
How Hackers Could Hit Super Bowl LIII

Security threats and concerns abound for the year's biggest football game. What officials and fans can do about it.

Super Bowl LIII will draw the attention of millions of people around the world – and cybercriminals hoping to exploit attendees and fans before and during the big game.

Major sporting events are hot targets for cyberattacks. Consider the 2018 Winter Olympics, when attackers impersonated a North Korean nation-state group to target the Games and more than 300 associated organizations were hit with a phishing attack. Or the World Cup, when the Wallchart phishing campaign delivered malware under the guise of a game-related email.

The massive audience captivated by major sports games, concerts, political events, and similar large-scale gatherings gives attackers a perfect opportunity to strike. If they're looking to launch a phishing campaign, they have a wealth of potential targets who will click links related to the event. If they want to cause disruption, millions of eyes will be watching when they do.

Unlike the Olympics or World Cup, the Super Bowl is a one-day spectacle, which narrows attackers' window. "I think the primary threat with an event like this is something disruptive in nature – it's a pretty common trend nowadays," says Tom Hegel, director of threat research and analysis for ProtectWise, which runs a network detection and response service often integrated into pop-up SOCs, and which has worked with events similar to the Super Bowl in scale. There is a greater chance of hacktivism during these events, for example, Hegel adds.

In professional leagues, there is precedent for hackers targeting specific teams and their critical data, says Tom Kellermann, chief cybersecurity officer at Carbon Black. Television networks and online gambling sites, especially during the pregame and halftime show, are targets. However, he is most concerned with watering hole attacks, malicious SMS, and destructive attacks on American companies.

"The Super Bowl is a global affair but it represents all that is American," Kellermann says. "Given the heightened state of geopolitical tension and given that most Americans, including cybersecurity professionals, will be watching, the game represents an opportune time to target businesses and consumers throughout the US."

As with most cyberattacks, there is a financial motivation to target the Super Bowl. "There's a huge amount of transactions going on there at the same time," Hegel points out.

Ticket forgery and fake bar codes are also common concerns with these events, adds David Gold, ProtectWise vice president of solutions architecture. People may try to steal press credentials, or those who have credentials may post pictures online showing the bar code.

The Super Bowl brings a long list of security challenges. The stadium's network is overwhelmed with an unusually high number of fans, many of whom may bring infected or poorly secured devices, putting themselves and others at risk. The security team must understand and monitor the network, identify suspicious devices, and detect threats in a chaotic environment.

"The sheer amount of people who come to these events is staggering," says Gold. "Separating the noise from the things you actually care about is very challenging for an event of this scale."

The NFL, which was contacted for this article, declined to discuss Super Bowl cybersecurity issues.

Security: More Than A Metal Detector

Planning and implementing security measures at the Super Bowl is a "big, coordinated effort," Gold emphasizes. The National Football League (NFL), the network security team, and law enforcement are only three of many players involved with ensuring the Super Bowl is secure. Oftentimes organizations like the NFL hire external vendors or academia to help with security: in the past, Gold says, high-profile university programs have gotten involved with the game.

Kickoff is at Atlanta's Mercedes-Benz Stadium, which has a whopping 1,800 wireless access points in the seating bowl and concourse. John Clay, director of global threat communications for Trend Micro, predicts scammers will be nearby to launch fraudulent Wi-Fi networks. "The more technology in these places, the bigger the attack surface becomes," he says.

Threat monitoring is no small feat. "Coordination can be a huge challenge with scanning this stuff," Gold notes. "Getting everything deployed is the biggest challenge. There are a lot of factors, a lot of different groups involved."

The average security operations center uses 50 to 70 different tools – the Super Bowl doesn't have time or resources to install those for one event. They need tech that can be spun up quickly and doesn't require many people to operate. Cloud deployment is helpful here because it lets on-site teams expand to include remote experts, according to Gold.

To tackle security, organizations running major events typically have a SOC on-site with their own analysts and response teams available in case of an incident. Pop-up SOCs ProtectWise has worked with have threat hunters on the ground to triage and respond to alerts. Because its service is cloud-based, there are additional experts on the backend to offer support, help customers respond to unknown activity, provide context on incidents, and generate telemetry reports if needed.

But what are they tracking? Pretty much everything, says Gold. The pop-up SOC monitors endpoints, data, servers, websites, video streaming, rogue access points, point-of-sale systems, and the networks for different groups: teams, media, attendees. Externally, they're watching threat actor groups, the Dark Web, and social media platforms.

"You have to think of every single attack vector, and what the risk is of that impacting the event or the game," says Gold. Other potential risks at the game could include card skimmers and keyloggers at stadium ATMs, and malicious USBs installed in device charging stations.

Fans as Targets

The NFL isn't the only one on alert this Super Bowl Sunday – people attending the game, watching online, researching articles, and shopping for merchandise should be wary as well.

"It's not just a game," says Jessica Ortega, website security research analyst with SiteLock. "That's something a lot of fans don't realize – it's a whole tourist attraction, basically, for the week and days leading up to the Super Bowl."

Clay warns fans to exercise caution when reading websites and emails related to the game in the days prior. Spam campaigns, phishing attacks, and fraudulent sites may be designed to look like the Super Bowl homepage, ticket sales page, or another related website. Malvertisements may compromise legitimate sites and redirect fans to malicious pages or get them to download content.

"In the last few years, we tend to not see the huge spray-and-pray types of campaigns," he adds. "[Attackers] tend to be more targeted in their approach now." Some may purchase lists of names and email addresses for people interested in sporting events; others will do some OSINT gathering and scan social media looking for team fans they can hit with targeted attacks.

For those fans buying merchandise online, check to make sure the site is legitimate and only purchase from official sellers, says Ortega. There's a lot of SEO spam getting injected into websites, and ecommerce sites selling sports memorabilia are being compromised, she notes. To her point, ZeroFox recently discovered nearly 500 advertisements on marketplaces for Super Bowl-related merchandise, many providing minimal information about where the goods came from – a sign they're counterfeit.

"Be aware of what you're looking at, what you're downloading, what you're getting on your phones and all devices," says Clay. "When you're looking at news and want information on the event, be cautious of what you're clicking on or downloading from a website or email message."

Super Bowl attendees planning to pay using their phones at the event should download a VPN to protect their transactions, Ortega notes, and use cash to pay if possible. Fans should also safeguard their tickets, both online and physical, to protect the bar codes from being stolen, and resist the urge to post any photos of tickets or game credentials on social media.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

User Rank: Apprentice
2/18/2019 | 3:28:40 AM
And I did not even know about this, thanks for telling me!
User Rank: Ninja
2/4/2019 | 9:42:56 AM
Great Article!
This was very well written and well received. The cynical side of me would say that a cyber attack would have made yesterday's Super Bowl more exciting than the game or half-time show provided.

I noticed that one of the sports betting apps that is commonly used went down. Not sure yet if it was due to activity/controversy of prop bets or due to a cyber attack. I believe a statement has yet to be released.