Maybe We're Not Ready for Some Football

The latest Storm worm come-on targets fantasy football fanatics. How should enterprises respond?

2:45 PM -- Yesterday, Sophos published a warning to sports fans who use online fantasy sports sites. It urges fantasy sports fans to "rethink their game strategies, as league profiles could be used for targeted phishing attacks stemming from information posted on these sites."

Less than a month ago, Sophos published a similar warning regarding Facebook users, stating that 41 percent of the users they contacted were willing to give up personal information. This research shouldn't come as a surprise -- online users are simply too trusting.

I regularly joke that outrageous topics "must be true, because I read it on the Internet." Sadly, I'm only half joking, as this seems to be the mindset of so many Internet users. I'm constantly amazed at how trusting users can be with their information on social networking sites such as MySpace and Facebook -- and now, on fantasy sport sites. The risk of phishing and identity theft is certainly increased as users post their information on these sites, making it easier for scammers to target messages to them.

In its warning, Sophos notes that some companies are considering restricting fantasy sports sites, which also isn't a surprise. How many companies are currently blocking time-sapping sites such as eBay and MySpace? Some companies already block ESPN, so fantasy sports sites are simply a natural progression as management tries to find better ways to make employees more productive.

This issue goes beyond scams and loss of productivity, directly affecting the security of company computers and networks. The latest iteration of Storm worm emails targets NFL fans by offering a "game ticker" that keeps fans updated on the latest team and game stats.

Sophos's information about the Storm messages is a little misleading. The messages themselves contain enticing subjects like "Do you have your NFL Game List?" and "Are you ready for some football?" The bodies of the messages contain a URL to a Storm worm-infected host that serves up a very convincing page with links to "tracker.exe" or "NFLSeasonTracker.exe."

Unlike previous versions of Storm worm Web pages, the current "NFL" pages do not contain exploit code -- only links to the executables. They rely on users to trustingly download and run the malicious file. Because the page carries no exploit, this approach doesn't compromise users on the spot, even if they're not fully patched; it depends on users downloading the file and infecting themselves.
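One way a mail team could triage for this particular lure, as an added example that is not part of the column: it checks for the quoted subject lines and for direct links to the named executables over constructed sample messages (the hostnames are placeholders, not real indicators).

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Subject lines quoted in the column, compared case-insensitively.
LURE_SUBJECTS = {"do you have your nfl game list?",
                 "are you ready for some football?"}
# Executable names the lure page links to, per the column.
LURE_EXES = {"tracker.exe", "nflseasontracker.exe"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def exe_names(body):
    """Basenames of every URL in the body that points straight at a .exe."""
    names = []
    for url in URL_RE.findall(body):
        name = urlparse(url).path.rsplit("/", 1)[-1].lower()
        if name.endswith(".exe"):
            names.append(name)
    return names


def triage(raw):
    """Classify one raw RFC 822 message (single-part text assumed)."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip().lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    exes = exe_names(body)
    hits = {
        "subject": subject in LURE_SUBJECTS,
        "direct_exe": bool(exes),
        "known_exe": any(n in LURE_EXES for n in exes),
    }
    # A known executable name alone is enough to flag; otherwise require the
    # quoted subject plus a bare .exe link, since the page carries no exploit.
    flagged = hits["known_exe"] or (hits["subject"] and hits["direct_exe"])
    hits["verdict"] = "storm-nfl-lure" if flagged else "clean"
    return hits


# Constructed samples; hostnames are placeholders, not real indicators.
SAMPLE_LURE = (
    "From: ticker@example.invalid\n"
    "Subject: Do you have your NFL Game List?\n\n"
    "Keep up with every game: http://lure-host.invalid/nfl/tracker.exe\n"
)
SAMPLE_BENIGN = (
    "From: commissioner@example.invalid\n"
    "Subject: Are you ready for some football?\n\n"
    "Set your lineup before kickoff: http://league.example.invalid/lineup\n"
)
```

The benign sample shares a lure subject line but carries no executable link, so it stays clean; the subject alone is too common to block on.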

Working in a university, I have yet to figure out how to dissuade users from falling for these scams -- without implementing draconian measures that simply won't work in higher education environments. Enterprises should have it easier -- but that doesn't mean the users won't load them onto their home machines, which may be able to connect into the company network via a VPN.

If you've come up with a good awareness campaign that doesn't use hand-slapping or worse, let me know. We could all use a little coaching on this one.

— John H. Sawyer is a security geek on the IT Security Team at the University of Florida. He enjoys taking long war walks on the beach and riding pwnies. When he's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading
