Establishing Digital Trust: Don't Sacrifice Security for Convenience
In response to the start of the 2014 FIFA World Cup in Brazil, hackers have attacked dozens of websites to protest the money being diverted to the tournament. Members of Anonymous recently took down the websites of the Military Police of Sao Paulo, Brazil's Department of Justice, Hyundai and the Emirates Group, among many others.
"We had a busy last few days and there is more still to come," hacker Che Commodore told Reuters. "Companies and institutions that work with a government that denies the basic rights of its people in order to promote a private, exclusive and corrupt sports event will be targeted."
Still, it's not just companies that should be concerned about cyber threats; millions of soccer fans are also at risk from malware, phishing and more.
Kaspersky researchers say they're detecting about 50-60 new well-designed World Cup phishing domains each day, as well personalized emails that claim the recipient has won free tickets to a match. "If you are planning to travel to Brazil for the World Cup or following it online, be secure -- don’t trust any messages you receive, and double-check before clicking links," the researchers write.
Trend Micro has released a video explaining how to avoid being taken in by phishing scams connected to the World Cup. Among their advice: Watch for misspelled links, avoid unsecured connections, and don't fill out forms that request too much information.
"Cyber criminals know how to get what they want," the video states. "They'll set up traps that are sure to lure you in. They use big events, holidays, news, or anything that'll get your attention as bait. ... They'll promise you the world in exchange for your information."
Trend Micro researchers recently came across literally hundreds of different malicious World Cup-themed mobile apps. Several of them are in the Android.OpFake family, offering clones of popular apps that subscribe the user to premium services and leak user data. Others are in the SMSStealer family, which can send premium SMS messages, conceal incoming messages and install malware.
"Some football betting apps have also been found leaking information without user notification, as well as blatant security risks in their micropayment process," the researchers write. "We advise users to be very careful with their financial and personal information when using these apps (or not to use them at all)."
Kaspersky researchers also warn of the risks of connecting to unsecured Wi-Fi networks. In a recent study of Wi-Fi access in Sao Paulo, Brazil, the researchers found that 26 percent of the access points they detected were completely open, without any encryption.
"These open networks usually offer free Internet access, so they are very popular among visitors," the researchers write. But any data you transmit via an open network is transmitted in clear text, allowing an attacker on the same network to read it as easily as you could on your own screen.
Attackers can also use open Wi-Fi networks to launch man-in-the-middle attacks -- log into your email, social network, or online banking site, and you'll see a popup telling you the SSL certificate is out of date. "Most people automatically accept the proposed new certificate, only to discover it is a malicious ploy to encrypt your traffic and decrypt it again before it reaches its intended destination server," the researchers write.
Bob West, chief trust officer at CipherCloud, suggests keeping the following four tips in mind to protect yourself at and around the World Cup:
Beware the Evil Twin -- "Whether you’re live at the games or watching from a sports bar, watch out for fake Wi-Fi networks disguised as legit ones. ... Avoid this by asking the venue for the name of their network," West says. "Otherwise, connect at your own risk -- anything you send through an evil twin network is accessible to the bad guy."
False Distress Signals -- Watch out for the 'I'm your friend who needs a fast money transfer,' scam. "In the context of the games, this could be a message from a 'friend' who was robbed while at the games and needs your help to get by the next few days or to get a plane ticket home," West says. "Usually, the giveaway is in the details or lack of. Wouldn't your friend at the games come to you in-person instead of email, Facebook or tweet you if you’re there too?"
Don’t Get Greedy -- Don't get fooled by pop-up ads or unfamiliar sites selling cheap tickets or souvenirs. "Sure, someone could have over purchased tickets or had a last minute cancellation," West says. "But what are the odds they’d all show up on one site? Or is it more likely that the tickets and souvenirs are fakes and or the site is just collecting your credit/debit card details so that the thieves can do some real shopping with your money?"
The Golden Rule for Avoiding Cyber Crime -- "If it sounds too good to be true, then red flags should pop up," West says. "It’s the same thing you learned from your parents when dealing with strangers on the street offering you candy if you go with them."