Cybersecurity at the World Cup: What You Should Know

Events like the World Cup inspire awe about what teams working together and individuals with determination can accomplish — these events are a time for national pride, excitement and enjoyment.

Enhanced security at these events often focuses on physical security, with increased local police, physical barriers and identification checks. Yet, such measures should not overlook the need for heightened cybersecurity — not only because of the expanded digitization of sports venues but because the very attributes that make these events worthwhile open additional avenues for social engineering.

Malicious actors can prey on fans caught up in the emotion of a match or gain access to and release sensitive information at a moment when the effect would be most acute. Enhancing awareness, implementing preventive measures and eliminating the use of digital devices (where practical) would decrease the level of risk at international sporting competitions.

Three primary groups are particularly at risk during global sporting events:

  • Fans and game attendees, including foreign dignitaries and celebrities
  • Athletes participating in the games and those that support them
  • Sporting venues, including computer systems governing the entire event

Fans’ Information as a Target

The largest sporting events allocate more than one million tickets, judging from The New York Times coverage of a large sporting event in February 2018. Tickets for the World Cup in Russia this June have already exceeded 1.6 million, according to FIFA — underscoring the number of potential victims for cybercriminals, hacktivists and nation-state cyber actors.

Financially-motivated malicious actors are likely to see significant opportunity in targeting fans — particularly if they can exploit online ticket sales or transactions conducted in a nonsecure environment — while hacktivists and nation-state cyber actors are likely to seek access to information and websites that will be politically advantageous, either now or in the future.

Fans traveling internationally to attend high-profile sporting events are more likely to receive phishing attack messages — in fact, phishing-related spam increased by more than 40 percent during the World Cup in Germany in 2006, according to Comsec Group.

In these attacks, seemingly legitimate communications invite recipients to click on a link or file that will download and activate malicious software on their device. Cunning cyber actors are likely to exploit factors that can decrease vigilance to malicious messages, such as fans’ desires to congratulate and promote their teams or share their experiences on social media.

In addition to phishing attacks, fans can unknowingly expose themselves to malware by using nonsecure Wi-Fi, including open networks available in airports, hotels and restaurants. One such attack prompts users to update software on their mobile device, then installs malware onto the device instead. Nonsecure Wi-Fi can enable others to see any sensitive information sent over the network, including usernames and passwords, financial information and private documents.

Fans — and their family and friends back home — can also fall victim to the stranded traveler scam. In this attack, malicious actors hijack the email account of someone traveling overseas. With this privileged access, they can send targeted messages to friends and family members, claiming to be the traveler in desperate need of funds quickly.

Legislation and policies governing personal information and surveillance vary from country to country. Some national governments have cautioned their citizens, prior to past global sporting events, not to bring electronic devices or to clean their devices of any sensitive material and consider using a “burner” device to avoid surveillance from the host country.

For fans traveling to global sporting events, we recommend the following measures to enhance cybersecurity:

  • Be highly suspicious of messages containing links or attachments.
  • Avoid using public Wi-Fi. Use a private Wi-Fi network or virtual private network (VPN) that encrypts data to decrease some risk.
  • Warn family and friends against potential scams.
  • Be cautious of where and how you use a credit card for payment. If in doubt, use cash to avoid compromise of financial information.
  • Ensure any devices you bring have the latest operating system and applicable patches installed before you depart.
  • Consider bringing a “burner” phone in which you use a SIM card purchased at your destination with cash, and avoid bringing any additional electronics.
  • Avoid accessing social media or email.
  • Consider going “off the grid” while traveling, except for emergency communications.

Athletes Under Cyberattack

Athletes, sports clubs and sports agencies have become frequent victims of cyberattacks and information leaks over the past two years, as noted by The Telegraph. The upcoming World Cup would provide an ideal opportunity for cyber actors seeking to garner enhanced attention for their actions.

Hacktivists and nation-state backed actors seeking to tarnish the reputation of athletes, teams or their countries may find a worldwide sporting event an ideal setting in which to disclose derogatory information. Additionally, cybercriminals or malicious actors hired by an opposing team have an incentive to steal valuable information about game tactics or financial data to affect high-stakes games.

In the fall of 2016, a hacking group released confidential information about athletes acquired from databases on the World Anti-Doping Agency’s (WADA) networks, according to a public statement from WADA. The statement further explained that the attackers had used targeted phishing attacks against several WADA accounts, eventually gaining login credentials, allowing unauthorized access to the system. In April 2017, the International Association of Athletics Federations (IAAF) reported that the same group had hacked into its system, targeting information on athletes’ exemptions for drug use.

