A Super Bowl of irritating fraud.
Feb 7, 2023

Spam will continue to increase this week.

Proofpoint describes a spike in Super Bowl-themed spam over the past weeks. Synopsys casts a skeptical eye on sports book apps.

Super Bowl smishing.

Proofpoint observed an 860% increase in smishing attacks during the playoff period. The vast majority of the text messages contained a shortened link leading to a malicious website. The messages contain phony offers for iPad giveaways or free betting money. The researchers expect these scams to increase as the Super Bowl approaches.

Vulnerabilities in sports betting apps.

Synopsys has published a report looking at the security of the top ten sports betting apps for Android devices. The researchers found that all of the apps use outdated open-source components that contain vulnerabilities. The vulnerabilities aren’t necessarily exploitable in the apps, but Synopsys says their presence indicates that developers and app stores should refine their security practices:

“Are these apps safe to use? Some development teams are doing better than others at managing their open source dependencies. Consumers, unfortunately, do not have this visibility and must hope that app developers and app stores will improve their security processes. If we can do this type of analysis, app stores can do this type of analysis.”

Industry comments as Super Sunday approaches.

Stuart Jones, director of Proofpoint’s Cloudmark division, commented, “Sporting events are an attractive target for cybercriminals – they drive wide public interest and have a huge following, giving fraudsters countless opportunities to trick people into clicking on links related to key sports news. Be suspicious of mobile messages from unknown or unexpected sources. With smishing and other forms of mobile messaging abuse on the rise, mobile users should remain vigilant for suspicious text messages across SMS, MMS, RCS, iMessage and other platforms. If you encounter smishing, spam, or other unwanted or abusive content, make use of the Android and iOS reporting features when available. If this capability is not available, you can also forward the suspicious text messages to 7726, which spells ‘SPAM’ on the phone keypad.”

Karen Worstell, Senior Cybersecurity Strategist at VMware, offered the following observations:

“The Super Bowl has historically been a prime target for cybercriminals to launch cyberattacks affecting everything from event venues to critical infrastructure to online properties and email. Adversaries know that many people around the globe are tuning in through streaming apps and services, creating a greater attack vector and making it easier for them to strike. YOU are the prime target for this event. Be especially vigilant about clicking on sites and links that are linked to services associated with entertainment services you don’t normally use. Ensure that both company and personal computer firewall settings and advanced threat protection are in place and up-to-date since the greatest point of origin by far for cyber attacks during the Super Bowl will be end-point devices.”

Could the Super Bowl itself be hacked?

Added, 2:30 PM, February 8th, 2023. James Campbell, CEO & Co-founder, Cado Security, addressed some of the threats to the event itself. Why would something like the Super Bowl be an attractive target? There's some opportunity for financial gain in an attack, especially if that attack is linked to extortion. "If it is a large-scale physical event where everything has to go right at this moment in time, opportunistic cybercrime motivates threat actors who can hold an event for ransom, so it could be a good ransomware situation for criminal actors, albeit they don’t tend to focus on those sorts of things, but it's certainly something that could occur through disruptive campaigns as an angle for criminals." An event like the Super Bowl, for example, as we've seen, attracts a great deal of online gambling interest. Online gaming depends upon high availability, and a ransomware attack could impede that in ways that might induce affected services to pay extortion.

High-profile events also offer an opportunity to send a message. "Nation-states are sending a message and making a point with operational impact. The second and likely motivator is through high-profile events, particularly in a time of political unrest across the world; if you were to disrupt another nation's large-scale event, that would be sending a message. While it isn’t a message that has a physical impact, it can be a clear shot, a pretty big deal without actually firing anything real," he said, adding, "Interestingly at a time like this, threat actors can leverage this. Looking at the current state of affairs, it would make sense for nation-states to capitalize on a campaign against potential enemies across the western world. One of those could be disrupting large-scale events."

"If nation-states want to show that they can impact the western world, then high-profile events motivate threat actors," Campbell observed. "Showing that they can interrupt large-scale with a click of a button sends a powerful message that you can influence and make an impact no matter where you are in the world. An easy way to send a clear message is to disrupt a large-scale physical event like the Super Bowl. The US would not retaliate physically, so it's a lower risk for nation-states during uncertainty."

Big events can attract not only nation-states, but hacktivists as well. "The climate change protests and the like, in general, are against big events, so another thing to consider is that someone might try to aim to disrupt an event which can be as simple as a denial of service on a website or finding a way to discredit an event through cyber means, which hacktivists could do by utilizing the high-profile space of the event to raise awareness of their own political or general motivated issues."

