Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

London 2012 Olympics Scammers Seek Malicious Gold

Expect escalating levels of malware, fake mobile apps, and online scams in the lead-up to this summer's Olympics, warns the Department of Homeland Security.

Defense Tech: 20 War-Fighting Innovations
Military Transformers: 20 Innovative Defense Technologies
(click image for larger view and for slideshow)
As the start of the Summer Olympics on July 27 in London nears, malware creators continue to try to cash in--using fake mobile apps, online scams, Olympics-themed malware, and even search engine optimization attacks.

That warning comes by way of the recently released "Strategic Outlook: 2012 Summer Olympic Games" report from the Department of Homeland Security's National Cybersecurity and Communications Integration Center. The guide was assembled in conjunction with multiple agencies--at home and abroad--including the U.S. Computer Emergency Readiness Team (US-CERT).

Scams--including many "lottery notifications"--related to the London Summer Olympics date back to at least 2008, according to security vendor Trend Micro. Since then, however, more attackers have begun referencing the Olympics, hoping to trick people into downloading malicious screensavers or opening malicious files.

One recent spam attack, for example, arrives with a malicious attachment titled "Early Check-In 2012 Olympics.doc." Currently, only one-third of virus scanners appear to be blocking the file, which is really a Trojan dropper application used "to deliver an enclosed payload onto a destination host computer," according to Symantec.

[ Want to stop hackers from stealing sensitive data about your users? Consider 7 Lessons From MilitarySingles.com Hack. ]

DHS has also seen an increasing number of attacks using search engine optimization (SEO) poisoning techniques. "Criminals will promote malicious sites with search engine results to distribute malware to victim systems. The most prevalent type of malware distributed through this type of attack is rogueware or fake antivirus, which tricks users into purchasing fake security software," it said. Meanwhile, with Yahoo regularly being the top site to which people go for online Olympics coverage, DHS warned that "it is probable that criminals will target Yahoo for SEO poisoning in an effort to infect the maximum number of systems across the globe."

Another concern will be fake mobile applications, especially with numerous businesses--including the BBC, NBC, Samsung, as well as Visa--launching new applications for the Summer Olympics. "The development and deployment of 2012 Olympics-related mobile applications will be the largest of any previous Olympics," according to the DHS advisory. "Criminals will probably capitalize on this trend and launch fake Olympics-related applications in mobile marketplaces to steal financial and personal information."

To help block attacks, DHS recommended that businesses and organizations monitor all network traffic for signs that they've been breached and log all unsuccessful incoming-email attempts to help identify when a phishing attack is underway. Notably, attackers will typically guess the combination of first and last name used to create internal email addresses. Accordingly, watch for any incoming messages aimed at combinations that aren't used by the organization.

"This is probably the first sign your organization may be targeted," according to the DHS advisory. "By reviewing logs shortly after trigger events, it is possible to learn whether attempts are being made and thus new rule sets can be created to block the sender and alert the individual they are being targeted. Also, if it is determined an attack against an individual or group is possibly occurring, notify the individual or group to be more aware of the threat."

While attention is now focused on the 2012 Summer Olympics, DHS noted that attacks related to the 2014 Winter Olympics, set to be hosted in Sochi, Russia, have already begun. In particular, the Anonymous Kavkaz group (a.k.a. Adiga Hackers)--based in the country's North Caucasus region--have launched "Operation Blackhole" to target the Winter Olympics website as well as the website of Russian mobile phone operator and Olympics sponsor MegaFon.

According to the DHS advisory, Anonymous Kavkaz believes that "the Olympic complex is being built upon mass graves from the Circassian genocide," which occurred in the 19th century. The group has already claimed to have taken down the public websites of Russian president Vladimir Putin and the Kremlin, as well as the Russian Commercial Bank.

"This is the first time Russia has hosted the Olympics (the 1980 Olympic Games were held in the USSR) and officials are actively monitoring the region for any indication of unrest," according to DHS. "Russia has recently deployed military forces to the North Caucasus as part of a broader effort to stabilize the region in the lead-up to the 2014 Olympics."

Interestingly, these aren't the first online attacks related to the 2014 Winter Olympics. In late 2010, the websites of multiple news outlets in Sochi were targeted by online attackers in retaliation for their criticism of proposed Olympics construction being situated near UNESCO-protected sites. According to the DHS advisory, "it is unknown who perpetrated this series of attacks, but their choice of targets indicates the attacker was possibly attempting to subdue opposition." In other words, the Russian government, or people working with the government, appear to have launched the attacks.

Employees and their browsers might be the weak link in your security plan. The new, all-digital Endpoint Insecurity Dark Reading supplement shows how to strengthen them. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
News
Former CISA Director Chris Krebs Discusses Risk Management & Threat Intel
Kelly Sheridan, Staff Editor, Dark Reading,  2/23/2021
Edge-DRsplash-10-edge-articles
Security + Fraud Protection: Your One-Two Punch Against Cyberattacks
Joshua Goldfarb, Director of Product Management at F5,  2/23/2021
News
Cybercrime Groups More Prolific, Focus on Healthcare in 2020
Robert Lemos, Contributing Writer,  2/22/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Building the SOC of the Future
Building the SOC of the Future
Digital transformation, cloud-focused attacks, and a worldwide pandemic. The past year has changed the way business works and the way security teams operate. There is no going back.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-27225
PUBLISHED: 2021-03-01
In Dataiku DSS before 8.0.6, insufficient access control in the Jupyter notebooks integration allows users (who have coding permissions) to read and overwrite notebooks in projects that they are not authorized to access.
CVE-2021-27132
PUBLISHED: 2021-02-27
SerComm AG Combo VD625 AGSOT_2.1.0 devices allow CRLF injection (for HTTP header injection) in the download function via the Content-Disposition header.
CVE-2021-25284
PUBLISHED: 2021-02-27
An issue was discovered in through SaltStack Salt before 3002.5. salt.modules.cmdmod can log credentials to the info or error log level.
CVE-2021-3144
PUBLISHED: 2021-02-27
In SaltStack Salt before 3002.5, eauth tokens can be used once after expiration. (They might be used to run command against the salt master or minions.)
CVE-2021-3148
PUBLISHED: 2021-02-27
An issue was discovered in SaltStack Salt before 3002.5. Sending crafted web requests to the Salt API can result in salt.utils.thin.gen_thin() command injection because of different handling of single versus double quotes. This is related to salt/utils/thin.py.