Super Bowl LIII will draw the attention of millions of people around the world – and cybercriminals hoping to exploit attendees and fans before and during the big game.
Major sporting events are hot targets for cyberattacks. Consider the 2018 Winter Olympics, when attackers impersonated a North Korean nation-state group to target the Games and more than 300 associated organizations were hit with a phishing attack. Or the World Cup, when the Wallchart phishing campaign delivered malware under the guise of a game-related email.
The massive audience captivated by major sports games, concerts, political events, and similar large-scale gatherings gives attackers a perfect opportunity to strike. If they're looking to launch a phishing campaign, they have a wealth of potential targets who will click links related to the event. If they want to cause disruption, millions of eyes will be watching when they do.
Unlike the Olympics or World Cup, the Super Bowl is a one-day spectacle, which narrows attackers' window. "I think the primary threat with an event like this is something disruptive in nature – it's a pretty common trend nowadays," says Tom Hegel, director of threat research and analysis for ProtectWise, which runs a network detection and response service often integrated into pop-up SOCs, and which has worked with events similar to the Super Bowl in scale. There is a greater chance of hacktivism during these events, for example, Hegel adds.
In professional leagues, there is precedent for hackers targeting specific teams and their critical data, says Tom Kellermann, chief cybersecurity officer at Carbon Black. Television networks and online gambling sites, especially during the pregame and halftime show, are targets. However, he is most concerned with watering hole attacks, malicious SMS, and destructive attacks on American companies.
"The Super Bowl is a global affair but it represents all that is American," Kellermann says. "Given the heightened state of geopolitical tension and given that most Americans, including cybersecurity professionals, will be watching, the game represents an opportune time to target businesses and consumers throughout the US."
As with most cyberattacks, there is a financial motivation to target the Super Bowl. "There's a huge amount of transactions going on there at the same time," Hegel points out.
Ticket forgery and fake bar codes are also common concerns with these events, adds David Gold, ProtectWise vice president of solutions architecture. People may try to steal press credentials, or those who have credentials may post pictures online showing the bar code.
The Super Bowl brings a long list of security challenges. The stadium's network is overwhelmed with an unusually high number of fans, many of whom may bring infected or poorly secured devices, putting themselves and others at risk. The security team must understand and monitor the network, identify suspicious devices, and detect threats in a chaotic environment.
"The sheer amount of people who come to these events is staggering," says Gold. "Separating the noise from the things you actually care about is very challenging for an event of this scale."
The NFL, which was contacted for this article, declined to discuss Super Bowl cybersecurity issues.
Security: More Than A Metal Detector
Planning and implementing security measures at the Super Bowl is a "big, coordinated effort," Gold emphasizes. The National Football League (NFL), the network security team, and law enforcement are only three of the many players involved in ensuring the Super Bowl is secure. Organizations like the NFL often hire external vendors or academic institutions to help with security: in the past, Gold says, high-profile university programs have gotten involved with the game.
Kickoff is at Atlanta's Mercedes-Benz Stadium, which has a whopping 1,800 wireless access points in the seating bowl and concourse. John Clay, director of global threat communications for Trend Micro, predicts scammers will be nearby to launch fraudulent Wi-Fi networks. "The more technology in these places, the bigger the attack surface becomes," he says.
Threat monitoring is no small feat. "Coordination can be a huge challenge with scanning this stuff," Gold notes. "Getting everything deployed is the biggest challenge. There are a lot of factors, a lot of different groups involved."
The average security operations center uses 50 to 70 different tools – the Super Bowl doesn't have the time or resources to install those for one event. Event security teams need technology that can be spun up quickly and doesn't require many people to operate. Cloud deployment is helpful here because it lets on-site teams expand to include remote experts, according to Gold.
To tackle security, organizations running major events typically have a SOC on-site with their own analysts and response teams available in case of an incident. The pop-up SOCs that ProtectWise has worked with have threat hunters on the ground to triage and respond to alerts. Because its service is cloud-based, there are additional experts on the backend to offer support, help customers respond to unknown activity, provide context on incidents, and generate telemetry reports if needed.
But what are they tracking? Pretty much everything, says Gold. The pop-up SOC monitors endpoints, data, servers, websites, video streaming, rogue access points, point-of-sale systems, and the networks for different groups: teams, media, and attendees. Externally, they're watching threat actor groups, the Dark Web, and social media platforms.
"You have to think of every single attack vector, and what the risk is of that impacting the event or the game," says Gold. Other potential risks at the game could include card skimmers and keyloggers at stadium ATMs, and malicious USBs installed in device charging stations.
Fans as Targets
The NFL isn't the only one on alert this Super Bowl Sunday – people attending the game, watching online, researching articles, and shopping for merchandise should be wary as well.
"It's not just a game," says Jessica Ortega, website security research analyst with SiteLock. "That's something a lot of fans don't realize – it's a whole tourist attraction, basically, for the week and days leading up to the Super Bowl."
Clay warns fans to exercise caution when reading websites and emails related to the game in the days prior. Spam campaigns, phishing attacks, and fraudulent sites may be designed to look like the Super Bowl homepage, ticket sales page, or another related website. Malvertisements may compromise legitimate sites and redirect fans to malicious pages or get them to download content.
"In the last few years, we tend to not see the huge spray-and-pray types of campaigns," he adds. "[Attackers] tend to be more targeted in their approach now." Some may purchase lists of names and email addresses for people interested in sporting events; others will do some OSINT gathering and scan social media looking for team fans they can hit with targeted attacks.
Fans buying merchandise online should check to make sure the site is legitimate and only purchase from official sellers, says Ortega. There's a lot of SEO spam getting injected into websites, and ecommerce sites selling sports memorabilia are being compromised, she notes. To her point, ZeroFox recently discovered nearly 500 advertisements on marketplaces for Super Bowl-related merchandise, many providing minimal information about where the goods came from – a sign they're counterfeit.
"Be aware of what you're looking at, what you're downloading, what you're getting on your phones and all devices," says Clay. "When you're looking at news and want information on the event, be cautious of what you're clicking on or downloading from a website or email message."
Super Bowl attendees planning to pay using their phones at the event should download a VPN to protect their transactions, Ortega notes, and use cash to pay if possible. Fans should also safeguard their tickets, both online and physical, to protect the bar codes from being stolen, and resist the urge to post any photos of tickets or game credentials on social media.