The 49ers and Kansas City Chiefs aren’t the only ones with a big game to play on February 11th; this year, cybercriminals and cyber defenders will be facing off behind the scenes in a Super Bowl-sized bout of their own.
While the game will be in Vegas, attacks could be pouring in from all over the world; jamming the airwaves, taking advantage of ticket hopefuls, and grabbing every opportunity to use the event’s name and fame to cheat fans out of sensitive information.
Let’s analyze some game film and see what hackers could be cooking up for Super Bowl LVIII. As legendary college football coach Paul “Bear” Bryant said, “It's not the will to win that matters. It's the will to prepare to win that matters.”
The Perfect Target
With a nation full of fans watching, mostly on screens, the NFL playoffs present an almost irresistible target for cyber criminals.
Streaming, Betting, and Apps
Think of all the logins as people try to jump onto any streaming service carrying the big game. Think of all the phishing attempts as pre-game emails pop up promising to take you to the live coverage that much sooner – all you have to do is log in. Whoops, was that the real Paramount Plus? If not, you just got juked out of your credentials (and possibly became the victim of identity theft).
Fans should go directly through the streaming services or apps involved and avoid getting side-tracked by last-minute offers. Also, beware of apps that have popped up seemingly "just in time" for the game. Rely on services you've used with success before, and be especially wary of gambling applications. The Better Business Bureau (BBB) is warning of fraudulent sports betting apps as the playoffs loom just weeks away. Per the BBB, "con artists are pretending to be self-proclaimed handicappers who use insider information to place guaranteed bets on upcoming games."
Imagine what would happen if the network got taken over the mid-halftime show as bad actors spoofed a bomb threat with the whole [football] world watching? Or if one of those clever QR code ads that became the darling of last year's Super Bowl commercials actually led to a malicious website? Hey, if the San Diego Chargers could face off against the 49ers in an improbable '94 playoff bid, anything could happen.
With Super Bowl ad spots going for an average of $7 million, it's no surprise that criminals will try anything to hijack some of that attention and misdirect it if they can. Viewers should be on the lookout for spoofs and try to remain cool-headed in the moment. If you're receiving unsolicited pings from legitimate companies, don't click the link, call the number, or open the attachment (you won't find free tickets). Instead, look up the legitimate company in question and go through the contact information you find on their site if you really have to know.
Physical Systems at Allegiant Stadium
As early as last fall, the NFL started doing tabletop exercises with CISA in preparation for the cybersecurity demands of the big day. More than 100 stakeholders from the stadium, league, and government showed up to run through hypotheticals, including a scenario involving phishing, ransomware, a data breach, a potential insider threat, and possible repercussions on physical systems.
Said NFL Senior Vice President and Chief Security Officer Cathy Lanier, "At the NFL, we understand how important it is to practice as you play, and this week's exercise is the first of many simulations we will conduct prior to Super Bowl LVIII." It's clear that not only the fans will be targeted on that day, as the 65,000-seat facility prepares for any number of mishaps by any one of its 6,000 employees. When you factor in all league affiliates, reporters, and city and state officials with a hand in this event, you see how wide the attack surface spreads and how important it is to keep a tight formation, stick to the plan, and execute security plays with precision.
The Final Huddle
Anticipating the cyber scenarios we could face on game day allows us to craft the plays that will scramble the opposing defense. While the field might be different, the strategy is essentially the same:
- Go straight to the source and avoid engaging with unsolicited [Super Bowl-related] emails, even from companies you trust. Those are the most likely to be impersonated by hackers.
- Be wary of betting apps, last-minute offers, or quick links to watch the game. Stick with the services you already know and the login methods you're used to.
- Involved affiliates should run pre-game security plays now, keeping a tight eye on phishing, ransomware, and possible insider threat schemes. With human error involved in 74% of all data breaches, communicating security best practices with your team beforehand will be critical in avoiding mistakes.
The team to make it into the history books might still be undetermined, but with a little bit of strategy and preparation, we can at least predict one clear winner on February 11th – us.
Know how to sidestep even more Super Bowl fraud? Check out our blog on Common Social Media Scams and How to Avoid Them.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire.