There are plenty of things that can spoil the World Cup: injuries, weather, bad calls. But don’t forget hackers.
Recently, the hacker collective known as Anonymous announced that it plans to target World Cup sponsors like Coca-Cola and Adidas in protest over Brazil’s lavish spending on the games at a time when the country struggles with basic needs like law enforcement, sanitation and medicine. But denial-of-service attacks on World Cup-affiliated websites may be the least of fans’ worries - because the world’s most-watched sporting event will also be open season for global online criminals.
Hackers love big news events - whether it’s a tragedy, celebrity gossip or sports. These events draw the attention and interest of consumers, who in turn are more likely to search for them online or open an email that mentions them. And few events have the kind of reach that the World Cup does - with hundreds of millions of people from around the world tuning in. As such, the World Cup is certain to be a huge draw for online scammers, who will deploy a wide array of clever tricks to try to find new victims.
For soccer fans around the world, here are five ways you could be targeted, and how to stay safe:
Phishing. One of the most prevalent types of online scams is email phishing. This attack involves sending a fraudulent or malicious email to an unsuspecting victim that appears to come from a legitimate authority, such as a bank (or, in this case, FIFA).
The primary objective of these emails is to steal your credit card or bank login information - which they will do either by infecting your computer with spyware, soliciting the information directly, or redirecting you to a fake website that asks for the information. FIFA has already warned soccer fans to watch out for phony World Cup emails offering land investment opportunities in Brazil, as well as fake ticket offers and prizes that look to be sent from FIFA itself. Consumers should also be wary of emailed offers on World Cup merchandise.
Tips to Stay Safe: Don’t open unsolicited or suspicious emails offering deep discounts on World Cup merchandise or other related offers, and definitely don’t click on any embedded links or download attachments. Consider using an email whitelist tool to manage who can send you emails. Don’t do your online banking from the same computer that you use to read emails and surf the Web.
Black Hat SEO. This scam involves hackers planting fake websites in search engine results to trick consumers into visiting those websites instead of the ones they were searching for. These sites will either solicit personal information directly or infect your computer with spyware that steals it later.
Security researchers have already found a number of fake websites set up to look like official FIFA World Cup sites, as well as sponsor and partner websites. Expect to see more of this ‘black hat SEO’ as the games progress - popular search terms, such as game highlights, player injuries, exclusive photos/videos, will attempt to lure victims to fraudulent sites.
These fake sites may appear in the general ‘web’ or ‘news’ search sections of Google, Bing and Yahoo, or, even more stealthily, they could be loaded into the ‘image’ and ‘video’ results sections, which are harder to scrutinize - so watch out.
Tips to Stay Safe: Be careful what you click on when searching the web: Try to avoid suspicious or lesser-known sites. Use a script-blocking browser plugin (like NoScript, NotScripts, etc.) to prevent some of these attacks.
Watering Hole Attacks. In addition to creating fake websites, hackers can also compromise legitimate websites by planting malicious code or malware that will then infect everyone who visits the site afterward. Often, these are smaller, less protected sites (e.g., online discussion forums, fan pages, etc.).
Tips to Stay Safe: Use the script-blocking plugins mentioned above and be cautious about visiting amateur websites that may not have proper security in place. Make sure your browser is running the latest security updates.
Social Media Baiting. As the World Cup heats up, social media networks will become inundated with shared posts and links from fans, including news stories, videos, surveys, photo mockups, calls-to-action and more. This is also a perfect venue for scammers.
Like email phishing, hackers use Facebook, Twitter and other social media platforms to spread malware via tiny URL links, photos, videos and fake ‘Likes.’ One of the more popular social media scams is ‘clickjacking’ - when the user thinks they’re clicking on a button or link to do one thing, when in reality it does something else (like steal your credentials, load malware, etc.).
Tips to Stay Safe: Treat social media posts and messages with the same level of scrutiny that you should apply to email. Remember, any time you click on a link, photo, video, article or button, it could potentially be hiding an attack that will launch against your computer.
Infected Apps. More people are likely to follow this year’s World Cup from their phones and tablets than ever before - and that means scammers have a new way to target them.
Fans who download unofficial FIFA World Cup apps, use Android devices, have jailbroken devices or who download from unofficial app stores are most at risk. What’s so risky about an app, you say? Well, an app requests all sorts of permissions to access content on your phone - some will even try to read your text messages, web browsing, contacts, etc. A malicious mobile app can potentially do a whole host of things, such as steal data from your phone (passwords, contacts, etc.), spy on you, send premium texts or place premium calls without your knowledge, etc. Security researchers already flagged one World Cup Android app that appears to have been taken down by Google: FIFA World Cup 2014 Live Match.
Tips to Stay Safe: Don’t download apps willy-nilly: Do some research before downloading anything to make sure it is legitimate, and only buy well-known apps. Check the permission requests before accepting an app - if it’s asking for too much access to your phone, don’t download it. Also, don’t jailbreak your device or buy from third-party app stores.
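For readers who want to see what “checking the permission requests” looks like in practice, here is an added example (not part of the original article) that audits an Android app’s manifest for the kinds of access described above. It assumes the manifest has already been decoded to text XML; the sample manifest, the package name and the list of “expected” permissions for a scores app are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Added mapping: real Android permission names -> the risks the article names.
RISKY = {
    "android.permission.READ_SMS": "read your text messages",
    "android.permission.SEND_SMS": "send premium texts without your knowledge",
    "android.permission.CALL_PHONE": "place premium calls without your knowledge",
    "android.permission.READ_CONTACTS": "read your contacts",
    "android.permission.RECORD_AUDIO": "spy on you through the microphone",
}
# Assumption: what a match-scores or news app plausibly needs.
EXPECTED = {"android.permission.INTERNET", "android.permission.ACCESS_NETWORK_STATE"}

# Constructed sample manifest, not taken from any real app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.matchscores">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission-sdk-23 android:name="android.permission.CALL_PHONE"/>
  <application android:label="Match Scores"/>
</manifest>
"""

def requested_permissions(manifest_xml):
    """Return the permission names a manifest requests, in order, de-duplicated."""
    root = ET.fromstring(manifest_xml.strip())
    names = []
    for el in root:
        if el.tag in ("uses-permission", "uses-permission-sdk-23"):
            name = el.get(ANDROID_NS + "name")
            if name and name not in names:
                names.append(name)
    return names

def audit(manifest_xml):
    """Split requested permissions into known-risky and merely unexpected."""
    perms = requested_permissions(manifest_xml)
    return {
        "risky": [(p, RISKY[p]) for p in perms if p in RISKY],
        "unexpected": [p for p in perms if p not in EXPECTED],
    }

if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST)
    for perm, why in report["risky"]:
        print(f"WARNING {perm}: lets the app {why}")
    print(f"{len(report['unexpected'])} permission(s) beyond what a scores app needs")
```

An app that only shows match scores has no reason to appear in the “risky” list at all; any hit there is grounds to skip the download.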
It’s important for World Cup fans to remember that today’s cyber criminals aren’t using sloppy 419 Nigerian email scams to con their victims. In many cases, these are highly-organized, professional crime rings that make a lot of money doing what they do. These groups also make and sell professional-grade “crimeware” kits to other criminals on the black market, making it easier for scammers to launch sophisticated, hard-to-spot attacks. Consumers will need to be extra vigilant to avoid falling victim.
Jason Glassberg is co-founder of Casaba, a white hat hacking firm that performs hacking tests and security consulting for major tech brands, banks, retailers, critical infrastructure, government agencies and Fortune 500s.