Sunday, June 13, 2010

Keep one eye on the ball and the other on the NET!

Cybercrime skyrockets in build up to FIFA World Cup as soccer fans fall victim to bogus websites, on-line fraud, Phishing and spam attacks.

With the FIFA World Cup due to kick-off in just a few weeks time, football fever is beginning to spread across the 32 nations involved in this year’s tournament. With more than 1 billion football fans around the world expected to tune in to cheer on their favorite teams, and tens of thousands of travelling fans, the football World Cup is undisputedly one of the greatest events on the sporting calendar.

This year the tournament will take place in South Africa, the first African nation ever to host the World Cup. In preparation, South Africa has made a number of large investments, including building five new stadiums, improving the public transport infrastructure and implementing special measures to ensure all aspects of safety and security are planned for.

Unfortunately, as with all global sporting events, cybercriminals have been targeting fans in order to gain large profits. With today's ease of purchasing entrance tickets, organized trips or merchandise online, cybercriminals do not have to exert too much effort in reaching their targets. A well-disguised link or website can lead unsuspecting victims to the predator. Filling out contact or credit-card details on bogus websites can easily result in the loss of money or even to identity theft.

As eager football fans desperately scour the internet to secure tickets to their dream match or to book that last hotel room, a plethora of fake websites have sprung up, all of which are more than happy to collect money from unwary fans. To date, FIFA has identified approximately 100 websites in violation globally, with the majority, approximately 32% based in the US, 15% in the UK and 15% in South Africa.

Typically, attackers on the internet have tried and tested methods to defraud victims. These include attempting to compromise legitimate websites to gain sensitive information or sending spam emails or SMS’ to users with the aim of persuading them to follow links to illegitimate websites where personal information is then harvested. Historically, Phishing attacks have skyrocketed around major sporting events; prior to the pervious FIFA World Cup in Germany, related spam increased by around 40% and over 4000 Phishing hosts were discovered every month during the tournament build up.

These shocking statistics are likely to be further exacerbated this year in South Africa as the country launches an expanded broadband network via two new undersea fibre-optic cables. In the past, threat reports have demonstrated that launching these services causes an immediate increased threat level, as cybercriminals take advantage of breaches and vulnerabilities that arise from inadequate security. This has been seen in countries such as Brazil, Turkey, Egypt and Poland, and South Africa is likely to follow this trend once the new infrastructure is in place providing cheaper, faster and widely available broadband services.

Comsec Consulting has experience working with large sporting organizations and those responsible for the organization of major international events to help assess and counter the risks associated with attacks from cybercriminals. With long-standing experience in this area, Comsec believes that three basic types of information attributes need to be protected around global events: Availability, Integrity and Confidentiality.

The availability of information can be compromised through denial-of-service attacks where users are prevented from accessing legitimate websites. These types of attacks are very common around large-scale sporting events, resulting in lost orders for businesses offering goods and services online. These types of attacks are likely to focus on FIFA and World Cup-related websites and may be politically motivated or kudos related. In more extreme circumstances, cybercriminals may attempt to disrupt the broader World Cup infrastructure by targeting physical security systems/CCTV, mobile applications, transportation networks or ticket terminals.

Organizations also need to secure the integrity of their information, particularly confidential information provided by users accessing websites offering services and products relating to the event. Hackers will attempt to gain access to valuable information through compromising user accounts, and they may also be able to reach customer information held in the databases supporting these websites. These types of attacks are likely to be motivated by financial gain as bank and credit card details can be stolen and sold for large sums of money. Organizations must also take measures to protect themselves from the insider threat, as statistically the majority of fraud related incidents can be traced back to an employee.

The information security threats that global sporting events now attract can’t be ignored. Information security consultancy companies, such as Comsec are often drafted in at the early planning stages to ensure that all aspects relating to information security are properly assessed, mapped and tested in preparation for a major event. As any national football coach will tell you, good preparation and planning is the key to success.