If the event itself were to be disrupted, how might a cyberattack do so? "One of the main disruptions to the Super Bowl would be denying the ability for it to be televised, which would probably have the biggest impact other than physically ensuring the Super Bowl doesn’t run itself, which would be a harder task," Campbell said. "With millions of people worldwide watching and the advertising and revenue generated from the Super Bowl, if you’re going to get a certain point across, then restricting the ability to broadcast it live would have the most significant impact you could have out of all of it, albeit not the only impact."

The NFL and its partners are aware of the risk of cyber incidents. How might their cybersecurity teams approach securing the event? "Cybersecurity teams would be trying to understand the big impact events such as media availability, making sure the event, in general, runs smoothly, making sure that ticketing works, and ensuring the general safety of the event are upheld, so they’ll be considering all of those elements," Campbell says. It's not a simple task. "The one thing that would be tricky for security teams is that it’s not just one entity or single network they must look after. An event like the Super Bowl involves numerous suppliers, media companies, etc., all of which are responsible for looking out for their networks, collectively making up how the Super Bowl is run. From a risk standpoint, security teams want to try to manage the best they can that all of the suppliers and everybody who are essentially helping run the Super Bowl are maintaining a good level of security and also, from an operational perspective, make sure they have appropriate continuity plans in place should something happen they can fall over to a plan B and keep the event going, live, and streaming worldwide."

Campbell offers a set of best practices that might usefully inform security for events like the Super Bowl:

  1. "Understand the risk to your suppliers: the data they have access to, what operational capability they bring to your event, how they operate, and what they do to maintain resiliency. What are the associated risks, types of threats you’re likely to encounter, and avenues they could potentially exploit? 
  2. "Focus your resources on hardening those and making them more resilient because trying to secure all the things is only sometimes practical. You need to understand where to start, what’s your highest risk and profile, then tackle that first. 
  3. "For an event such as the Super Bowl, this starts with the suppliers, people, networks, and technology that make the event possible, ensuring they are doing it from a risk, security, and resilience perspective. 
  4. "From a best practice perspective, they would have prepared for it by engaging the critical suppliers as part of the significant event and exercising various cyberattack scenarios to ensure they have the proper checks and balances to respond accordingly and maintain resilience."

Some of the risk to any event this large is inevitably third-party risk. "From my experience with events, there are many moving parts – third-party risk – when it comes to people organizing these events," Campbell says.

"Some straightforward examples are denial of service and attempts to bring down live feeds or general websites so people can’t buy tickets or get updates. These are pretty simple things to do, but they can be very complicated. There’s a monumental effort to deliver live feeds of the games, commentary, and different languages to the world, a lot of which is physically at the event.

"The televised network and server sitting in the data room in the Super Bowl is secure with patches and firewalls, but what happens if you don't have control of the room itself? The building management system might be separate from that, and you might not directly control or have access to that. Suppose threat actors attack IoT and turn off the air conditioning in the building management system. In that case, all those computers are useless because you must immediately turn off all your servers, or else they melt within 15-20 minutes."

And a cyber threat to ticketing.

Added, 11:45 PM ET, February 8th, 2023. Ticketing is vulnerable, too. Will LaSala, Field CTO at OneSpan, described the effect that both attackers and scalping bots can have on ticket sales:

“The highly anticipated game between the Eagles and the Chiefs serves as a timely reminder of how vulnerable these types of transactions are and how frequently they are targeted by attackers and bots. Regardless of whether you are purchasing tickets to a football game, concert, or transferring money, all transactions need to be secured and ultimately, we want to ensure every transaction has a real identity tied to it. Ticket sales are a digital transaction that could be further secured by having a digital identity tied to help ensure bot-based attacks have less impact. 

"Although service providers — such as Ticketmaster — may be concerned about impacting the user experience, implementing the right technology for verifying the end user does not have to come at the price of increasing the user experience. Most ID verification capabilities ensure a secure process that helps customers put more trust in their vendors. After performing ID verification, customers are protected via strong credentials such as passwordless FIDO (Fast ID Online) technologies, or secure PUSH Authentication leveraging built-in mobile biometrics, like FaceID and fingerprints. As the transaction is processed, the provider typically looks to capture the user’s intent and to store that intent so that it can be verified in the future, if needed.

"The bottom line is that transactions not tied to identities and not secured lead to bad user experiences and offer increased attack surfaces. Customers should look at their digital processes and start to envision how those transactions are changing in the virtual world that is on the horizon.”