Attackers Have High Hopes for Success Around 2014 World Cup
Similar to the Sochi 2014 Olympics and all other major sporting events before it, the FIFA World Cup 2014 in Brazil is being leveraged by cybercriminals and scammers as a means to lure victims for their attacks.
In recent months, several security vendors have published advisories about the various scams, phishing and malware operations that target Internet users interested in the World Cup. While individuals from all over the world have been targeted, many of the malicious campaigns focus on Brazil and neighboring South American countries.
Cybercriminals are relying on the FIFA World Cup to trick users into installing malware on their computers. Trend Micro discovered a campaign targeting customers of a Brazilian ticketing website, where the attackers managed to obtain the personal details of the site’s users and sent them fake raffle emails containing links to the BANLOAD banking Trojan.
Trend Micro’s researchers also stumbled upon a BLADABINDI backdoor disguised as a FIFA World Cup streaming application, and a piece of adware (ADW_INSTALLREX) disguised as a key generator for the FIFA 14 video game.
Symantec has also spotted at least two major spam runs used to distribute malware. In one of the campaigns, cybercriminals promise users free tickets to the 2014 World Cup in Brazil to lure them into installing a version of the DarkComet remote administration tool (RAT) on their systems. The second operation leverages the reputation of soccer player Neymar da Silva Santos Júnior and relies on a maliciously crafted Word document to deliver malware.
Additionally, researchers from Trustwave’s SpiderLabs spotted a malicious advertisement on the website of Brazilian sports newspaper Lance (lancenet.com.br). According to experts, the attackers abused a zero-day in Adobe Flash Player (CVE-2014-0515) to deliver malware to the site’s visitors.
Mobile users are being targeted as well, with security firm AVAST reporting that it has come across several suspicious soccer-related apps on Google Play. Some of them are blank applications designed only to display advertisements, while others request a suspiciously large number of permissions when installed.
Jovi Umawing, Malware Intelligence Analyst at Malwarebytes, told SecurityWeek that cybercrooks could also resort to fake mobile apps just like they did during the 2012 Summer Olympics in London.
“Organizers of the event released a game app that allowed users to take part in the said sporting event in a unique way by giving them the chance to play as their favorite players, win competitions, and receive their own digital gold medals,” Umawing explained.
“The criminals packaged their malicious mobile app as the free version of the real thing. It was a Boxer malware, which typically sends SMS messages to premium numbers. We could see a similar malware campaign related to the World Cup, so netizens should be on their guard at all times.”
2014 FIFA World Cup phishing websites have been around since 2013. Most of these sites advertise various promotions and contests in which users can allegedly win match tickets, trips to Brazil and other prizes. The catch is that they have to provide personal and financial information to supposedly get the chance to win.
“The most common online threat using FIFA World Cup as bait is phishing. Links to phish sites may come in a spam mail or social media post. We haven’t seen any FIFA mails yet, but we have certainly seen criminals acting on behalf of FIFA organizers and Electronic Arts in social media,” Umawing told SecurityWeek.
Kaspersky Lab highlighted the fact that cybercriminals are leveraging the name of renowned people and organizations to make their schemes appear more legitimate. In May, Kaspersky reported detecting and blocking 50-60 fake Brazilian sites each day.
In addition to spreading malware, Brazilian cybercriminals are acquiring SSL certificates, which they’re using not only for websites, but also to sign Banking Trojans, Kaspersky has warned.
According to Kaspersky, cybercriminals have acquired SSL certificates from certificate authorities like Comodo, EssentialSSL, Starfield and Register.com to gain the trust of potential victims.
“Cybercriminals built professional-looking websites, bought genuine SSL certificates and even paid Google to advertise their sites via Google Ads. Even people who say ‘I don’t go to suspicious websites’ may become an easy victim,” Dmitry Bestuzhev, head of Kaspersky’s Global Research and Analysis Team, Latin America, told SecurityWeek.
Malwarebytes has spotted fake Twitter accounts apparently operated by EA Sports and FIFA for the 2014 FIFA World Cup, with the goal of luring users to EA Sports phishing websites.
“The criminals used imitation Twitter support channels, interjecting themselves into conversations and directing unaware victims to phishing pages. This is the first time we’ve seen scammers do that,” Umawing told SecurityWeek via email.
Scams and spam
Not surprisingly, a large number of phony websites have been created by scammers over the past months. Trend Micro has come across a fake website selling tickets at prices almost 4000% higher than the price on FIFA’s official website.
“[This scam was] particularly interesting as it was set up to work in multiple countries and languages,” Jon Clay, Sr. Manager of Threat Research at Trend Micro, told SecurityWeek. “Multiple domains within different countries were used and were hosted within a major hosting provider’s infrastructure.”
“Spam and phishing emails are particularly common with spam being used to sell merchandise and phishing to steal credentials. Phishing websites are often used for ticket scams and other items in an effort to steal credit card data. Online ticket scams are also a big option as there are games going on all over the world to take advantage of,” Clay explained.
Anonymous hackers in Brazil began protesting against the World Cup more than 6 months ago. The hacktivists are unhappy with the high amounts of money that the Brazilian government spent around the World Cup, which they believe could have been used for more pressing issues that affect citizens.
In addition to targeting Brazilian government websites, hacktivists have threatened companies that sponsor the World Cup, including Coca Cola, Visa, Sony, Adidas, Emirates airlines, Budweiser and McDonald’s.
“Regardless of threat profile, an event of this magnitude must have a heightened level of readiness to a physical or cyber security related event. By the time a group like this makes a public announcement, much of the infiltration phase has already been done. These threat actors are smart and they don’t start to show their cards until they are well into the operational phase of their campaign,” TK Keanini, the CTO of Lancope, told SecurityWeek.
Keanini appears to be right. Individuals involved in the hacktivist operation have told Reuters that they’ve already tested the systems of their targets for vulnerabilities.
“When we consider the World Cup and the level of talent competing, it helps us frame the challenges many face in cybersecurity. It is not as much about the technology (the shoes, the ball, etc.), as it is about the game play and talent, where as soon as one side makes a mistake, it is exploited by the other team,” Keanini added.
“This is the same thing that happens in cybersecurity and in some cases, the adversaries have an overwhelming advantage in terms of talent. Businesses have to have this gaming frame of mind when they build their cybersecurity practice – it is about the game play, not the technology.”
At least some of the cyberattacks targeting FIFA World Cup 2014 sponsors and partners will likely be distributed denial-of-service (DDoS) attacks.
“Distributed denial of service attacks often come into play in public controversies and protests, and it’s no secret that there is a great deal of controversy surrounding the World Cup in Brazil. At this point, preparation for denial of service attacks should be standard practice for any organization with a large, mission critical presence on the web,” Tom Cross, Lancope director of security research, told SecurityWeek.
“However, every organization with an Internet network can do their part to make sure that they don’t have services running on their network that can be leveraged by attackers for traffic reflection and amplification. DNS servers, NTP servers, SNMP services, Voice over IP services and XML-RPC pingback services in particular should be checked to make sure that they don’t provide a springboard for denial of service attacks.”
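The check Cross describes is a configuration audit on the defender’s own hosts. The script below is an added example written for this article, not code from Lancope or any vendor quoted here; it inspects constructed sample configs for three of the services he names (classic ntpd, BIND and net-snmp), using the real directives those daemons accept, and reports the settings that would let the host act as a reflector alongside the hardened form of each. The sample config contents and the finding strings are assumptions made for illustration.

```python
"""Audit ntpd, BIND and net-snmp configs for settings that make a host usable
as a DDoS reflector. Added example; the sample configs below are constructed."""
import re

# Constructed ntp.conf: 'monitor' (the monlist query) still enabled and the
# default restriction lacks 'noquery', so anyone can issue control queries.
WEAK_NTP = """\
driftfile /var/lib/ntp/drift
server 0.pool.ntp.org
restrict default kod nomodify notrap nopeer
"""
HARDENED_NTP = """\
driftfile /var/lib/ntp/drift
server 0.pool.ntp.org
disable monitor
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
"""

# Constructed named.conf: recursion on for every client (an open resolver).
WEAK_NAMED = """\
options {
    directory "/var/cache/bind";
    recursion yes;   // answers recursive queries from the whole Internet
};
"""
HARDENED_NAMED = """\
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-recursion { localnets; 127.0.0.1; };
};
"""

# Constructed snmpd.conf: well-known community, reachable from any source.
WEAK_SNMPD = "rocommunity public\n"
HARDENED_SNMPD = "rocommunity s3cr3t-string 192.0.2.0/24\n"


def _lines(text, markers=("#",)):
    """Drop comments and blank lines, return stripped lines."""
    out = []
    for line in text.splitlines():
        for m in markers:
            if m in line:
                line = line[:line.index(m)]
        if line.strip():
            out.append(line.strip())
    return out


def audit_ntp(conf):
    """Flag ntpd settings that leave monlist/control queries open to all."""
    findings, lines = [], _lines(conf)
    monitor_off = any(re.fullmatch(r"disable\s+.*\bmonitor\b.*", l) for l in lines)
    defaults = [l for l in lines if re.match(r"restrict\s+(-[46]\s+)?default\b", l)]
    noquery_default = bool(defaults) and all("noquery" in l.split() for l in defaults)
    if not defaults:
        findings.append("ntp: no 'restrict default' line; all clients unrestricted")
    if not (monitor_off or noquery_default):
        findings.append("ntp: monlist reachable; add 'disable monitor' or 'noquery'")
    return findings


def audit_named(conf):
    """Flag a BIND server that recurses for arbitrary clients."""
    text = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    joined = " ".join(_lines(text, markers=("//", "#")))
    recursion_off = re.search(r"\brecursion\s+no\s*;", joined) is not None
    limited = re.search(r"\ballow-recursion\s*\{[^}]*\}\s*;", joined)
    # BIND recurses by default, so absence of 'recursion no' counts as on.
    if not recursion_off and (limited is None or re.search(r"\bany\b", limited.group(0))):
        return ["dns: open recursive resolver; set 'recursion no' or limit allow-recursion"]
    return []


def audit_snmpd(conf):
    """Flag net-snmp communities that are guessable or unrestricted by source."""
    findings = []
    for l in _lines(conf):
        parts = l.split()
        if parts and parts[0] in ("rocommunity", "rwcommunity"):
            community = parts[1] if len(parts) > 1 else ""
            source = parts[2] if len(parts) > 2 else "default"
            if community.lower() in ("public", "private"):
                findings.append(f"snmp: well-known community '{community}' on {parts[0]}")
            if source == "default":
                findings.append(f"snmp: {parts[0]} '{community}' accepts any source network")
    return findings


def audit_all(ntp_conf, named_conf, snmpd_conf):
    return audit_ntp(ntp_conf) + audit_named(named_conf) + audit_snmpd(snmpd_conf)


if __name__ == "__main__":
    for label, confs in (("weak", (WEAK_NTP, WEAK_NAMED, WEAK_SNMPD)),
                         ("hardened", (HARDENED_NTP, HARDENED_NAMED, HARDENED_SNMPD))):
        print(label, audit_all(*confs) or "no amplification-prone settings")
```

Run against the constructed configs, the weak set yields four findings and the hardened set none. Pointing the functions at real `/etc/ntp.conf`, `named.conf` and `snmpd.conf` contents gives a quick inventory of which hosts still need the `noquery`/`disable monitor`, `allow-recursion` and community-source changes before an event window.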
Those who plan on visiting Brazil should be careful when making payments with their credit card and when withdrawing money at ATMs. There are a number of ways fraudsters can steal payment card data from World Cup attendees.
First of all, they can do it with the aid of skimming devices installed at ATMs. Brazil has the largest number of ATMs in the world, so fraudsters have plenty to choose from.
Malware can also be used to target banks and their customers. Some threats, also known as “jackpot” malware, are planted on ATMs with USB sticks and enable fraudsters to remove all the money from the machines. Other types of malware, like the “Chupa Cabra malware” (Trojan-Spy.Win32.SPSniffer), are installed on PoS and PIN pad devices and they’re capable of harvesting Track 1 data (credit card number, expiration date, service code and CVV) from the payment cards.
“WiFi networks are pretty important for most travelers since LTE or 3G roaming data is pretty expensive; they just look for any available WiFi network and stop thinking about whether it is secured or not. Such unknown and open WiFi networks, even if they belong to coffee shops, malls and others, are potentially dangerous since the data (network packets) travels unencrypted and may be intercepted by cybercriminals,” explained Bestuzhev.
Bestuzhev told SecurityWeek that Kaspersky Lab analyzed around 6,000 different APs located in Sao Paulo and found that there is a big risk of becoming a victim of such attacks, as 26% of all networks were completely open, and 12% had weak security that could be broken in a matter of minutes.
The World Cup is a highly anticipated event that creates enormous waves of network traffic all over the world, Sam Glines, CEO of cloud-based threat intelligence solutions provider Norse, told SecurityWeek.
“Criminal organizations love events like this, because targets tend to be numerous and highly concentrated around a few predictable websites (FIFA, broadcasters, etc). Anxiety leading up to the events themselves can lead network managers to hastily add capacity with less-than-great security rigor, ironically making some of the most obvious targets easier to hack,” Glines explained.
“Finally the abnormally high Internet traffic can make it tougher for even well-prepared security organizations to recognize and stop data thefts in-progress,” Glines said. “Whether it’s employees streaming the matches on their work laptop, execs buying tickets online to the games themselves, or major sponsors buying billions of banner-ad impressions to propagate their brand, individuals and companies need to be extra careful around this time.”