Like any major event, Super Bowl LI brings with it the heightened risk of malicious cyber activity. The lead-up to last year’s game was dominated by security concerns over cyber attacks given the abundance of fiber optic cables in and around the San Francisco 49ers’ stadium, the venue for Super Bowl L.
Although we have yet to detect any audible calls to target the 2017 event being held at the NRG Stadium in Houston, we can look back at previous Super Bowl activity, as well as wider comparisons to other major sporting events that we have monitored for an indication of the type of threats that may come to pass this year.
Touchdown or Tangodown?
Previous large-scale sporting events such as the 2014 World Cup in Brazil or the 2016 Rio Olympics were beset by hacktivist activity. In Rio we saw a large number of data leaks and denial of service (DoS) attacks. More recently, the African Cup of Nations football tournament experienced two separate DoS attacks, one against the event website itself, while the other successfully disrupted the website of the event’s main sponsor, the French multinational oil and gas company Total. In this case the hacktivists were participating in the OpGabon campaign, which was purportedly established in 2013 to denounce killings conducted for political gain by the current president Ali Bongo.
While no dedicated campaign against the Super Bowl has surfaced among the hacktivist community, there is always the possibility that hacktivists will use the global platform of major sporting events as an opportunity to further their ideological goals. Anonymous-affiliated actors have already promoted the OpSafeWinter campaign, with one Anonymous actor calling for support for Houston’s homelessness efforts ahead of Super Bowl LI. Moreover, a small community of activists has called for a boycott of this year’s game on the grounds of allegedly restrictive laws passed affecting women’s health in Texas. While neither has been connected to a hacktivist campaign, the point is that hacktivist actors can at any time leverage a highly publicized spectacle to highlight specific local (or even national) grievances.
Figure 1: OpSafeWinter campaign material disseminated via Twitter
Fake Mobile Apps and Phishing Attacks
Sponsors and organizers are not the only ones at risk; fans and even television broadcasters also have reasons to fear for their online safety. Phishing emails such as this one (below), identified by SANS, were used in 2015 to infect victims with credential-harvesting malware. Fake apps innocently downloaded by attendees can also be used to hide and distribute malware live during the game.
Figure 2: Phishing email using Super Bowl lure to deliver malware [Source: isc.sans.edu]
Unsurprisingly, the high demand for tickets opens the gate for ticketing scams. While some sellers will attempt to sell their tickets for extortionate prices, attendees should also beware of sellers who may never come through on their promises. We recently detected the following seller offering Super Bowl ticket packages on two dark web marketplaces. While we could not verify whether the tickets were legitimate, a closer look at the seller’s other online offerings should drive prospective buyers elsewhere. Those still looking for tickets are advised to use trusted ticket merchants, and remember that it’s easy for scammers to set up legitimate-looking sites using techniques such as typo-squatting.
Figure 3: Dark web marketplace seller offering Super Bowl tickets
Figure 4: Other great offers by this seller, including fake IDs, tickets and malware tools
Point of Sale Interceptions
With hundreds of thousands of fans expected to rush to the Houston area this week, cybercriminals will likely look to profit from the increased number of transactions being made at ATMs and at local stores, hotels and restaurants using point of sale (PoS) software. Only last week it was revealed that customers who used their debit or credit cards at Houston area Popeye’s restaurants were at risk of data theft, after malware was identified in the computer systems at seven locations. Though these potential breaches occurred in mid-2016, we can expect credit card fraud to increase in the week leading up to the Super Bowl.
Assessing the Field of Play
Overall, we can group the potential threats into those affecting businesses and those that target supporters:
While explicit hacktivist campaigns or evidence of targeted malware has yet to materialize, by anticipating some of the potential threats associated with an event of this scale, sponsors and fans can better tackle all eventualities. Digital Shadows (now ReliaQuest) will be monitoring these developments as kickoff approaches in case the attackers decide to call the blitz.