“Click-for-tickets” fraud: Teaching users to sidestep Olympic scams

Attackers are expected to use the Games as a lure for email and Internet fraud. Learn how to help users sidestep Olympics-related scams.

As the Olympic torch wends its way around Britain, interest in the Games is growing rapidly. “Olympic tickets” is already a popular search term on Google, as more and more people want to experience this incredible event and not miss out on a once-in-a-lifetime opportunity.

Scam artists and cybercriminals don’t want to miss out on the Olympics, either. They are looking to make money out of the gullible sports fan, either by infecting the fan’s computer or stealing valuable information such as passwords and account details.

Internet searches for Olympics tickets or information about the Olympics will be leveraged by criminals with a social engineering ploy to infect unsuspecting users with malicious code. This tip will explore the steps IT staff can take to help protect users from Olympic scams.

Olympics phishing attacks
The most common social engineering technique for infecting a user’s PC is a phishing campaign; infected email and email attachments are still successful methods of gaining an illegal presence on a machine. Some phishing emails related to the Olympics will be obviously fake, discernible by poor English, spelling mistakes, a strange-looking URL to click, or an offer that’s far too good to be true, such as winning a lottery the user never entered. Any decent email gateway filter should trap these messages before they reach users, and hopefully the organisation’s security awareness training will ensure any that do sneak through are left unopened and reported to the security team by the employees.

However, malware analysts are seeing evidence of some cybercriminals using digital marketing techniques like A/B testing to identify the most effective types of email, such as the phishing hooks that get the highest open rates and most click-throughs, or the Facebook posts that generate the most “likes” and the most victims. As a result, the amount of spam and junk mail has declined as a percentage of total email. Savvy attackers are moving away from mass-quantity mailings and are instead targeting users with carefully crafted emails containing malware and malicious Web links.

Marketing strategies used by attackers
If you've ever been involved in marketing and public relations (PR), you will recognise some of the strategies that are now standard operating procedure for phishing campaigns, starting with the "editorial calendar." The editorial calendar, if you will, is a map of the year's events, holidays and anniversaries, around which marketing campaigns can be built. The annual appearance of Valentine's Day scams is just one example, and clearly the Olympics and the Queen’s Diamond Jubilee are this year’s two huge UK events for cybercriminals. Attackers know public interest in these events will be high just before and during their occurrences, and they time the launch of their campaigns accordingly so victims are less likely to identify their messages as malicious.

Another strategy from the marketing and PR playbook is to exploit the latest news stories, creating scams like “Whitney Houston autopsy video” and “Steve Jobs commemorative iPads.” The Olympic Games will produce lots of headline news, which will lead to a rash of scams based on the latest triumphs and heart-breaking defeats. With tools like Crimepack and SpyEye, attackers can react to such events within minutes, pushing out new campaigns to trick gullible and under-trained users into handing over the virtual keys to their accounts, their devices, and quite possibly their organisation’s network.

Many of these campaigns are well-funded and developed by highly skilled marketers who are far more computer-savvy than average computer users or even many experienced ones.

Stopping Olympics-related attacks
Preventing Olympics-related attacks requires constant vigilance by employees with regard to opening email or following links – particularly shortened links. The main defence is awareness training that covers how a phishing attack works and how and why certain employees may be targeted. Simple safeguards such as checking that someone has actually sent an email with an attachment (for example, by calling the sender on the phone) are invaluable. Yes, they make electronic communication a little less instantaneous, but they make it a lot safer.

In particular, employees should be wary of messages that direct them to webpages using shortened hyperlinks. There will be many heated debates about the various Olympic events and competitors on Facebook, Twitter and other social networks. But all posts in social media relating to the Games, especially eye-catching messages about special offers and exclusive deals, should be regarded with suspicion in order to avoid infection and forestall potential threats.

While URL-shortening services are reputable, they can be abused by hackers to mask the final destination of a link. In fact, these types of links have become a fundamental component of the attacker’s toolkit. Make sure employees know how to reveal the true destination of a shortened URL.

When searching for information about the Olympics, users must be cautious with search engine results. Attackers will use search engine optimization (SEO) techniques to cause their malicious websites to rank at or near the top of search results pages when Olympics-related keywords are searched. Sometimes poisoned SEO results lead to sites that simply waste users’ time with survey scams while executing click-jacking to defraud advertisers. More harmful landing pages will contain client-side attacks to further the propagation of malware, such as banking Trojans. Remind users that nobody is going to give away a free ticket to the 100 meter finals in return for their opinion about Man United vs. Man City.

Finally, it is important to keep intrusion detection systems (IDS) and email gateway filters up to date to spot phishing campaigns and known malicious patterns of system and network behaviour. This will reduce the number of Olympics-related attacks that reach users.
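The two defensive points above, revealing where a shortened link really goes and having the gateway flag lure messages before they reach users, can be demonstrated in a small mail-filter check. The following is an added example written for this article, not code from the author or from any product the article mentions. It parses a constructed sample message, extracts every anchor from the HTML body, flags links that point at a URL-shortening domain or whose visible text names a different host than the real href, and resolves a shortener's redirect chain with HEAD requests only (no page body is fetched, and the hop count is capped). The shortener list, the lure keywords and the sample message are illustrative assumptions; the `head` callable is injectable so the chain can be resolved offline.

```python
"""Gateway-style check for lure emails with shortened or deceptive links.

Added example, not from the original article. Lists and sample data are
assumptions for illustration, not a vendor's rule set.
"""
import email
import http.client
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: the kind of "free ticket" lure the article warns about.
SAMPLE_EML = """\
From: London 2012 Ticket Office <tickets@example.invalid>
To: fan@example.org
Subject: You have won FREE tickets to the 100m final - claim within 24h
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Congratulations! Claim your prize here:</p>
<a href="http://bit.ly/xyz123">http://tickets.london2012.com/claim</a>
<p>Official site: <a href="https://www.london2012.com/">www.london2012.com</a></p>
</body></html>
"""

# Assumed list of public shorteners; extend it from your own mail telemetry.
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "is.gd", "ow.ly"}
LURE_WORDS = ("free ticket", "won", "prize", "claim", "exclusive")  # assumed
MAX_HOPS = 5


class _LinkCollector(HTMLParser):
    """Collects (href, visible_text) pairs for every anchor in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(raw_eml):
    """Return (subject, [(href, text), ...]) from the HTML part of a message."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    parser = _LinkCollector()
    parser.feed(body.get_content() if body else "")
    return str(msg["subject"] or ""), parser.links


def _host(url):
    """Lower-cased hostname of a URL, tolerating a missing scheme."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()


def _head_location(url):
    """Real HEAD request; returns (status, Location header or None)."""
    p = urlparse(url)
    conn_cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(p.hostname, p.port, timeout=5)
    conn.request("HEAD", (p.path or "/") + ("?" + p.query if p.query else ""))
    resp = conn.getresponse()
    return resp.status, resp.getheader("Location")


def expand_short_url(url, head=_head_location, max_hops=MAX_HOPS):
    """Follow 3xx Location hops with HEAD only and return the final URL.

    Stops at max_hops; a chain that long is itself worth flagging.
    """
    for _ in range(max_hops):
        status, location = head(url)
        if not (300 <= status < 400 and location):
            return url
        url = location
    return url


def assess_message(raw_eml, head=_head_location):
    """Return a list of findings a gateway rule could act on."""
    subject, links = extract_links(raw_eml)
    findings = []
    if any(w in subject.lower() for w in LURE_WORDS):
        findings.append(("lure_subject", subject))
    for href, text in links:
        if _host(href) in SHORTENER_DOMAINS:
            findings.append(("shortened_link", href, expand_short_url(href, head)))
        # Visible text that looks like a URL but names a different host than the href.
        text_host = _host(text) if "." in text and " " not in text else ""
        if text_host and text_host != _host(href):
            findings.append(("text_href_mismatch", text, href))
    return findings
```

In production the `head` callable would be the real `_head_location`, run from a sandboxed egress point rather than the user's workstation; the injectable design also lets the same rule be unit-tested against recorded redirect chains without touching the network.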

Unfortunately, people who deal with technology a lot often think security is purely a technological issue, solved by deploying more and more security devices. However, the most important part of information security is to minimise human error, particularly errors caused through ignorance. It's important to keep all users informed of the latest techniques being used by online criminals.

About the author:
Michael Cobb, CISSP-ISSAP, is a renowned security author with more than 15 years of experience in the IT industry and another 16 years of experience in finance. He is the founder and managing director of Cobweb Applications Ltd., a consultancy that helps companies to secure their networks and websites, and also helps them achieve ISO 27001 certification. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Michael is also a Microsoft Certified Database Administrator and a Microsoft Certified Professional.