Athletes and those that support them also face potential threats from opposing teams, judging from past precedent. In 2015, personnel working for the St. Louis Cardinals, a U.S. baseball team, came under FBI investigation for allegedly hacking into sensitive networks belonging to a rival team, the Houston Astros, according to The New York Times.

Some teams are already implementing additional security measures to prepare for the World Cup this June. According to The Guardian, the Football Association will provide its own secure Wi-Fi for players and cautioned them about posting information that could reveal the team’s location, choice of players for the game or tactics.

Athletes and those that support them can follow similar practices to enhance cybersecurity during the games:

  • Employ a team chief information security officer (CISO).
  • Enhance awareness of potential attack vectors, including suspicious links or attachments in emails and prompts to update software systems.
  • Prohibit players from connecting to nonsecure Wi-Fi, and provide a separate, secure network for the team.
  • Harden any computer equipment the team may use by installing the latest versions of operating systems and patches, and disabling unused ports, unused accounts and file and printer sharing.
  • Limit players’, coaches’ and support personnel’s use of social media and email.
  • Consider asking players or support personnel to go “off the grid” immediately preceding and during major sporting events.

Venue Administration Vulnerabilities to Cyberattack Likely to Grow

As sporting event venues, scoring equipment and communication with journalists and fans become increasingly digitized, cyber risks related to event administration are likely to grow exponentially. Nation-state backed actors or hacktivists may seize the opportunity to compromise the integrity of networks controlling event venues, particularly when controversial political events dovetail with planned games. Cybercriminals and attackers hired by opposing teams may be motivated to fix a match by tampering with cameras used to assist referees, scoring systems or power grids supporting the games.

According to a report by the Center for Long-Term Cybersecurity at the University of California, Berkeley, the most common cyberthreats to sports venues currently include attacks against IT systems and ticket operations — but in the future may include devices that would affect the integrity of the game itself. Some concerning incidents at sporting events have already occurred, such as the cyberattack at the 2003 Pan American Games in the Dominican Republic that prevented scores from reaching journalists and fans, according to Security Affairs.

Industrial control systems, power grids and threats from Internet of Things (IoT) devices can further complicate cybersecurity for sporting event administrators, and an appropriate response is likely to involve close coordination with national cybersecurity units or even international organizations like Interpol. In March 2018, Interpol held a conference to discuss security at sporting venues, addressing topics such as IoT and appropriate risk management.

Distributed denial-of-service (DDoS) attacks are increasing in volume — particularly against IoT devices — doubling in a six-month time frame in mid-2017, according to a Corero report. IoT devices frequently lack appropriate security measures, such as updated firmware, firewalls or strong passwords during setup, with the potential to wreak havoc as a major sporting event is in full swing.

On May 23, 2018, Reuters reported how Ukraine raised alarms that a DDoS attack from malware on routers would interfere with the Union of European Football Associations (UEFA) Champions League soccer final in Ukraine later that week. Luckily, the warning appeared to inoculate the event from attack.

We recommend the following measures to sporting event administrators for enhancing cybersecurity:

  • Have a cybersecurity response team and a CISO.
  • Coordinate with national and international cybersecurity units to implement a collaborative approach.
  • Employ the services of cybersecurity vendors.
  • Be prepared for a large volume of attacks, and test response mechanisms to ensure they can handle the load.
  • Isolate systems from the internet (when possible).
  • Be wary of adopting new technologies for tasks central to the integrity of the game. Consider whether analog systems will be most appropriate for some functions.

From the high publicity surrounding global sporting events to the lucrative nature of exploiting expensive ticket transactions, malicious actors will have multiple reasons to target fans, athletes and venues at the World Cup this year. Potential victims can help decrease opportunities for attack by maintaining a higher level of vigilance, employing security best practices, such as updating software and patches, and being judicious about technology use, including opting out altogether when appropriate.

Interested in emerging security threats? Read the latest IBM X-Force Research

Share this Article:
Camille Singleton

X-Force IRIS Global Security Intelligence Analyst

With more than 12 years of experience as an analyst for the US Government and IBM, Camille brings expertise in cybersecurity policy, intelligence, public policy and Russian studies to bear in identifying solutions to complex technical security issues. As a member of IBM's X-Force IRIS intelligence services, Camille injects strategic insight into technical problem areas to solve our client's security challenges with forward-looking solutions.