Another year, another Super Bowl. Amidst a global pandemic, this year’s game will most certainly look different, with limited attendance and cardboard cutouts replacing thousands of in-person fans. As with every year, the organizers of Super Bowl LV have worked hard to ensure that the game itself and the events surrounding it remain safe and secure, from both a health perspective and a security perspective. This includes increased cybersecurity efforts, as we’ve seen in previous years, to combat a growing number of Super Bowl scams and other cyber threats. As with other notable public events, the Super Bowl continues to provide opportunities for bad actors looking to make a quick buck off of fake ticket sales or to steal information from an unsuspecting football fan.
Top Cyber Risks to be Aware Of
In recent years, the Super Bowl has greatly increased its security measures, both on premises and in cybersecurity. In addition to regular stadium IT operations, additional on-site and remote pop-up security operation centers (SOCs) are typically activated. These are composed of law enforcement, key technology partners, and private security firms, and are staffed with hundreds of threat hunters, analysts, and incident responders scoping the traffic at various points of critical infrastructure. This combined review of centralized data and traffic mitigates much of the risk of the additional electronic transactions resulting from the cashless system this year.
Even with these added security measures for the event itself, there are still several risks that attendees, viewers and businesses alike should be aware of leading into Sunday’s event. From ticket scams to fraudulent mobile apps, in this post we’ll review the top risks to be aware of.
Social Media Risks
The most notable cyber-attacks related to major sporting events often involve account takeover activity or data harvesting from social media. There have been recent attacks on gambling sites focused on stealing user data, although it is not yet known how that stolen data will ultimately be used. Many gambling sites also now use cryptocurrencies as their primary payment method, which are significantly less regulated and have a much smaller chance of being recovered if stolen.
Additionally, social media may be scraped as open source intelligence for attacker reconnaissance. Collected data can be used for a number of attack vectors, including leverage for targeted phishing schemes, search engine optimization attacks, and watering hole lures. The data can also be used for financial targeting of high-profile personnel, such as executives or celebrities advertising their attendance at Super Bowl LV. It can even be leveraged for less technical attacks by simply alerting physical attackers and thieves that someone in an area will be out of town attending Super Bowl LV events.
In addition to social media risks, identity theft is a threat for attendees of the Super Bowl. Increased tourism will occur during the week of Super Bowl-related events, and retailers will use cashless systems to conduct payment transactions. Tourists can unintentionally expose personally identifiable information, geographic location, or ticket and barcode information when posting pictures and videos on social media. These images reveal information about the poster and can be used by attackers to facilitate nefarious activity. Attendees must also use caution when sharing information on social media accounts during the Super Bowl.
Phishing and Super Bowl Scams
The Super Bowl generates a high level of interest among fans and among the corporate sponsors providing services for the game. These sponsorships come with the possibility of credential theft through phishing scams abusing corporate brands. Threat actors can capitalize on Super Bowl LV by launching phishing websites that impersonate the NFL or display sponsors’ logos. Ticket-themed scams are lucrative for threat actors, given that Super Bowl ticket prices are considerably higher than regular NFL game tickets.
Phishers can impersonate ticket-selling websites that claim to sell Super Bowl LV tickets but instead steal financial credentials from victims, who believe the phish is coming from a legitimate retailer. Although event coordinators encourage fans to buy Super Bowl LV tickets via the NFL’s website or authorized sellers only, some may choose to purchase tickets from a secondary marketplace. These secondary avenues may sell counterfeit tickets or steal credit card information from buyers.
Unlike previous Super Bowl games, this year the NFL is selling mobile tickets in order to comply with COVID-19 prevention guidelines. Fans who choose to buy scalped tickets may receive fake paper tickets or electronic tickets with invalid barcode data. In the past, paper Super Bowl tickets included distinct features like raised lettering, blacklight text, and heat-sensitive ink to verify the ticket’s legitimacy and prevent duplication. The shift to mobile tickets offers digital protection that makes them considerably more secure than paper tickets but requires buyers to exercise caution when purchasing tickets from secondary digital marketplaces to avoid Super Bowl scams and counterfeits.
A Cashless Super Bowl Opens the Door for Rogue Mobile Applications
Both the Super Bowl Experience attraction and the game day activities are designed to be as cashless as possible—a measure the NFL had already been considering pre-pandemic but became high priority due to COVID-19 restrictions. While this change somewhat reduces the physical threat caused by carrying cash, it increases the attack surface for other point-of-sale threats. The NFL will require all visitors to use credit cards when purchasing retail items and concessions. Some vendors will even provide mobile ordering options for efficient transactions and limited physical contact. Vendors may require customers to use mobile applications or scannable QR codes to place orders for concessions and retail. However, the push for a mobile experience during the Super Bowl introduces concerns over rogue mobile applications.
Rogue mobile applications are often unregulated and obtained through third-party app stores. Official applications used in connection with Super Bowl LV are available for download via the Apple App Store for iOS devices and the Google App Store for Android devices. Mobile applications for NFL, ESPN, CBS Sports, and Fox Sports will experience high-volume activity during Super Bowl Sunday as fans stream content throughout the event. Apps hosted on third-party app stores often contain flawed or outdated software that is susceptible to malware attacks or has other known vulnerabilities. For example, searching for ESPN on a third-party Android-based app store displays what appears to be a genuine ESPN app, but the app store provides the option to download older versions of the app, which may contain exploitable vulnerabilities.
Rogue mobile apps may also pose a threat to Super Bowl fans attempting to stream the game for free or to bypass restrictions on legitimate applications. To mitigate the risk of cyber threats, Super Bowl attendees and fans must use caution when downloading unverified apps or using services that are not authorized by the NFL and supporting sponsors.
The Human Factor
In the target-rich Super Bowl cybersecurity landscape, the biggest threat is the human factor. Individuals loosening their security mindfulness while on vacation—being freer with their money and less vigilant while they enjoy themselves—are prime marks for any criminal enterprise. Normally security-conscious individuals may be tempted into risky behaviors on unfamiliar networks or applications. In their excitement, Super Bowl attendees may be more prone to open an unsolicited email under the assumption that it was triggered by their browsing or related purchases. Unexpected credit card charges may be written off to simply not remembering, or an unusually large bar tab may just be taken in stride.
In the rush to get settled or get network access quickly in an unfamiliar region, a visitor may skip the diligence needed to confirm that they are connecting to a legitimate wireless network. There is a tremendous cyber-attack surface exposed during a major event like Super Bowl LV, but there are also equally significant mitigation strategies in place. A modicum of caution and a willingness to be vigilant can go a long way. As a rule, attackers focus on the easiest mark, the lowest hanging fruit, or the lowest effort task with the greatest return—and in most cases, that weakest link is the Human Factor.
Whether you’re watching in person or from the couch, be mindful of these cyber risks and Super Bowl scams and protect yourself and your business online.