Cybercriminals Preying on March Madness 2023 Frenzy, Distraction
One slip-up on an employee's personal device could trigger a corporate data breach.
Many employees who look for alternative sources to participate in March Madness might unwittingly turn to malicious websites and apps on their smartphones and tablets, said Zimperium's JT Keating.
“Phishing, malware and other attacks flourish during popular online events, such as the NCAA tournament, and even one small mistake by an employee whose mobile device is connected to corporate data could cause chaos throughout an entire organization,” he said. “Without defenses in place to stand up against today’s growing mobile threats – especially during events like March Madness – enterprises and their employees are left at risk. However, education is only part of the solution. Attackers are becoming increasingly sophisticated and are always developing new tactics and techniques to undermine employees that have undergone some level of anti-phishing training. Technology is available today that can help fill in the gaps, minimizing the risk and attack surface presented by threat actors.”
Darren Guccione is Keeper Security's CEO and co-founder.
“To avoid falling victim to March Madness-related scams, always be cautious of unsolicited messages or offers, double-check the authenticity of any websites or apps you may be using to watch, follow or bet on the games, and never provide personal information or payment without verifying the legitimacy of the transaction,” he said. “Phishing and online scams are two of the largest cyber threats for fans. Throughout the NCAA tournament, cybercriminals may send phishing emails or text messages with malicious links or attachments disguised as updates on games and brackets. Do not open attachments or click on links from unknown sources. Scammers may also use social media to learn more about you or request money. They may impersonate a friend or family member claiming to be in urgent need of money to buy tickets or place bets on March Madness games, or even impersonate the athletes themselves. Along with being wary of fake tickets, fans should also be careful about fake bracket contests promising large prizes to the winners. Once they collect your entry fee or personal information, scammers will disappear and the winners never receive their prizes.”
When creating accounts to follow the games, create a bracket or take part in the tournament any other way, it may be tempting to reuse passwords, Guccione said.
“Make sure you have different, high-strength passwords for all of your accounts,” he said. “This way, if one account is breached, a cybercriminal does not gain access to all your accounts.”
Timothy Morris is Tanium's chief security advisor. He said the NCAA tournament is prime time for attackers to play on the passion and emotion of college basketball fans. Success rates of phishing attempts are higher because “we, as humans, tend to let our guard down when we are consumed by a major event. After all, it’s not called March Madness for nothing.”
“The sheer scope and duration of March Madness makes an attractive hunting ground for multiple weeks,” he said. “Not to mention the brackets enjoyed by so many. It’s estimated that more than 36 million adults will complete a bracket. And, who knows how many will join office pools that can’t be tracked, each of which has potential for fraud. As such, cybersecurity teams can expect to see an increased volume of phishing attempts, website compromises, watering hole attacks, business email compromise (BEC), malvertising, etc., geared towards enthusiasm for March Madness. Scams will also target consumers for fake merchandise, phony tickets, etc.”
To offset these efforts, it will be important for companies to ensure their systems are patched, particularly apps that are internet facing, and that multifactor authentication (MFA) is utilized, Morris said. Users should be trained to be on the lookout for these types of attacks and make sure security controls are working and effective. This includes the management of tools to secure endpoints and email/web content.
“For major events, it is a good idea to block or closely review new domains, or those that have unusually high traffic levels,” he said.
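Morris's advice to block or closely review new domains, or domains with unusually high traffic, can be turned into a small review queue that a security team runs against its web proxy data. The following is an added example written for this page; it is not code from the article, from Tanium or from any vendor product. It assumes a daily proxy summary in a constructed "date domain requests" format, a seven-day window for "new" domains and a 3x spike threshold, all of which are illustrative choices rather than anything the article specifies.

```python
"""Review queue for new or unusually busy domains, built from a constructed
daily proxy summary.  Added example; not from the article or any vendor."""
from collections import defaultdict
from datetime import date
from statistics import mean

# Constructed daily summary lines: "<YYYY-MM-DD> <domain> <requests>".
# Domains use reserved .example/.test labels so nothing here resolves.
SAMPLE_SUMMARY = "\n".join(
    [f"2023-03-{d:02d} scores.example 4" for d in range(1, 17)]          # steady, known
    + [f"2023-03-{d:02d} stream-hd-live.test 2" for d in range(1, 16)]  # known, then spikes
    + ["2023-03-16 stream-hd-live.test 12",
       "2023-03-16 win-free-tickets.test 1"]                             # never seen before
)

# Assumed "as of" day for the review; constructed to match the sample above.
AS_OF = date(2023, 3, 16)


def parse_summary(text: str) -> dict[str, dict[date, int]]:
    """Return {domain: {day: requests}} from summary lines.

    Blank or malformed lines are skipped rather than aborting the run, since a
    review job should survive a few bad rows in an exported report.
    """
    per_domain: dict[str, dict[date, int]] = defaultdict(dict)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        day_s, domain, count_s = parts
        try:
            day = date.fromisoformat(day_s)
            count = int(count_s)
        except ValueError:
            continue
        domain = domain.lower()
        per_domain[domain][day] = per_domain[domain].get(day, 0) + count
    return dict(per_domain)


def review_queue(text: str, as_of: date, new_days: int = 7,
                 spike_factor: float = 3.0, min_baseline_days: int = 3) -> dict[str, list[str]]:
    """Return {domain: [reasons]} for domains worth blocking or reviewing on as_of.

    A domain is queued when it was first observed fewer than new_days ago, or when
    its request count on as_of is at least spike_factor times its mean daily count
    over earlier days.  The baseline only counts days the domain actually appeared,
    which overstates quiet domains slightly; that is a deliberate simplification.
    """
    flagged: dict[str, list[str]] = {}
    for domain, days in parse_summary(text).items():
        reasons = []
        first = min(days)
        age = (as_of - first).days
        if age < new_days:
            reasons.append(f"first seen {first.isoformat()} ({age} days ago)")
        today = days.get(as_of, 0)
        history = [n for d, n in days.items() if d < as_of]
        if len(history) >= min_baseline_days:
            baseline = mean(history)
            if today >= spike_factor * baseline:
                reasons.append(f"{today} requests vs {baseline:.1f}/day baseline")
        if reasons:
            flagged[domain] = reasons
    return flagged


if __name__ == "__main__":
    for domain, why in sorted(review_queue(SAMPLE_SUMMARY, AS_OF).items()):
        print(f"{domain}: {'; '.join(why)}")
```

On the constructed data, `scores.example` is left alone, `win-free-tickets.test` is queued as a newly observed domain, and `stream-hd-live.test` is queued for a traffic spike despite being known for two weeks, which is the pattern a suddenly popular illegal stream or fake bracket site would produce in proxy logs.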
Mika Aalto is Hoxhunt's co-founder and CEO. He said one of the most common tactics used by cybercriminals during March Madness is to send phishing attacks with enticing subject lines that promise free tickets or exclusive offers related to the tournament. Such emails are common for those who regularly participate in March Madness brackets or fantasy sports.
“If you receive a vague email reminding you to immediately fill in your bracket, take a moment to validate the legitimacy of offers or links before clicking on them, and never share sensitive information with unknown sources,” he said. “Be smart and stay safe during March Madness.”
Patrick Harr is SlashNext's CEO. He said hackers quickly take advantage of the predictability of fans falling prey to malicious content that leads to data breaches.
“With this popular sporting tournament, it’s easy for hackers to prey on the excitement,” he said. “With money on the line for many employees participating in office pools and brackets, hackers serve fake sporting-themed websites, free streaming of games, private VPNs, contests and browser extensions that claim to keep track of scores and stats of the games. The sophistication of these phishing threats is becoming more difficult to detect, especially for users.”
With the tournament now underway, March Madness-themed phishing sites will pop up to steal credentials for future corporate-based attacks or credit card fraud, Harr said.
“With the increased use of BYOD and dual-purpose devices, it’s important to avoid giving away login credentials or accidentally adding malicious browser extensions, which can be used to breach corporate assets,” he said.
Guillaume Ross is deputy CISO at JupiterOne.
“When educating employees on security, it’s important to explain why certain controls are useful, as well as how they can leverage them in their own personal lives,” he said. “We might enforce MFA at work, but we should also suggest that people use it on their own important accounts, when it’s available at least. The same goes with password managers, keeping browsers up to date, as well as on the dangers of submitting information to unknown sources on the Internet.”
If browsers are not updated rapidly when new vulnerabilities are discovered, it’s likely that one of them could be compromised during March Madness, the Olympics, the World Cup or during any regular week, Ross said.
“For this reason, a company with a good understanding of their social engineering attack surface, a well-configured spam filter, employees that are used to reporting suspicious emails, and where a well-known, trustworthy site to track brackets is chosen early on is probably not exposed to significantly higher risk during March Madness,” he said. “For companies where all traffic goes through a corporate VPN, I recommend making official streaming sites available out of the VPN rather than blocking them, which will lead to people searching for illegal streams that aren’t blocked, which might bring more security risk.”
March Madness 2023, which kicked off Thursday, provides the perfect opportunity for cybercriminals to take advantage of distracted fans both during and after work.
March Madness is one of the most watched and anticipated sporting events every year in the United States. Games averaged 10.7 million viewers in 2022.
It’s also the only major sporting event in the United States that traditionally falls during business hours. And those who participate in viewing and playing in their office pools are susceptible to a variety of security threats, especially phishing lures. The same goes for those who utilize online sportsbooks taking bets on the games.
Cybersecurity experts say March Madness fans should keep up their guard throughout the event.
JT Keating is senior vice president of strategic initiatives at Zimperium.
“March Madness is a cultural phenomenon here in the United States that brings together people to participate in office pools, online gambling and more,” he said. “While the distractions and the substantial bandwidth strains associated with following the annual NCAA tournament can damage organizations, mobile security threats have proven to be a more dangerous issue that organizations of all sizes should be particularly wary about.”
Mobile phishing attacks are on the rise. According to the 2022 Global Mobile Threat report, mobile-specific phishing sites grew by 50% over a three-year period. By 2021, three-quarters (75%) of phishing sites were specifically targeting mobile users. Moreover, two-thirds (66%) of mobile phones used at work are employee-owned, creating a challenging environment for security teams to protect.
Want to contact the author directly about this story? Have ideas for a follow-up article? Email Edward Gately or connect with him on LinkedIn.