An international media giant sought to expand its market with the acquisition of an online gaming business. While corporate lawyers drafted the deal documents and accountants crunched the numbers, the buyer turned to Stroz Friedberg to handle a different but equally important kind of due diligence: testing whether the target company had integrated available technologies in a way that successfully identified and blocked Internet traffic from users placing wagers from states where online gambling is prohibited.
Our work first focused on preserving and analyzing the behavior of the online gaming website, which we replicated in the controlled environment of a Stroz Friedberg digital forensics laboratory. Recording our actions and the reactions of the website, we attempted to originate wagers from prohibited geographic locations and using inaccurate payment authentication information. To the extent that the site allowed us to place such wagers, we were able to glean clues as to why—by analyzing the HTML and Java code that comprised the site’s public-facing web pages, the URL addresses of those pages, and the packets of information moving between the site and our forensic station, all of which we captured as we interacted with the site.
To further understand why some unauthorized transactions were not being filtered out, Stroz Friedberg undertook a review of the site’s back-end systems. Here, our testing focused primarily upon the integrated application documentation, the website and application source codes, and third-party site traffic metrics made available by the target company. By applying forensic methodologies, interpreting source code, and analyzing the interplay between API calls, script modules, and traffic statistics, we were able to provide the buyer with deep insight into why the geo-location filtering and payer authentication applications were not working as expected. Specifically, we found that weaknesses resulted from the incomplete integration of the site’s technologies and the site architecture itself, which allowed unscrupulous users to readily bypass those technologies.
Our concrete recommendations for mitigation, which included source code and architectural modifications, provided the buyer with a way to quantify both the cost of bringing the acquisition target into compliance with the law and the impact that remediation would have on the target’s profitability. Quantifying the risk in this fashion greatly enhanced the ability of the buyer to decide whether to complete the acquisition—or not.