Just like the old-fashioned pickpockets and scalpers we’ve learned to avoid, cyber scammers are exploiting major world events to target their victims. The World Cup, the Royal Wedding, and the Winter Olympics are recent events they’ve tried to benefit from in this way, and it’s an incredibly effective tactic.
Usually, the cyber attacker modus operandi during these events is the tried-and-true combination of social engineering and phishing. Generally an email – along with a malicious attachment or link – is sent out in a spam campaign to thousands of potential victims. The body of the email will exploit interest in the event and point the user to the malicious element — alluding to a special offer or other detail related to the event.
An interesting example occurred during the recent World Cup. Hackers developed a malicious score-tracking app, called “Golden Cup”, and convinced Israeli soldiers to download it from the Google Play store. The app in fact contained spyware which gave the attackers access to the soldiers’ GPS location, phone cameras and microphones, and revealed the locations of images and videos stored on their phones.
The Israeli military blamed the Palestinian group Hamas. What made the malware especially dangerous, the Israelis said, is that the app looked legit — it was downloaded from an official app store.
It’s not only sport fans that need to be wary. We witnessed another cunning tactic before the wedding of Prince Harry and Meghan Markle, whereby cyber criminals launched the “royal wedding guest name” data mining scam. This scam tricked people into giving up key personal data by inviting them to find out what their ‘aristocratic name’ was. And what did people need to do to find out their ‘aristocratic name’? They had to enter the name of one of their grandparents, their first pet’s name, and the name of the street they grew up on. If these questions sound familiar, it’s because they’re three of the most commonly used security questions.
Organisers and contractors of these events are also frequently targeted via similar means. Before the South Korean Winter Olympics, sophisticated attackers targeted ski resorts, organising committees, and tourist boards with an apparent alert from South Korea’s National Counter-Terrorism Center. The email contained malware which would give attackers remote access to infected machines. Underscoring the trade craft of this campaign, the emails coincided with real-life terrorism drills.
Any time these significant events roll around, we can expect an accompanying phishing campaign. Exploiting the public interest in major events is an efficient and effective form of social engineering.
Consider the fervor that will descend upon Australia during the last weekend of September. Saturday will see the AFL final decided, while on Sunday, the NRL finalists will face off against each other. Fans and punters across the country will be eager for any updates in the lead up to both matches and could be seen as easy targets.
If a spam email went out claiming to contain last minute injury updates or special odds from a betting agency, I think we all know someone who would open it. By feeding on the frenzy before these events, attackers know there’ll be enough people who can’t resist to make the campaign worth their while.
This doesn’t mean you should live in fear any time an event of national or international significance rolls around. Basic cyber hygiene is enough to ensure you enjoy these events safely; only use trusted sites, only download official or verified apps, don’t click on emails or attachments from unfamiliar sources, and apply the latest patches as soon as possible.
These are very simple steps one can take to level the playing field against attackers. Forewarned is forearmed, and knowing to expect such tricks can help even the most ardent fan think twice before entering their mother’s maiden name and favourite colour to find out their ‘footy nickname’.
By Carlo Minassian, founder of cyber security platform LMNTRIX.
