With an average of 10.7
million viewers in 2022, March Madness is one of the most watched, and
anticipated, sporting events every year here in the US. What makes it most
interesting is that it's the only major sporting event in the US that
traditionally falls during our business day, and those who participate in viewing
and playing in their "office pools" are susceptible to a variety of security
threats, especially phishing lures. The same goes for those who
utilize online sportsbooks taking bets on the games.
As you know, cybercriminals will use any major event or
tragedy that has captured the attention of the general public as bait for
attacks. While folks are caught up in the excitement of the games and their
brackets, bad actors will be plotting to steal your credentials, lure you into
fake websites and deploy ransomware that could wreak havoc on you, or your
organization, long after the conclusion of this year's tournament. The
increased interest from users and the dramatic spike in emails, links and other
communications related to the event make it much easier for these actors to
blend in.
We all know that cybercriminals are out there right now trying to
bust your March Madness bracket! Read on as industry experts offer their thoughts and commentary on the matter.
---
Timothy Morris, Chief
Security Advisor at Tanium,
a Kirkland, Washington-based provider of converged endpoint management (XEM):
The NCAA tourney is prime time for attackers to play on
the passion and emotion of college basketball fans. Success rates of
phishing attempts are higher because we, as humans, tend to let our guard down
when we are consumed by a major event. After all, it's not
called, "March Madness" for nothing!
The sheer scope and duration of the tournament make for an
attractive hunting ground for multiple weeks. Not to mention
the brackets enjoyed by so many. It's estimated that more than 36
million adults will complete a bracket. And, who knows how many will join
office pools that can't be tracked? Each of which has potential for
fraud.
As such, cyber security teams can expect to see an increased
volume of phishing attempts, web site compromises, watering hole attacks,
business email compromise (BEC), malvertising, etc., geared towards enthusiasm
for March Madness. Scams will also target consumers for fake merchandise,
phony tickets, etc.
To counteract these efforts, it will be important for
companies to ensure their systems are patched, particularly applications that
are internet facing, and that multi-factor authentication is
utilized. Users should be trained to be on the lookout for these types of
attacks and make sure security controls are working and effective.
This includes the management of tools to secure endpoints and email/web
content. For major events, it is a good idea to block or closely review
new domains, or those that have unusually high traffic levels.
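One way to put Morris's last recommendation into practice, as an added example that is not from the article or from Tanium: a small script that reads proxy log lines (constructed here), flags domains first seen within the last 30 days or whose request count is well above their daily baseline, and returns them for review. The log lines, first-seen dates, baseline counts and "today" value are all assumed sample data.

```python
import re
from collections import Counter
from datetime import date

# Constructed proxy log lines (not from the article): "date client domain".
PROXY_LOG = """\
2023-03-16 10.0.0.12 espn.com
2023-03-16 10.0.0.15 espn.com
2023-03-16 10.0.0.12 ncaa.com
2023-03-16 10.0.0.21 bracket-madness-2023.example
2023-03-16 10.0.0.22 bracket-madness-2023.example
2023-03-16 10.0.0.23 bracket-madness-2023.example
2023-03-16 10.0.0.24 bracket-madness-2023.example
2023-03-16 10.0.0.30 freestream-final4.example
"""

# Constructed first-seen dates standing in for a domain-age feed (assumption:
# real data would come from RDAP/WHOIS or the proxy vendor's categorisation).
FIRST_SEEN = {
    "espn.com": date(2010, 1, 1),
    "ncaa.com": date(2010, 1, 1),
    "bracket-madness-2023.example": date(2023, 3, 10),
    "freestream-final4.example": date(2023, 3, 14),
}
# Constructed per-day request baseline; never-seen domains default to 0.
BASELINE = {"espn.com": 40, "ncaa.com": 20}
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\S+) (\S+)$")

def count_domains(log: str) -> Counter:
    """Requests per domain from the simplified log format above."""
    counts = Counter()
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            counts[m.group(3)] += 1
    return counts

def flag_domains(log, today=date(2023, 3, 16), max_age_days=30,
                 spike_factor=3.0, min_hits=4):
    """Return {domain: reasons} for domains that are newly seen or spiking."""
    flagged = {}
    for domain, hits in count_domains(log).items():
        reasons = []
        seen = FIRST_SEEN.get(domain)
        if seen is None or (today - seen).days <= max_age_days:
            reasons.append("new-domain")  # unknown or registered recently
        if hits >= min_hits and hits > BASELINE.get(domain, 0) * spike_factor:
            reasons.append("traffic-spike")  # well above the usual daily volume
        if reasons:
            flagged[domain] = reasons
    return flagged
```

Flagged domains are candidates for review or a temporary block during the event window, not automatic verdicts; long-established sites such as the two baseline entries pass through untouched.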
++
JT Keating, SVP of
Strategic Initiatives at Zimperium, a Dallas, Texas-based provider of mobile security solutions:
Let's face it. Even people who don't regularly watch college
basketball throughout the year may be keeping one eye on March Madness over the
next few weeks. It's a cultural phenomenon in the United States that brings
together people to participate in office pools, online gambling and more. While
the distractions and the substantial bandwidth strains associated with
following the annual NCAA Tournament can damage organizations, mobile security
threats have proven to be a more dangerous issue that organizations of all
sizes should be particularly wary about.
Mobile phishing attacks are on the rise. According to the
2022 Global Mobile Threat report, mobile-specific
phishing sites grew by 50% over a three-year period. By 2021, 75% of
phishing sites were specifically targeting mobile users. What's more is that 66% of mobile
phones used at work are employee-owned, creating a challenging environment for
security teams to protect.
Unfortunately, many employees who look for alternative
sources to participate in March Madness may unwittingly turn to malicious
websites and apps on their smartphones and tablets. Phishing, malware, and other
attacks flourish during popular online events, such as March Madness, and
even one small mistake by an employee whose mobile device is connected to
corporate data could cause chaos throughout an entire organization.
It's easy for an unsuspecting victim using their mobile
device to click on an email link they think is from a trustworthy source asking
to set up their bracket, or watch the games, that an attacker could spoof. It's
even easier for an attacker to spoof one of these organizations and convince
someone to click on a link sent via SMS text message. Regardless of whether a
link is sent by email or text, users on mobile devices are hampered by smaller
screens and mobile-first interfaces that limit information visibility, reducing
the ability to identify common red flags or attacks.
Once someone clicks on a link, their phone - and all the
info and data stored, processed or transmitted by that phone - could be
compromised. Even on employee-owned devices, this usually includes a large
amount of corporate data and/or the ability to co-opt multi-factor
authentication (MFA) that can provide access to enterprise apps or networks.
Additionally, hackers could even use a device's camera or microphone to "bug"
corporate offices or access photos to blackmail an employee into divulging
sensitive information.
Today, mobile security and education in the enterprise is
more crucial than ever. In most cases, mobile devices represent a
significant, unaddressed attack surface for enterprises. No matter if they are
corporate-owned or part of a BYOD strategy, the need to implement proper
security controls and educate end-users about potential threats is critical.
Without defenses in place to stand up against these growing
threats - especially during events like the NCAA Tournament - enterprises and
their employees are left at risk. However, education is only part of the
solution. Attackers are becoming increasingly sophisticated and are always
developing new tactics and techniques to undermine employees that have
undergone some level of anti-phishing training. Technology is available today
that can help fill in the gaps, minimizing the risk and attack surface
presented by threat actors.
As technology evolves to address new business challenges and
needs, the modern mobile era has ushered in a new category of security to help
combat current threats. Organizations can and should continue to use Mobile
Device Management (MDM) - but only if they are tying it to a Mobile Threat
Defense (MTD) solution, which can detect and prevent mobile device, network,
phishing and malicious app attacks.
++
Mika Aalto, Co-Founder and
CEO at Hoxhunt, a
Helsinki-based provider of enterprise security awareness solutions:
March Madness gives cyber criminals excellent phishing
campaign material because millions of people will be watching games throughout
the work week and checking the results of their personal and company brackets
via email notifications from online platforms. This creates an environment of
heightened emotions and raised expectations for communications from strangers,
colleagues and friends, writing to work and personal email accounts.
One of the most common tactics used by cybercriminals during
March Madness is to send phishing attacks with enticing subject lines that
promise free tickets or exclusive offers related to the tournament. Such emails
are common for those of us who regularly participate in March Madness brackets
or fantasy sports, and it's easy for us to lower our guard against a March
Madness phish. But these phishing emails contain links or attachments that,
when clicked, infect your computer with malware or lead you to a credential
harvesting website.
Cybercriminals may also leverage social media and brand
familiarity to trick people. For example, criminals may create fake social
media profiles that claim to be from reputable sources, such as sports
broadcasters or tournament organizers who urge people to click on links or
provide personal information.
Be cautious of unsolicited emails or messages. If you get a
vague email reminding you to immediately fill in your bracket, take a moment to
verify the legitimacy of offers or links before clicking on them, and never
share sensitive information with unknown sources.
Be smart and stay safe during March Madness. Keep your
computer and software up-to-date with the latest security patches, protect your
accounts with strong and unique passwords, and enable multi-factor
authentication whenever possible.
++
Guillaume Ross, Deputy
CISO at JupiterOne, a Morrisville, North Carolina-based provider of
cyber asset management and governance solutions:
Events like March Madness are recurring reasons why people
venture out of their daily list of websites they are familiar with. Yes, there
might be more attacks, and social engineering might be easier; however, if you
think you don't have systems configured in such a way that they can handle
this, then they are likely to be compromised during the rest of the year. It's
like unsafe Wi-Fi. If you believe your corporate laptops are not
usable securely on hotel Wi-Fi, they're probably not usable securely anywhere.
When educating employees on security, it's important to
explain why certain controls are useful, as well as how they can
leverage them in their own personal lives. We might enforce multi-factor
authentication (MFA) at work, but we should also suggest that people use
it on their own important accounts, when it's available at least. The same goes
with password managers, keeping browsers up-to-date, as well as on the dangers
of submitting information to unknown sources on the Internet.
If your browsers are not updated rapidly when new
vulnerabilities are discovered, it's likely that one of them could be
compromised during March Madness, the Olympics, the World Cup or during any
regular week.
For this reason, a company with a good understanding of
their social engineering attack surface, a well-configured spam filter,
employees that are used to reporting suspicious emails, and where a well-known,
trustworthy site to track brackets is chosen early on is probably not exposed
to significantly higher risk during March Madness.
For companies where all traffic goes through a corporate
VPN, I recommend making official streaming sites available out of the VPN
rather than blocking them, which will lead to people searching for illegal
streams that aren't blocked, which might bring more security risk.
++
Patrick Harr, CEO at SlashNext, a Pleasanton, Calif.-based anti-phishing company:
Emotions run high during the March Madness tournament each
year, and hackers quickly take advantage of the predictability of fans falling
prey to malicious content that leads to data breaches.
With this popular sporting tournament, it's easy for hackers
to prey on the excitement. With money on the line for many employees participating
in office pools and brackets, hackers serve fake sporting-themed websites, free
streaming of games, private VPNs, contests, and browser extensions that claim
to keep track of scores and stats of the games.
The sophistication of these phishing threats is becoming
more difficult to detect, especially for users. With the tournament starting
next week, March Madness-themed phishing sites will pop up to steal
credentials for future corporate-based attacks or commit credit card fraud.
Organizations must educate their employees and, most
importantly, be proactive in securing BYOD. With the increased use of BYOD and
dual-purpose devices, it's important to avoid giving away login credentials or
accidentally adding malicious browser extensions which can be used to breach
corporate assets.
Protect your organization by encouraging users to exercise
extreme caution when participating in brackets and office contests. Most
importantly, have the right security tools, including real-time mobile and
browser security solutions.
++
Darren Guccione, CEO and
Co-Founder at Keeper Security, a Chicago-based provider of zero-trust and
zero-knowledge cybersecurity software:
March is an exciting time for diehard and casual college
basketball fans alike, but it's also an opportune time for cybercriminals. To
avoid falling victim to March Madness related scams, always be cautious of
unsolicited messages or offers, double-check the authenticity of any websites
or apps you may be using to watch, follow or bet on the games, and never
provide personal information or payment without verifying the legitimacy of the
transaction.
Phishing and online scams are two of the biggest cyber
threats for fans. Throughout the tournament, cybercriminals may send phishing
emails or text messages with malicious links or attachments disguised as
updates on games and brackets. Do not open attachments or click on links from
unknown sources. Scammers may also use social media to learn more about you or
request money. They may impersonate a friend or family member claiming to be in
urgent need of money to buy tickets or place bets on March Madness games, or
even impersonate the athletes themselves. Along with being wary of fake
tickets, fans should also be careful about fake bracket contests promising
large prizes to the winners. Once they collect your entry fee or personal
information, scammers will disappear and the winners never receive their
prizes.
When creating accounts to follow the games, create a bracket
or take part in the fun of the tournament any other way, it may be tempting to
reuse passwords. Make sure you have different, high-strength passwords for all
of your accounts. This way, if one account is breached, a cybercriminal does
not gain access to all your accounts. Passwords should be at least 12
characters with a mix of uppercase and lowercase letters, a variety of special
characters and a random assortment of numbers. Also, consider creating a
passphrase rather than using a single word. A password manager can make this
easier by generating and securely storing strong passwords for you, so that all
you have to do is remember one master password.