Rio 2016: The world is watching, especially hackers
When each nation’s best athletes compete at the Olympic Games, one city seemingly becomes the center of the universe. And while we look on closely—captivated by the event’s grandeur and its participants’ incredible skills—threat actors do the same, only for entirely different reasons.
Every four years, the host country pours an enormous amount of time and resources into building venues for the many different events, as well as the infrastructure necessary to accommodate the massive influx of visitors. In fact, the total cost of the 2016 Olympics in Rio de Janeiro, estimated to exceed $12 billion, has increased by $99.3M since August alone.
And the host isn’t the only one spending big—spectators and revelers will shell out millions on tickets, travel, and accommodations, while sponsors like Coca-Cola, McDonald’s, and Nike put hundreds of millions into sponsorships to make sure they get their share of the spotlight. By and large, the Olympic spending frenzy makes easy work for threat actors looking to fool people and organizations out of their money. It’s no surprise that RiskIQ, an external threat intelligence and detection company, is seeing a sharp rise in fraudulent sites and mobile apps related to the Rio Olympics.
Ticketing scams, namely the use of fake websites, are one of the most common ways Olympics-goers are being taken advantage of. Fake sites target a specific organization by using either the name of the company in the domain (log-in-page-companyname.com), a variation of the spelling of a brand (favebook.com), or the organization name paired with an uncommon TLD (companyname.net, companyname.de, companyname.party, etc.). Malicious actors often register hundreds, even thousands, of spellings across different domain variations to spread their reach. These shady domains either resolve directly to, or redirect to, hosts that target visitors.
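The three lookalike patterns above (brand name embedded in a longer domain, near-misspelling of the brand, and the exact brand on an unexpected TLD) are simple enough to check mechanically. The script below is an added example, not RiskIQ's own tooling, that classifies a list of observed hostnames against a brand a defender is monitoring. It assumes the brand is a single label (for example `facebook`), that the defender supplies the set of TLDs the brand legitimately uses, and that TLDs are a single label (multi-part public suffixes such as `co.uk` are not handled). The hostnames in `SAMPLE_HOSTS` are constructed for the example.

```python
"""Classify candidate hostnames against a monitored brand using the three
lookalike patterns described in the text. Added example; the host list below
is constructed, not real observed data."""

from typing import Iterable, List, Tuple


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute) via dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def split_host(host: str) -> Tuple[str, str]:
    """Return (registrable label, tld). Assumes a single-label TLD, so
    'shop.facebook.party' -> ('facebook', 'party'). Multi-part suffixes such
    as co.uk are out of scope here (assumption)."""
    labels = host.lower().strip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def classify(host: str, brand: str, expected_tlds: Iterable[str]) -> str:
    """Map a hostname to one of: official, uncommon-tld, brand-embedded,
    misspelling, unrelated. Checks run from most to least specific."""
    brand = brand.lower()
    expected = {t.lower() for t in expected_tlds}
    label, tld = split_host(host)
    # Allow one edit for short brands, two for longer ones (heuristic threshold).
    max_dist = 1 if len(brand) <= 6 else 2

    if label == brand:
        # Exact brand label: legitimate TLD vs. the "companyname.party" pattern.
        return "official" if tld in expected else "uncommon-tld"
    if brand in host.lower():
        # Brand appears anywhere in the host, e.g. log-in-page-brand.com or
        # brand.com.evil.net (the subdomain case is a generalization of the text).
        return "brand-embedded"
    if edit_distance(label, brand) <= max_dist:
        # Near-miss spelling of the registrable label, e.g. favebook.com.
        return "misspelling"
    return "unrelated"


def suspicious_hosts(hosts: Iterable[str], brand: str,
                     expected_tlds: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (host, verdict) for every host that is neither official nor unrelated."""
    out = []
    for h in hosts:
        verdict = classify(h, brand, expected_tlds)
        if verdict not in ("official", "unrelated"):
            out.append((h, verdict))
    return out


# Constructed sample input for the example (not observed data).
SAMPLE_HOSTS = [
    "facebook.com",
    "log-in-page-facebook.com",
    "favebook.com",
    "facebook.party",
    "faceb00k.com",
    "facebook.com.example.net",
    "example.org",
]

if __name__ == "__main__":
    for host, verdict in suspicious_hosts(SAMPLE_HOSTS, "facebook", {"com"}):
        print(f"{host:32} {verdict}")
```

In practice the candidate list would come from newly observed domain registrations or passive DNS, and the `expected_tlds` set from the brand's own inventory; the `misspelling` threshold is a heuristic and should be tuned per brand length to keep false positives manageable.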
In the case of the fake site below (which RiskIQ found and blacklisted), the brand is that of the Olympic Games themselves. The URL resolves to a site selling fake tickets—even to events that are known to be already sold out, like the Opening Ceremony. Victims of this scam get nothing in return and have no way of getting their money back.
Although many of these fake ticketing sites are crudely built and have telltale typos and other errors—a notorious one that scammed English soccer fans out of nearly $500,000 is a great example—some are harder to detect. The pages in the screenshots above and below are particularly dangerous simply in how professional they look, offering few if any red flags to unsuspecting users.
RiskIQ has also observed and blacklisted fake websites that promise to give users an “inside look” at the Rio Olympics only to steal personal information, as well as fake travel booking sites that steal financial data and sites that exploit the concern over the Zika epidemic by offering “safety information” but delivering malware instead.
Threat actors are using the size, complexity, and dynamic nature of the global app store ecosystem to exploit well-known Olympic Games sponsors. In such a complex environment, it’s increasingly difficult for sponsoring organizations to monitor their mobile presence and protect their customers from fraud. Threat actors, realizing this lack of visibility by major sponsors, will create several—if not hundreds—of apps that mimic the original, offering games or other interactive experiences that ask users to provide financial data and other sensitive information. Users are conditioned to grant app permissions to gain access to the content. Shady developers are happy to take advantage of this social conditioning.
Fake mobile apps associated with promotions and sponsorships for the 2016 Games are already appearing in app stores all over the world, tricking more users every day. This deceit degrades the relationship consumers have with the organization and compromises the very trust that sponsorship aims to build. Once published, mobile apps can rapidly proliferate from official stores throughout the app store ecosystem, spreading to new stores and web download locations without the developer’s knowledge or consent.
Even legitimate apps can be compromised, especially if they are not kept up to date. Every major sporting event—from the Super Bowl to the Olympics to the World Cup—leaves a graveyard of event-specific apps in its wake, built by sponsors and completely forgotten by everyone—except opportunistic threat actors. Eventually, these can be hacked and exploited at the organization’s expense.
A company’s security perimeter is only as strong as its employees. Infected personal devices like mobile phones and laptops are the way in for malware. Companies that have remote employees traveling to the Olympics need to think about security beyond the firewall and take the necessary precautions to avoid the pitfalls mentioned above.
Companies cannot leave it up to employees to protect their devices. There are just too many savvy threat actors out there with the tools and know-how to take advantage of people and wreak havoc on their employers—and eventually the organization’s data. The best way to defend against the growing threat outside the firewall is to discover and monitor your entire attack surface, so you can quickly investigate any threats for rapid response.