Dark Reading

Vulnerabilities / Threats

2/1/2019 12:00 PM
How Hackers Could Hit Super Bowl LIII

Security threats and concerns abound for the year's biggest football game. What officials and fans can do about it.

Super Bowl LIII will draw the attention of millions of people around the world – and cybercriminals hoping to exploit attendees and fans before and during the big game.

Major sporting events are hot targets for cyberattacks. Consider the 2018 Winter Olympics, when attackers targeting the Games planted false flags to look like a North Korean nation-state group, and more than 300 associated organizations were hit with phishing. Or the World Cup, when the Wallchart phishing campaign delivered malware disguised as a game-related email.

The massive audience captivated by major sports games, concerts, political events, and similar large-scale gatherings gives attackers a perfect opportunity to strike. If they're looking to launch a phishing campaign, they have a wealth of potential targets who will click links related to the event. If they want to cause disruption, millions of eyes will be watching when they do.

Unlike the Olympics or World Cup, the Super Bowl is a one-day spectacle, which narrows attackers' window. "I think the primary threat with an event like this is something disruptive in nature – it's a pretty common trend nowadays," says Tom Hegel, director of threat research and analysis for ProtectWise, which runs a network detection and response service often integrated into pop-up SOCs, and which has worked with events similar to the Super Bowl in scale. There is a greater chance of hacktivism during these events, for example, Hegel adds.

In professional leagues, there is precedent for hackers targeting specific teams and their critical data, says Tom Kellermann, chief cybersecurity officer at Carbon Black. Television networks and online gambling sites, especially during the pregame and halftime shows, are targets. However, he is most concerned with watering hole attacks, malicious SMS, and destructive attacks on American companies.

"The Super Bowl is a global affair but it represents all that is American," Kellermann says. "Given the heightened state of geopolitical tension and given that most Americans, including cybersecurity professionals, will be watching, the game represents an opportune time to target businesses and consumers throughout the US."

As with most cyberattacks, there is a financial motivation to target the Super Bowl. "There's a huge amount of transactions going on there at the same time," Hegel points out.

Ticket forgery and fake bar codes are also common concerns at these events, adds David Gold, ProtectWise vice president of solutions architecture. People may try to steal press credentials, or those who have credentials may post pictures online showing the bar code; a bar code that is legible in a photo can be reprinted and scanned at the gate by someone else before the rightful holder arrives.

The Super Bowl brings a long list of security challenges. The stadium's network is overwhelmed with an unusually high number of fans, many of whom may bring infected or poorly secured devices, putting themselves and others at risk. The security team must understand and monitor the network, identify suspicious devices, and detect threats in a chaotic environment.

"The sheer amount of people who come to these events is staggering," says Gold. "Separating the noise from the things you actually care about is very challenging for an event of this scale."

The NFL, which was contacted for this article, declined to discuss Super Bowl cybersecurity issues.

Security: More Than A Metal Detector

Planning and implementing security measures at the Super Bowl is a "big, coordinated effort," Gold emphasizes. The National Football League (NFL), the network security team, and law enforcement are only three of many players involved with ensuring the Super Bowl is secure. Often, organizations like the NFL hire external vendors or academia to help with security: in the past, Gold says, high-profile university programs have gotten involved with the game.

Kickoff is at Atlanta's Mercedes-Benz Stadium, which has 1,800 wireless access points in the seating bowl and concourse. John Clay, director of global threat communications for Trend Micro, predicts scammers will be nearby with fraudulent Wi-Fi networks, typically an open access point named to resemble the venue's official one so that fans' traffic passes through attacker-controlled hardware. "The more technology in these places, the bigger the attack surface becomes," he says.

Threat monitoring is no small feat. "Coordination can be a huge challenge with scanning this stuff," Gold notes. "Getting everything deployed is the biggest challenge. There are a lot of factors, a lot of different groups involved."

The average security operations center uses 50 to 70 different tools; the Super Bowl's security team doesn't have the time or resources to install those for a one-day event. It needs technology that can be spun up quickly and doesn't require many people to operate. Cloud deployment helps here because it lets on-site teams expand to include remote experts, according to Gold.

To tackle security, organizations running major events typically have a SOC on-site with their own analysts and response teams available in case of an incident. Pop-up SOCs ProtectWise has worked with have threat hunters on the ground to triage and respond to alerts. Because its service is cloud-based, there are additional experts on the backend to offer support, help customers respond to unknown activity, provide context on incidents, and generate telemetry reports if needed.

But what are they tracking? Pretty much everything, says Gold. The pop-up SOC monitors endpoints, data, servers, websites, video streaming, rogue access points, point-of-sale systems, and the networks for different groups: teams, media, attendees. Externally, they watch threat actor groups, the Dark Web, and social media platforms.
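The rogue-access-point monitoring mentioned here, and the fraudulent Wi-Fi networks Clay predicts above, come down to comparing what a scanner sees in the air against the venue's own inventory. The following is an added example, not code from the article, ProtectWise, or the stadium: it assumes the venue keeps an inventory of its managed access points (BSSID mapped to the security mode it was configured with), the vendor OUI of those APs, and the SSIDs it broadcasts. Every MAC address, SSID, and scan record below is constructed for illustration.

```python
"""Rogue / evil-twin access point triage over a Wi-Fi scan.

Added example (not from the article or any vendor named in it). Assumes a
venue inventory of managed APs; all MACs, SSIDs and beacons are constructed.
"""
from dataclasses import dataclass

# Assumed venue inventory (constructed values): SSIDs the stadium broadcasts,
# the vendor OUI (first three octets) of its managed APs, and each managed
# BSSID with the security mode it is configured for.
AUTHORIZED_SSIDS = {"Stadium-Free-WiFi", "Stadium-Media"}
AUTHORIZED_OUIS = {"00:11:22"}
AUTHORIZED_BSSIDS = {
    "00:11:22:aa:00:01": "OPEN",   # captive-portal guest network
    "00:11:22:aa:00:02": "WPA2",
    "00:11:22:aa:00:03": "WPA2",
}


@dataclass(frozen=True)
class Beacon:
    """One observed beacon frame, as a scanner would summarise it."""
    ssid: str
    bssid: str
    channel: int
    security: str   # "OPEN", "WPA2" or "WPA3"
    rssi: int       # dBm


def normalize_ssid(ssid: str) -> str:
    """Fold case, separators and the usual digit look-alikes so that
    'STADIUM FREE WIFI' and 'Stadium_Free_WiFi' compare equal."""
    table = str.maketrans({"0": "o", "1": "l", " ": "", "-": "", "_": ""})
    return ssid.lower().translate(table)


AUTHORIZED_SSIDS_NORM = {normalize_ssid(s) for s in AUTHORIZED_SSIDS}


def classify(b: Beacon) -> str:
    """Verdict for one beacon, from most to least trusted."""
    bssid = b.bssid.lower()
    expected = AUTHORIZED_BSSIDS.get(bssid)
    if expected is not None:
        # Known BSSID but the advertised security differs from what we
        # configured: config drift, or an attacker cloning our BSSID.
        return "authorized" if b.security == expected else "authorized-config-drift"
    if normalize_ssid(b.ssid) in AUTHORIZED_SSIDS_NORM:
        # Our SSID (or a look-alike) from hardware not in inventory: the classic
        # evil twin. A matching OUI does not exempt it; OUIs are trivially spoofed.
        return "evil-twin"
    if bssid[:8] in AUTHORIZED_OUIS:
        # Our vendor's prefix but not inventoried: a forgotten AP or a spoofed
        # OUI. Either way a human should look at it.
        return "unknown-managed-oui"
    if b.security == "OPEN":
        return "open-unmanaged"
    return "unmanaged"


def triage(scan):
    """Group beacons by verdict, strongest signal first within each group."""
    groups = {}
    for b in sorted(scan, key=lambda x: x.rssi, reverse=True):
        groups.setdefault(classify(b), []).append(b)
    return groups


# Constructed scan: one clean AP, one config drift, one evil twin, one
# uninventoried AP on our OUI, and two unrelated networks.
SCAN = [
    Beacon("Stadium-Free-WiFi", "00:11:22:aa:00:01", 1, "OPEN", -55),
    Beacon("Stadium-Media", "00:11:22:aa:00:02", 36, "OPEN", -58),
    Beacon("Stadium Free WiFi", "de:ad:be:ef:00:01", 6, "OPEN", -40),
    Beacon("Press-Printer", "00:11:22:aa:00:09", 11, "WPA2", -62),
    Beacon("Free Airport WiFi", "c0:ff:ee:00:00:01", 11, "OPEN", -75),
    Beacon("Broadcast-Truck-3", "c0:ff:ee:00:00:02", 149, "WPA2", -80),
]

if __name__ == "__main__":
    for verdict, beacons in triage(SCAN).items():
        print(verdict + ":")
        for b in beacons:
            print(f"  {b.ssid:20} {b.bssid} ch{b.channel:<4} {b.security:5} {b.rssi} dBm")
```

The ordering of the checks matters: a beacon carrying the venue's SSID from an uninventoried BSSID is called an evil twin even when its OUI matches the venue's vendor, because the OUI is the cheapest thing for an attacker to copy. The strongest signal is listed first because an evil twin parked near the gates will usually out-shout the real AP.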

"You have to think of every single attack vector, and what the risk is of that impacting the event or the game," says Gold. Other potential risks at the game include card skimmers and keyloggers on stadium ATMs, and malicious USB hardware planted in public charging stations, which can talk to a connected phone over its data pins rather than merely supplying power.

Fans as Targets

The NFL isn't the only one on alert this Super Bowl Sunday – people attending the game, watching online, researching articles, and shopping for merchandise should be wary as well.

"It's not just a game," says Jessica Ortega, website security research analyst with SiteLock. "That's something a lot of fans don't realize – it's a whole tourist attraction, basically, for the week and days leading up to the Super Bowl."

Clay warns fans to use caution when reading websites and emails related to the game in the days prior. Spam campaigns, phishing attacks, and fraudulent sites may be designed to look like the Super Bowl homepage, the ticket sales page, or another related website. Malicious ads served on otherwise legitimate sites may redirect fans to malicious pages or prompt them to download content.

"In the last few years, we tend to not see the huge spray-and-pray types of campaigns," he adds. "[Attackers] tend to be more targeted in their approach now." Some may purchase lists of names and email addresses for people interested in sporting events; others will do some OSINT gathering and scan social media looking for team fans they can hit with targeted attacks.

For fans buying merchandise online, check that the site is legitimate and only purchase from official sellers, says Ortega. SEO spam is being injected into websites, and e-commerce sites selling sports memorabilia are being compromised, she notes. To her point, ZeroFox recently discovered nearly 500 advertisements on marketplaces for Super Bowl-related merchandise, many providing minimal information about where the goods came from, a sign they may be counterfeit.
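The fraudulent look-alike sites Clay describes and the "make sure the site is legitimate" advice from Ortega both come down to spotting domains built to resemble the event's real properties. The following is an added example, not from the article, SiteLock, or Trend Micro, of how a SOC can score newly observed domains for that. It assumes a short list of brand tokens and an allowlist of the properties the SOC treats as legitimate; the "observed" domains are constructed and none of them is a known phishing site, and registrable-domain extraction is a two-label approximation because no public-suffix list is available offline.

```python
"""Look-alike domain scoring for event-themed phishing.

Added example, not code from the article or any vendor named in it. The
brand tokens, allowlist, and observed domains are assumptions / constructed.
"""
import re

BRAND_TOKENS = ("superbowl", "nfl")
ALLOWLIST = {"nfl.com", "superbowl.com"}   # assumed legitimate properties
LURE_WORDS = ("ticket", "tickets", "login", "stream", "free", "win", "verify", "account")

# Digits commonly swapped in for letters: superb0wl, nf1, t1ckets.
_DIGIT_GLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize_label(label: str) -> str:
    """Undo common glyph substitutions, including the two-letter ones 'rn'->'m'
    and 'vv'->'w' that a translate table cannot express."""
    return label.lower().translate(_DIGIT_GLYPHS).replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; labels are short, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Two-label approximation of the registrable domain (assumption: no
    public-suffix list offline, so 'co.uk'-style suffixes are not handled)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def score(domain: str):
    """Return (points, reasons); 0 points means nothing suspicious was found."""
    reg = registrable(domain)
    if reg in ALLOWLIST:
        return 0, ["allowlisted"]
    label = reg.split(".")[0]
    norm = normalize_label(label)
    parts = [p for p in re.split(r"[-_]+", norm) if p]
    points, reasons, brand_hit = 0, [], False
    for brand in BRAND_TOKENS:
        # Long brands may be embedded ('superbowltickets'); short ones only count
        # as a whole hyphen-delimited token, or 'sunflower' would match 'nfl'.
        if brand in parts or (len(brand) >= 6 and brand in norm):
            points += 3
            reasons.append(f"contains brand '{brand}'")
            brand_hit = True
            continue
        near = [p for p in parts if len(p) >= 4 and levenshtein(p, brand) == 1]
        if near:
            points += 3
            reasons.append(f"'{near[0]}' is one edit from '{brand}'")
            brand_hit = True
    if brand_hit and norm != label:
        points += 1
        reasons.append("glyph substitution")
    lures = [w for w in LURE_WORDS if w in parts]
    points += len(lures)
    if lures:
        reasons.append("lure words: " + ", ".join(lures))
    return points, reasons


def triage(observed, threshold=3):
    """Flag domains at or above the threshold, highest score first."""
    scored = [(domain, *score(domain)) for domain in observed]
    flagged = [s for s in scored if s[1] >= threshold]
    return sorted(flagged, key=lambda s: s[1], reverse=True)


# Constructed feed, e.g. new certificate-transparency or passive-DNS entries.
OBSERVED = [
    "www.nfl.com",
    "nfl-tickets-login.com",
    "superb0wl-stream.net",
    "superbowi-tickets.com",
    "sunflower-seeds.com",
    "bowling-league.org",
    "footballfans.example",
]

if __name__ == "__main__":
    for domain, pts, why in triage(OBSERVED):
        print(f"{pts:2d}  {domain:24} {'; '.join(why)}")
```

The score is deliberately crude: it exists to rank a day's new domains for a human, not to block anything automatically, and the brand-token list and allowlist would be replaced by whatever properties the event's own SOC considers legitimate.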

"Be aware of what you're looking at, what you're downloading, what you're getting on your phones and all devices," says Clay. "When you're looking at news and want information on the event, be cautious of what you're clicking on or downloading from a website or email message."

Super Bowl attendees planning to pay with their phones at the event should use a VPN to protect their transactions, Ortega notes, and pay with cash if possible. A VPN keeps a rogue access point from reading or tampering with traffic on the venue's Wi-Fi; it does not protect a fan who is lured onto a phishing page, and using cellular data instead of venue Wi-Fi sidesteps the rogue-AP problem altogether. Fans should also safeguard their tickets, both online and physical, to keep the bar codes from being copied, and resist the urge to post photos of tickets or game credentials on social media.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

Comments
RyanSepe, 2/4/2019 | 9:42:56 AM
Great Article!
This was very well written and well received. The cynical side of me would say that a cyber attack would have made yesterday's Super Bowl more exciting than the game or half-time show provided.

I noticed that one of the sports betting apps that is commonly used went down. Not sure yet if it was due to activity/controversy of prop bets or due to a cyber attack. I believe a statement has yet to be released.

t_madison, 2/18/2019 | 3:28:40 AM
Helpful
And I did not even know about this, thanks for telling me!
GitHub Named in Capital One Breach Lawsuit
Dark Reading Staff 8/14/2019
The Mainframe Is Seeing a Resurgence. Is Security Keeping Pace?
Ray Overby, Co-Founder & President at Key Resources, Inc.,  8/15/2019
The Flaw in Vulnerability Management: It's Time to Get Real
Jim Souders, Chief Executive Officer at Adaptiva,  8/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5034
PUBLISHED: 2019-08-20
An exploitable information disclosure vulnerability exists in the Weave Legacy Pairing functionality of Nest Cam IQ Indoor version 4620002. A set of specially crafted weave packets can cause an out of bounds read, resulting in information disclosure. An attacker can send packets to trigger this vuln...
CVE-2019-5035
PUBLISHED: 2019-08-20
An exploitable information disclosure vulnerability exists in the Weave PASE pairing functionality of the Nest Cam IQ Indoor, version 4620002. A set of specially crafted weave packets can brute force a pairing code, resulting in greater Weave access and potentially full device control. An attacker c...
CVE-2019-5036
PUBLISHED: 2019-08-20
An exploitable denial-of-service vulnerability exists in the Weave error reporting functionality of the Nest Cam IQ Indoor, version 4620002. A specially crafted weave packets can cause an arbitrary Weave Exchange Session to close, resulting in a denial of service. An attacker can send a specially cr...
CVE-2019-8103
PUBLISHED: 2019-08-20
Adobe Acrobat and Reader versions, 2019.012.20035 and earlier, 2019.012.20035 and earlier, 2017.011.30142 and earlier, 2017.011.30143 and earlier, 2017.011.30142 and earlier, 2015.006.30497 and earlier, and 2015.006.30498 and earlier have an out-of-bounds read vulnerability. Successful exploitation ...
CVE-2019-8104
PUBLISHED: 2019-08-20
Adobe Acrobat and Reader versions, 2019.012.20035 and earlier, 2019.012.20035 and earlier, 2017.011.30142 and earlier, 2017.011.30143 and earlier, 2017.011.30142 and earlier, 2015.006.30497 and earlier, and 2015.006.30498 and earlier have an out-of-bounds read vulnerability. Successful exploitation ...