Olympics fans who are simply trying to learn the latest medal count may be at risk for cyberattacks. A number of reports found a recent surge in the volume of malicious and phishing artifacts in Brazil, and viewers at home must be vigilant to ensure they do not fall victim and potentially put themselves and their company at risk.
“Attackers are smart, and to make malicious emails more enticing for the victims, a frequent trick is to tie them to an event that is currently going on,” said Engin Kirda, professor of computer science at Northeastern University. “As the Olympics are popular right now, users should expect to see malicious emails related to the Olympic games that aim to trick and exploit them.”
SEE: IBM X-Force finds major malware hitting Brazil banks ahead of 2016 Olympics in Rio
Fans of a large event are often seen as easy targets for a wide range of attacks, including phishing emails, domain theft, ransomware, and fake social media posts, Kirda said. If an employee accesses one of these attacks on a work machine, it may put their business at risk as well.
The first spam emails mentioning the Olympic Games in Rio de Janeiro appeared in early 2015, according to research from Kaspersky Lab. International fraudster gangs also created fake ticketing services and lotteries that ask victims for personal information to claim their prize.
“On phishing websites users have been asked to provide personal information–including bank account details–to pay for the fake Olympic Games tickets,” the company said. “After extracting this information, criminals use it to steal money from victim bank accounts. To sound even more convincing, fraudsters are informing their victims that they will receive their tickets two or three weeks before the actual event.”
Now that the games are in process, criminals have shifted toward phishing attacks imitating the branding of the Olympics to infect users with malware and obtain personal and financial data, said Greg Mancusi-Ungaro, chief marketing officer of BrandProtect. For example, someone might email “Look at this photo of me with Michael Phelps!” with a link to malware.
“The Olympics are an example of a singular event that draws a lot of people together, and is filled with local stories that are incredibly attractive to click on and get people at their most vulnerable,” Mancusi-Ungaro said.
Long cyber attack history
Cyber attacks during the Olympic games were reported as far back as the 2004 Summer Olympics in Greece, where a large cell phone service providers’ switches were hacked, resulting in several phone taps.
Hackers convinced fans to click on infected links during the 2012 London Olympics and the 2014 World Cup in Brazil. Similar issues plagued the 2016 Democratic National Convention, when Russian hackers penetrated the committee’s computer network and gained access to emails and opposition research on Republican nominee Donald Trump.
Lack of staff expertise and technology are key reasons external internet threats go unchecked at companies, according to a July Ponemon Institute study. About 79% of IT staffers polled reported that their defensive infrastructure to identify and mitigate those threats was either non-existent, ad hoc, or inconsistently applied throughout the business. Companies surveyed averaged more than one cyber attack per month, and faced annual costs of approximately $3.5 million as a result.
Advice for businesses
Companies can consider the following to stop attacks before they happen:
- Internet threat assessments that provide teams with reports of how hackers may be assuming their brand identity online.
- Domain monitoring to identify and remove copycat domains.
- MX Record monitoring, which provides early warning of an imminent phishing attack.
- Backing up data frequently.
- Instructing employees not to click on links in emails or open attachments from people they do not know. Even if they know the sender, they should be careful: Sender addresses can easily be forged in emails in more targeted attacks. “The easiest thing companies can do is just remind people to be careful,” Mancusi-Ungaro said. “It goes a long way.” He recommends emailing employees detailing some of the specific cyber risks they may encounter during the Olympics.
Ideally, such email attacks should never reach end users, as many modern defense systems aim to identify and eliminate them, Kirda said. “However, staying vigilant is important because no security defense system can be perfect,” he added.
The 3 big takeaways for TechRepublic readers
- Fans of the Rio 2016 Olympics are seen by hackers as easy targets for a wide range of attacks, including phishing emails, domain theft, ransomware, and fake social media posts.
- Before the Olympics began, scams included offers for fake tickets and clothing that got people to give up personal and financial information. Now that the games are happening, cyber criminals have shifted toward phishing attacks to infect users with malware.
- Employers should send out a warning to employees detailing the risks of clicking on links they do not know, and should back up their data frequently.