumeration shows the site was registered through Namecheap, with its name servers on Cloudflare infrastructure. Most notably, the domain was registered earlier this year, which stands out as a red flag.

![[Pasted image 20250908181820.png]]

### **Application Overview**

Digging into the application's general details, it looks fairly enticing. About the Game:

![[Pasted image 20250908181935.png]]

Even with reviews about how much money people are winning:

![[Pasted image 20250908181948.png]]

Once installed, the application appears as an app that can be searched for and launched. It is installed as a Progressive Web Application (PWA): a web application built with standard web technologies that the browser (Edge in this case) registers with the operating system so that it looks and behaves like a native app. Launching the Dakota Magic app exemplifies that app-like experience. Upon launching it, there is a final redirect to cafecasino.lv with a registration page.
![[Pasted image 20250908182004.png|600]]

Initial digging shows cafecasino.lv appears to be a legitimate, if shady, online casino with an established online presence. That begs the question: why is this fake Dakota Magic Casino redirecting to a "legitimate" online casino? My initial theory was that Café Casino itself was doing this, piggybacking on other casinos' names to generate additional online presence.

### **Progressive Web App (PWA) Files**

The PWA for this application consists of XML and .pri files. Looking within the WindowsApps folder, the XML files can be examined for additional information. In particular, AppxManifest.xml holds information about the application and its URLs.

![[Pasted image 20250908182128.png]]

One block of the XML stands out: it shows the URL that is loaded when the application is launched.

![[Pasted image 20251026210815.png]]

This matches the site accessed earlier to install the PWA. A proxy can be set up to observe the requests being made and follow the flow from the initial dakotamagic.casino-real.site to cafecasino.lv.

### **Setting up a Proxy for PWA Applications**

In the Windows proxy settings, the address can be set to the Burp defaults (127.0.0.1:8080). The PWA runs inside Edge, which honours the Windows system proxy by default, so its traffic is captured as well; Burp's CA certificate also needs to be trusted by Windows for the HTTPS traffic to be decrypted.

![[Pasted image 20250908182349.png]]

After launching Burp and the Dakota Magic PWA, a series of web requests is intercepted. Of particular interest are the two POST requests made initially (highlighted in red and yellow), followed by the last GET request (highlighted in green).

![[Pasted image 20250908182414.png]]

POST Request #1

![[Pasted image 20251026210925.png]]

POST Request #2

![[Pasted image 20251026210946.png]]

The two initial POST requests appear to send the application's UUID along with a base64-encoded blob that did not decode to anything readable, so it is likely encrypted or otherwise obfuscated. It may contain things such as location or metadata about the browser/device.
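The two triage steps above, pulling the URLs out of AppxManifest.xml and working out what the base64 blobs in the POST bodies actually contain, as an added Python example (not code from the original write-up). The manifest fragment and the blobs are constructed stand-ins: the element names and the JSON fields are placeholders, not the values from the capture. `extract_urls()` walks every element and attribute rather than assuming a schema, and `triage_blob()` reports whether a blob is JSON, text, gzip/zlib-wrapped, or opaque with near-maximal entropy (the "could not be decoded" case).

```python
"""PWA artifact triage (added example, not the write-up's own code).

extract_urls(): every http(s) URL in an AppxManifest.xml, schema-agnostic.
triage_blob():  what a base64 blob from a request body actually decodes to.
All sample inputs below are constructed for the demo.
"""
import base64
import binascii
import gzip
import json
import math
import re
import xml.etree.ElementTree as ET
import zlib

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed manifest fragment; the real file appears only as a screenshot
# in the write-up, so the attribute/element names here are placeholders.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10">
  <Identity Name="Example.PWA" Publisher="CN=Example" Version="1.0.0.0"/>
  <Applications>
    <Application Id="App" StartPage="https://dakotamagic.casino-real.site/">
      <Description>Installed from https://dakotamagic.casino-real.site/install</Description>
    </Application>
  </Applications>
</Package>
"""


def extract_urls(manifest_xml: str) -> list:
    """Return each http(s) URL found in any attribute or text node, deduplicated,
    in document order. xmlns declarations are not attributes in ElementTree,
    so schema URIs are not reported."""
    root = ET.fromstring(manifest_xml)
    found = []
    for el in root.iter():
        values = list(el.attrib.values())
        if el.text:
            values.append(el.text)
        for value in values:
            for url in URL_RE.findall(value):
                if url not in found:
                    found.append(url)
    return found


def _entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; ~8.0 suggests encrypted, compressed or random."""
    n = len(data)
    if n == 0:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def _classify_text(data: bytes) -> str:
    """'json' if it parses as JSON, 'text' if printable UTF-8, else 'opaque'."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return "opaque"
    if not all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return "opaque"
    try:
        json.loads(text)
        return "json"
    except ValueError:
        return "text"


def triage_blob(blob: str) -> dict:
    """Decode a base64 string (standard or URL-safe alphabet, padding optional)
    and report what it holds. 'kind' is json, text, gzip, zlib, opaque or
    not-base64; for gzip/zlib, 'inner' classifies the decompressed payload."""
    s = "".join(blob.split())
    padded = s + "=" * (-len(s) % 4)
    raw = None
    for altchars in (None, b"-_"):          # standard alphabet first, then URL-safe
        try:
            raw = base64.b64decode(padded, altchars=altchars, validate=True)
            break
        except (binascii.Error, ValueError):
            continue
    if raw is None:
        return {"kind": "not-base64", "inner": None, "length": 0, "entropy": 0.0}

    kind, inner = None, None
    if raw[:2] == b"\x1f\x8b":              # gzip magic
        try:
            inner, kind = _classify_text(gzip.decompress(raw)), "gzip"
        except (OSError, EOFError):
            pass
    elif raw[:1] == b"\x78":                # zlib stream header (0x78 0x01/0x5e/0x9c/0xda)
        try:
            inner, kind = _classify_text(zlib.decompress(raw)), "zlib"
        except zlib.error:
            pass
    if kind is None:
        kind = _classify_text(raw)
    return {"kind": kind, "inner": inner, "length": len(raw), "entropy": round(_entropy(raw), 2)}


# Constructed blobs standing in for the POST bodies (placeholder fields).
_META = json.dumps({"uuid": "00000000-0000-4000-8000-000000000000", "tz": "America/Chicago"}).encode()
SAMPLE_BLOBS = {
    "plain_json": base64.b64encode(_META).decode(),
    "gzip_json": base64.urlsafe_b64encode(gzip.compress(_META, mtime=0)).decode().rstrip("="),
    "zlib_json": base64.b64encode(zlib.compress(_META)).decode(),
    "random": base64.b64encode(bytes(range(256))).decode(),   # uniform bytes: entropy 8.0
}

if __name__ == "__main__":
    for url in extract_urls(SAMPLE_MANIFEST):
        print("manifest URL:", url)
    for name, blob in SAMPLE_BLOBS.items():
        print(f"{name:11s} -> {triage_blob(blob)}")
```

A blob that comes back as `opaque` with entropy close to 8 bits per byte and no gzip/zlib header is the signature of encryption or a custom encoding, which is the useful negative result here: it tells you to look for the key or the encoder in the page's JavaScript rather than keep trying decoders.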
The GET request to frankiplay.com starts to show the redirections being made. We can tell this is a redirection from dakotamagic.casino-real.site by looking at the **Referer** header.

GET Request #1 (frankiplay.com)

![[Pasted image 20251026211013.png]]

The cookie also contains base64 data which, when decoded, is a JWT carrying the following information:

![[Pasted image 20250908183232.png]]

After forwarding the request to frankiplay.com, the next request intercepted is for record.revenuenetwork.com. Once again, the Referer header shows this originates from dakotamagic.casino-real.site. Some quick Google-fu on record.revenuenetwork.com returns many results on legitimate casino/gambling sites.

![[Pasted image 20250908183255.png]]

![[Pasted image 20251026211050.png]]

In most cases it appears to be a tracking host used as a redirect domain. Revenue Network operates in the affiliate marketing space, and the redirect through it provides features such as:

- attributing a click to a specific affiliate
- setting cookies for future tracking
- recording user actions

After forwarding the GET request to Revenue Network, the final GET request is intercepted, and it provides the missing context on the purpose of this campaign. The site redirects to cafecasino.lv, which is what we saw in the PWA. The Referer header shows the request came from the original dakotamagic.casino-real.site. The path of the GET request, ***'/join?referral=XpV2kavvIcZ24AtogcV8KGNd7ZgqdRLk&affid=33614'***, shows a sign-up being initiated under a referral code; this is the registration page seen in the GUI screenshot earlier. With many of these online casinos, players receive a referral bonus (often called playback money) when others sign up using their referral code.
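The chain analysis just described, as an added Python example (not code from the original write-up): decode the base64-wrapped JWT from the frankiplay.com cookie without verifying it, walk the captured hops checking that each 3xx `Location` actually leads to the next request, and pull the `referral`/`affid` parameters out of the final `/join` URL. The hostnames and the final path are the ones observed; the capture records, the cookie and the JWT claims are constructed placeholders.

```python
"""Affiliate redirect-chain reconstruction and cookie JWT decoding.
Added example, not the write-up's own code. SAMPLE_CAPTURE, SAMPLE_COOKIE
and the JWT claims are constructed placeholders; the hosts and the
final /join path are the observed ones."""
import base64
import json
from urllib.parse import parse_qs, urlsplit

ORIGIN = "dakotamagic.casino-real.site"   # landing page; Referer on every hop


def _b64url_decode(segment: str) -> bytes:
    """base64url with the padding that JWTs strip restored."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def decode_jwt_unverified(token: str) -> tuple:
    """Return (header, claims) WITHOUT checking the signature: we hold no key,
    so the claims are read for analysis only and must not be trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    return header, claims


def jwt_from_cookie(cookie_value: str) -> tuple:
    """The cookie value is standard base64 wrapping the JWT text."""
    token = base64.b64decode(cookie_value).decode("ascii")
    return decode_jwt_unverified(token)


def affiliate_params(url: str) -> dict:
    """Pull the referral/affid query parameters out of the final /join URL."""
    qs = parse_qs(urlsplit(url).query)
    return {k: qs[k][0] for k in ("referral", "affid") if k in qs}


def redirect_chain(capture: list) -> list:
    """Walk captured request/response records in order and return one
    (host, referer_host, status) tuple per hop. Raises if a 3xx Location does
    not match the next captured request, i.e. the capture is out of order
    or a hop is missing."""
    hops = []
    for i, rec in enumerate(capture):
        host = urlsplit(rec["url"]).netloc
        referer = urlsplit(rec.get("referer", "")).netloc or None
        hops.append((host, referer, rec["status"]))
        if 300 <= rec["status"] < 400:
            nxt = capture[i + 1]["url"] if i + 1 < len(capture) else None
            if rec.get("location") != nxt:
                raise ValueError(f"hop {host}: Location {rec.get('location')} != next request {nxt}")
    return hops


# Constructed stand-in for the frankiplay.com cookie: placeholder claims,
# dummy signature (there is no key to verify it with anyway).
_CLAIMS = {"aff_id": "33614", "campaign": "placeholder", "iat": 1757375000}
_TOKEN = ".".join([
    _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode()),
    _b64url_encode(json.dumps(_CLAIMS).encode()),
    _b64url_encode(b"\x00" * 32),
])
SAMPLE_COOKIE = base64.b64encode(_TOKEN.encode()).decode()

FINAL_URL = "https://cafecasino.lv/join?referral=XpV2kavvIcZ24AtogcV8KGNd7ZgqdRLk&affid=33614"

# Constructed capture mirroring the observed order: every hop carries the
# landing page as Referer, and each 302 Location is the next request.
SAMPLE_CAPTURE = [
    {"url": "https://frankiplay.com/click?placeholder=1", "referer": f"https://{ORIGIN}/",
     "status": 302, "location": "https://record.revenuenetwork.com/placeholder"},
    {"url": "https://record.revenuenetwork.com/placeholder", "referer": f"https://{ORIGIN}/",
     "status": 302, "location": FINAL_URL},
    {"url": FINAL_URL, "referer": f"https://{ORIGIN}/", "status": 200},
]

if __name__ == "__main__":
    header, claims = jwt_from_cookie(SAMPLE_COOKIE)
    print("JWT header:", header, "claims:", claims)
    for host, ref, status in redirect_chain(SAMPLE_CAPTURE):
        print(f"{status} {host:30s} referer={ref}")
    print("affiliate params:", affiliate_params(FINAL_URL))
```

Reading the claims without verification is fine for triage but is also exactly why the `affid` in the final URL, not the JWT, is the value worth recording: the URL parameter is what the casino's sign-up form actually consumes.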
Based on this last request, it is a reasonable assumption that the campaign exists to generate referral bonuses for whoever that referral code and affiliate ID belong to.

![[Pasted image 20250908183413.png]]

![[Pasted image 20251026211113.png]]

### **Domain Hunting**

Knowing the format of the domain, the same logic can be applied to guess other subdomains of casino-real.site. In the original URL (dakotamagic.casino-real.site), the subdomain label matches the name of the legitimate casino's website (dakotamagic.com). Using this theory, a list of casino websites can be gathered and each inserted as a subdomain to determine whether other casinos are being impersonated as well. A comprehensive list of casinos across the upper Midwest was gathered and rendered in the \<casino website domain\>.casino-real.site format. There were no hits for any of those domain checks. DNS tools such as Sublist3r and Amass were also run and turned up nothing of substance. Given the number of casinos in the United States and worldwide, it is highly likely that other casinos are hosted as subdomains, each redirecting to the affiliate sign-up link.
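The subdomain-guessing step above, as an added Python example (not the write-up's own tooling). It derives candidate labels from each casino's website, resolves `<label>.casino-real.site`, and first probes a random label so that a wildcard DNS record (or a CDN front that answers for everything) is reported as such instead of producing a hit for every guess. The default resolver uses the system resolver; `table_resolver()` is an offline stand-in with constructed answers for the demo, and the casino list below is a placeholder.

```python
"""Subdomain guessing for the <casino>.casino-real.site pattern with a
wildcard-DNS check. Added example, not the write-up's own code. The
website list and the resolver table in the demo are constructed."""
import secrets
import socket

PARENT = "casino-real.site"


def candidate_labels(website: str) -> list:
    """From a casino's website produce the labels worth trying, e.g.
    'https://www.dakotamagic.com/' -> ['dakotamagic', 'dakotamagic.com'].
    The first matches the observed dakotamagic.casino-real.site; the second
    keeps the TLD in case the operator pasted the whole domain."""
    host = website.lower().strip()
    for scheme in ("https://", "http://"):
        if host.startswith(scheme):
            host = host[len(scheme):]
    host = host.split("/")[0].rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    parts = host.split(".")
    if len(parts) < 2:
        return [host]
    name = parts[0]          # first label after www.; good enough for casino.com-style names
    return [name, host]


def system_resolve(hostname: str) -> list:
    """IPv4 addresses a hostname resolves to, or [] on NXDOMAIN/failure."""
    try:
        return sorted(set(socket.gethostbyname_ex(hostname)[2]))
    except (socket.gaierror, socket.herror, OSError):
        return []


def table_resolver(table: dict):
    """Offline resolver for demos/tests: answers from a dict, [] otherwise."""
    return lambda host: sorted(table.get(host, []))


def hunt(websites: list, parent: str = PARENT, resolve=system_resolve) -> dict:
    """Resolve <label>.<parent> for every candidate label.

    A random label is resolved first: if it answers, the parent has a
    wildcard record, and any candidate returning the same addresses is
    treated as noise rather than reported as a hit."""
    probe = f"{secrets.token_hex(6)}.{parent}"
    wildcard_ips = resolve(probe)
    hits, seen = {}, set()
    for site in websites:
        for label in candidate_labels(site):
            fqdn = f"{label}.{parent}"
            if fqdn in seen:
                continue
            seen.add(fqdn)
            ips = resolve(fqdn)
            if ips and ips != wildcard_ips:
                hits[fqdn] = ips
    return {"wildcard": bool(wildcard_ips), "wildcard_ips": wildcard_ips,
            "tried": len(seen), "hits": hits}


# Constructed demo: one impersonated casino answers, the rest do not.
DEMO_SITES = ["https://www.dakotamagic.com/", "example-casino.com"]
DEMO_TABLE = {"dakotamagic.casino-real.site": ["203.0.113.10"]}

if __name__ == "__main__":
    result = hunt(DEMO_SITES, resolve=table_resolver(DEMO_TABLE))
    print(f"wildcard={result['wildcard']} tried={result['tried']}")
    for fqdn, ips in result["hits"].items():
        print("HIT", fqdn, ips)
```

Run against live DNS by dropping the `resolve=` argument. If `wildcard` comes back true, a list of "hits" from any tool, Sublist3r and Amass included, needs the same filtering before it means anything; with no wildcard and no hits, the negative result in the write-up stands.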