When I was first asked to write a blog about the UEFA EURO 2020 Championship, I immediately imagined going through a detailed analysis of the participating teams and an educated prediction of the course of this tournament. While that’s not going to happen today, this blog will discuss the potential cyber threats to this competition—one of the first major international sporting events to occur since the COVID-19 pandemic. As you may imagine, these differences have slightly altered the threat landscape of this event. Let’s see in more detail what that’s going to look like.

Cyber Threats to EURO 2020

Major sporting events like the UEFA EURO 2020 are typically at risk of an array of potential threats that shouldn’t be overlooked when painting its threat landscape. Here are some of the most likely events that we may observe:

  • Ransomware. The high-profile nature of EURO 2020 makes this event an attractive opportunity for cybercriminals, given that little downtime can be afforded by organizers and sponsors during the event. Consequently, if ransomware gangs were to successfully encrypt one of the tournament’s key partners’ networks, they would have sufficient leverage to request a high ransom and a good chance of receiving that payment too. Call that a perfect scenario for these cybercriminals. Surprise, surprise, the threat posed by ransomware actors continues to be high. 

Recently, we’ve observed ransomware actors becoming bolder and bolder with their tactics and communication strategies. For example, while RagnarLocker turned to Facebook ads, Conti and Ryuk have been cold calling victims to pressure them into paying. Therefore, it is realistically possible that ransomware gangs will keep using innovative extortion methods throughout the competition to ensure a steady revenue stream. Cybercriminals have already demonstrated endless times that they’re perfectly capable of exploiting situations where massive audiences are focused on a singular event— we wouldn’t be surprised if that was the case again.

  • Phishing. Phishing campaigns targeting events that attract heightened attention from big audiences are nothing new. Whenever the attention of a multitude of people is focused on a singular event, phishing campaigns are typically one of the first attack vectors used by cybercriminals to try and extract some value out of it—whether that is in the form of personally identifiable information (PII) or financial data. Using immediately recognizable branding and slogan linked to EURO 2020, cybercriminals can elicit a strong response from the email recipients and thus convince them to open malicious links to an impersonating domain or attachment.

In the case of EURO 2020, phishing campaigns are likely to exploit hot topics like ticket reselling, match organization, and fan-engaging events. Given that the championship will be hosted in 12 different countries, cybercriminals may have greater opportunities for phishing against host countries and fans attending the event with a broad array of lures.

UEFA impersonating domains can serve as a hotbed for phishing activity
  • Malware. Does “OlympicDestroyer” ring a bell to any of you? As you may remember, during the 2018 Winter Olympics inaugural ceremony, a cyber attack that deployed malware known as “OlympicDestroyer” crashed the organization’s IT systems, wreaking havoc on public Wi-Fi, ticket printing, and the Winter Olympics’ website. This story is fascinating in terms of capabilities, damages, and attribution, and I could not recommend more listening to this Darknet Diaries episode for a thorough recap of it. 

Hopefully, the EURO 2020 inaugural match won’t be disrupted in the same way—Italy is playing against Turkey in the Stadio Olimpico in Rome, and I couldn’t be more excited about it. However,  OlympicDestroyer  serves as a great example that when so many networks and devices are connected, there is a heightened level of risk.

  • Hacktivism. The threat posed by hacktivism has slowly diminished in the past two years. However, whenever events with international media coverage are set to happen, these groups may resurface  to raise awareness on their agenda or damage the reputation of companies actively involved in the event. That being said, Photon Research hasn’t identified any potential hacktivist campaigns toward EURO 2020 yet.

Fraud and financial crime. Previous major sporting events have seen a variety of tactics that exploit the large number of tourists that visit host cities. Clearly, that might not be the case this time due to travel restrictions across the hosting countries. However, ATM skimming, banking scams and infections against point of sale malware used to steal payment card information may still appear throughout the competition to target locals and those few tourists. In addition to this, fraud-related threat actors may leverage EURO 2020’s brand to profit from counterfeit tickets, merchandise, and streaming services.

Threat Actors get creative with fraudulent services advertised on messaging apps

COVID-19’s impact on the EURO 2020 threat landscape

Although the threat landscape surrounding the rescheduled EURO 2020 has not shifted drastically since last year, it will be interesting to observe how COVID-19 may impact the upcoming football championship. The main effect of the pandemic on the EURO 2020’s threat landscape will probably be phishing campaigns. As we’ve discussed many times, these campaigns exploit contextual circumstances and pressing times to typically manipulate victims into giving up credentials, clicking on infected links, and downloading malicious documents. 

And what’s better for this purpose than the chaos generated by the pandemic? Most European countries are now slowly easing their COVID-19 restrictions thanks to the positive impact of national vaccination schemes. While this is welcomed progress, cybercriminals may exploit these updates for delivering malicious email campaigns to football supporters and tourists. Additionally, this year’s edition will also witness a reduced amount of tickets available for fans which, on the other hand, significantly expands the demand for them. We’d not be surprised if we saw emerging details about these sorts of malicious campaigns in the coming weeks.

Mitigations to Euro 2020 Cyberthreats 

Understanding the motivations and tactics of the adversaries in your threat model can significantly expand the robustness of your security measures. Additionally, the following mitigation techniques can help limit the impact of any malicious activity that may occur throughout Euro 2020 (and beyond):

  • Update and patch. First and foremost, organizations should make sure their firmware and OS systems are updated with the latest patches ahead of the beginning of the event. Leveraging software to detect, identify and prioritize vulnerabilities can relieve this process.  
  • Be wary of scams and phishing emails. Do not click on any links in emails marketing or referencing the event. UEFA will never be launching an email marketing campaign with “FREE TICKETS!!1!” as the header, nor will you ever find the truth behind sensational titles that urge you to “CLICK HERE” to discover why the next game is rigged.
  • Use legitimate app stores. Make sure you only initiate legitimate sites such as the Apple and Google stores when downloading applications. Also, ensure you review security and access permissions granted to these programs. 
  • Be vigilant when using ATMs in-country. Look out for evidence of machine tampering: some skimming devices can be spotted by a quick wiggle of the card reader or through visible marks on the PIN code area. To help lessen the impact of Point of Sale malware and ATM skimming, alternative payment methods like chip and pin, pre-paid, and pre-capped cards should be considered.
  • Avoid untrusted networks. Corporate users should use Virtual Private Network (VPN) tunneling when connecting to company networks and corporate accounts, especially on public Wi-Fi. Multi-Factor authentication can also help combat successful account compromises.

Digital Shadows (now ReliaQuest) has been tracking the impact of cyber threats on main sporting events since 2014. Some of the most popular blogs published in this area include an assessment of the LI Super Bowl, the threats to the 2018 football World Cup, and the 2018 Winter Olympics threat landscape.

If you’d like to assess your organization’s risk exposure across the open, deep, dark web and technical sources, get a customized demo of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) here. You’ll get visibility into any impersonating domains or phishing schemes targeting your company’s name and brands, exposed data or PII, and reducing your attack surface online.