Cybercriminals Aim for the Super Bowl Goal Posts

Ah, the Super Bowl. For some, this Sunday’s show down between the Los Angeles Rams and the New England Patriots will be about gathering family and friends around for a great American pastime: The Super Bowl party. Some are just in it for the commercials. Some see a gambling opportunity; and for fans of the two teams playing, it’s the culmination of everything they’ve been hoping for since September.

And for cybercriminals, Super Bowl LIII is a massive fraud and infrastructure attack opportunity, and a perfect chance to attack those streaming the event.

Consumer Frauds and Scams

The ZeroFOX team said that it has found several instances this week of advertisements to place online sports bets and discussions about online betting for the Super Bowl, many of them fraudulent. Other common scams that are making the rounds are offers for tickets to see the game in Atlanta, cheap hotel rooms in the Peach City, and discounted official merchandise and jerseys.

“Watch out for those offering great deals on things like tickets, places to stay or that cool jersey you’ve been eyeing – be sure to take extra steps to verify that you’re getting what you’re paying for,” said Kirsten Ashbaugh, threat analyst on the ZeroFOX Alpha Team, in a report shared with Threatpost. “And if you do decide to place a wager, check the relevant state laws to make sure you’re in the clear.”

Although sports betting, including online betting, has become legal in some states over the past year, it may not be legal or accessible depending on where one lives.

“Only a handful of states have legalized this type of betting, and not all of them offer the ability to bet online,” Ashbaugh said. “The ones that do may restrict even online betting to those physically within state boundaries. If you do decide to partake, be sure to check if your state allows you to bet online, and look to make sure the website or app you’re using is reputable.”

On the fraudulent ticket and travel front, game day ticket sales last week increased 65 percent, but instances of fraud attacks also spiked, according to data from Forter sent to Threatpost. The firm identified two types of criminals that have been actively trying to exploit both ticketing sites and football enthusiasts ahead of the big game: Foreign fraudsters and domestic “legacy” fraudsters.

Forter’s analysis found that most fraud comes from outside of the U.S., making up 3.8 percent of total attempted Super Bowl ticket purchases. And when it comes to domestic threats, a New York-based crime ring has been targeting the ticketing industry and the Super Bowl specifically.

“The culprit uses sophisticated technology to alter IP address and fake their location, and frequently changes personal account details to avoid detection,” a Forter spokesperson explained via email. “So far, this scam has led to one massive failed attempt at purchasing $10,000 worth of Super Bowl tickets.”

Those looking for last-minute tickets should thus be on high alert.

“Sellers may offer tickets that either are fake, created falsely online, or they could be reselling tickets that someone else is already planning on using,” ZeroFOX’s Ashbaugh noted. “You could get to the gate and be out of luck. It’s also a good idea to never post pictures on social media or elsewhere of your tickets to events like the Super Bowl, because people could use those photos or the ticket number to create fake tickets.”

Infrastructure Risks

One of the other concerns at the Super Bowl involves the critical applications and networks that support the event, hosted both locally and in the cloud. Broadcast networks, industrial control systems, civil-service networks and other related systems are also all at risk, according to Daniel Smith, a researcher at Radware.

He noted in a Thursday posting that there’s a precedent for the concern: “While there hasn’t been a recent attack of scale reported against the Super Bowl, last year we did witness a piece of malware named Olympic Destroyer that targeted and disrupted the opening ceremonies and entry into the 2018 Winter Olympics.”

Also, today’s stadiums, theaters, arenas and amphitheaters are target-rich environments, he added. They require small cells, WiFi and distributed antennae system (DAS) deployments to serve fans with modern, interactive game-watching enhancements. Often, the technologies designed to enhance the spectators’ experience are easily exploited to harvest information from attendees, according to Smith.

It’s an attractive cybercrime opportunity, given the sheer amount of data traffic that these systems support. Extreme Networks reported that last year’s attendees at Super Bowl LII in Minnesota transferred 16.32 Terabytes of data with a peak rate of 7.867 Gbps.

“This Super Bowl, like years before, will bring large crowds once again that will demand connectivity and are expected to consume record breaking volumes this year,” Smith said. “This is an enormous demand for connectivity and the technology involved could poses a security risk for event organizers, partners, sponsors and attendees as their activities in the stadium begin to produce more digital oil: data.”

Infected Streams

Last year, the Big Game drew an estimated 103 million viewers and saw record-breaking streaming traffic, according to NBC. Super Bowl LII had an average online viewership of 2 million, a 15 percent gain over the 2017 event. The stream was available on NBC Sports app, NBCSports.com and the Yahoo Sports app, among others. At its peak, the online audience clocked in at 3.1 million concurrent streams.

It’s safe to say that this year’s digital audience will likely improve on that. So as the Los Angeles Rams face off against the New England Patriots this year, cybercriminals will be looking to take advantage of the thirst for multimedia and streaming access to the game.

In the era of “cord-cutting,” those without television packages will look for ways to watch Super Bowl LIII digitally, as will those who have to work or who will otherwise not be in front of a TV.

Against this backdrop, cybercriminals have been focused on spreading malicious software via unsanctioned streams, designed to harvest and steal personal information.

“On Super Bowl Sunday, millions of sports fans worldwide will descend onto the internet eagerly searching for a free stream,” Ray Walsh, digital privacy expert at BestVPN.com, said via email. “The result is every hacker’s dream. This year, hackers are expected to have set up more infected streams than ever before. Anybody arriving on an infected page to hit the ‘Click Here to Watch the Super Bowl in HD’ button is in for a nasty surprise. Malware, spyware, trojans and ransomware are all going to be on the menu — which means that sports fans are going to end up with serious infections.”

Fans should instead stick to watching official HD streams, he added, to avoid misery.