March Madness signals opening of phishing season

March 20, 2019
Cyber criminals look to prey on the popularity of the annual college hoops tournament with an array of phishing schemes

Okay, color me guilty. I spent my lunch hour yesterday at my work computer selecting my bracket picks for this year’s NCAA men’s basketball tournament, just like millions of other employees around the country. That’s right, it’s March Madness time again. Every spring, as the pollen flows and the bookies glow, hack attacks increase as cybercriminals look to prey on the popularity of the annual college hoops tournament with an array of phishing schemes and other ploys rife with malware.

Why are the warnings of tournament hoop hack-attacks almost as ubiquitous as the next NCAA basketball coaches’ scandal? Simple: as much as the average Joe or Jane professes confidence in spotting a phishing attack, they usually can’t. Cybersecurity experts continue to flag NCAA tourney time as DEFCON 1 for many companies because the attacks keep coming.

“Phishing emails are one of the highest-risk intrusion methods to date. They are easy to craft, easy to deploy; they are aimed at our broadest, weakest attack surface: The endpoint, and its user. They are designed to make us afraid that if we don’t click on that link or open that attachment something bad will happen. Cybercriminals have been extremely successful at both designing the lure and monetizing their success, despite their re-use of techniques and themes such as threatening our Netflix accounts or suggesting something may be amiss with our credit or identity,” warns Colin Little, Senior Threat Analyst for Centripetal Networks, a threat-intelligence solutions provider based in Herndon, Virginia.

Mike Banic, Vice President of Marketing at Vectra, a San Jose, Calif.-based provider of technology which applies AI to detect and hunt for cyber attackers, puts the risk into proper perspective: “Don’t let the bracket frenzy allow you to be phished during March Madness.”

Banic says the March Madness craze is well known for pools, created among co-workers, friends and family, in which individuals compete to predict the most accurate NCAA basketball tournament bracket, and that the biggest security concern within these groups is phishing scams. The fact is interest in March Madness is so broad that cyber attackers don’t even need to perform much social engineering to hook their phish.

“Typically, an organizer will send out links from a sports-centric website to the interested participants to allow them to join a group. This creates a situation where the participant may be unaware of the authenticity or safety of the website for the link sent by the organizer, making their personal data vulnerable to cross-site scripting attacks, hidden redirects and website forgery. Participants should be cautious of shortened URLs which can redirect them to a malicious website that may look to steal their personal information,” Banic says. “As a measure of precaution, participants should ensure that they trust the organizer sharing the link, verify the link they are about to click and pay attention to the certificate validation done by most browsers that tend to warn the user when unauthorized or unsafe websites are being accessed.”
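Banic’s advice to verify a link before clicking it can be automated for the case he singles out, the shortened URL. The Python below is an added example, not code from Vectra or from this article: it expands a shortened link hop by hop with HEAD requests (so the final page is never fetched or rendered) and checks that the chain ends on HTTPS at a host on an allow list, rejecting look-alike hosts such as `bracket.example.com.login.test`. The redirect table, the `.test` and `example.com` names and the allow list are constructed for illustration; `live_head` is the real-network variant and is not exercised here.

```python
"""Expand a redirecting link without loading the final page, then check
where it lands.  Added example; the redirect table below is constructed
and uses reserved example/test domains only."""
from http.client import HTTPConnection, HTTPSConnection
from urllib.parse import urljoin, urlparse

MAX_HOPS = 5
REDIRECT_CODES = (301, 302, 303, 307, 308)


def live_head(url):
    """One HEAD request; returns (status, Location header or None).
    http.client never follows redirects on its own, so every hop is ours
    to inspect before anything is loaded."""
    parts = urlparse(url)
    conn_cls = HTTPSConnection if parts.scheme == "https" else HTTPConnection
    conn = conn_cls(parts.netloc, timeout=5)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("HEAD", path, headers={"User-Agent": "link-check/1.0"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def expand(url, head=live_head, max_hops=MAX_HOPS):
    """Follow redirects one at a time; return every URL visited, input first."""
    chain = [url]
    for _ in range(max_hops):
        status, location = head(chain[-1])
        if status not in REDIRECT_CODES or not location:
            return chain
        # Location may be relative; resolve it against the current hop.
        chain.append(urljoin(chain[-1], location))
    raise ValueError("more than %d redirects: %s" % (max_hops, chain))


def host_matches(host, allowed):
    """True if host is an allowed domain or a subdomain of one.
    A substring test would accept 'example.com.login.test'; this does not."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)


def check_link(url, allowed_hosts, head=live_head):
    """Return (ok, reason, chain) for a link someone is about to click."""
    try:
        chain = expand(url, head)
    except ValueError as exc:
        return False, str(exc), []
    final = urlparse(chain[-1])
    if final.scheme != "https":
        return False, "final hop is not HTTPS: " + chain[-1], chain
    if not host_matches(final.hostname or "", allowed_hosts):
        return False, "final host %r not in allow list" % final.hostname, chain
    return True, "ok", chain


# Constructed stand-in for the network (hypothetical shortener short.test).
FAKE_REDIRECTS = {
    "https://short.test/x1": (301, "https://bracket.example.com/join?g=42"),
    "https://bracket.example.com/join?g=42": (200, None),
    "https://short.test/x2": (302, "https://short.test/x3"),
    "https://short.test/x3": (302, "https://bracket.example.com.login.test/join"),
    "https://bracket.example.com.login.test/join": (200, None),
    "https://short.test/loop": (302, "/loop"),
}


def fake_head(url):
    """Offline replacement for live_head backed by FAKE_REDIRECTS."""
    return FAKE_REDIRECTS.get(url, (404, None))


if __name__ == "__main__":
    allow = ["example.com"]  # the pool site you actually signed up with
    for u in ("https://short.test/x1", "https://short.test/x2", "https://short.test/loop"):
        print(u, "->", check_link(u, allow, head=fake_head))
```

Two caveats a practitioner would want: an allow-listed final host is necessary but not sufficient (a legitimate site can be compromised, and a valid certificate says nothing about the intent of the page), and some shorteners and landing pages redirect with a 200 response carrying a meta refresh or JavaScript, which a HEAD request will not reveal; treat a chain that stops at an unfamiliar host with a 200 as unresolved rather than safe.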

While the March Madness warning signs against phishing attacks are posted in every corporate breakroom, each year the cyber onslaught rolls on like a barrage of baseline jump shots. Why? They work. Most organizations fail to do the basics in educating their employees, and if they do provide the occasional in-house seminar, the follow-up reinforcement is lacking.

According to Verizon’s 2018 Data Breach Investigations Report, people are still falling for phishing campaigns. The report says the good news is that 78 percent of people don’t click on a single phishing campaign all year. But, on average, four percent of the targets in any given phishing campaign will click it. And incredibly, the more phishing emails someone has clicked, the more likely they are to do so again.

“With popular sporting events like March Madness, it’s easy for attackers to prey on human emotions with excitement running high and money on the line. With so many employees participating in office pools and brackets, it’s critical to avoid getting phished through fake sporting-themed websites, contests and offers around the games or malicious browser extensions that claim to keep track of scores and stats,” says Atif Mushtaq, CEO at SlashNext, a Pleasanton, Calif.-based provider of third-generation internet security solutions. “There are thousands of new phishing sites popping up each day, and they avoid detection by appearing legitimate or by being hosted on reputable but compromised sites, bypassing current security tools, and then quickly moving on to different sites to avoid being blocked. You should safely encourage ‘bracketology’ and fun office contests, but it’s more important than ever to have the right security tools in place, such as real-time anti-phishing defenses, and train users to exercise extreme caution when participating in these activities. With the increased use of BYOD and dual-purpose devices, it’s important to avoid giving away login credentials or accidentally adding malicious browser extensions which can be used to breach corporate assets.”

Perhaps the scariest wildcard in this year’s March Madness risk equation is that hackers are armed with more of your personal data than ever before, thanks to the huge number of data breaches that have taken place in the last few years, admits Nathan Wenzler, Senior Director of Cybersecurity at Moss Adams, a Seattle, Wash.-based accounting, consulting and wealth management firm.

“Another year brings another March Madness. With it comes another chance for cybercriminals to steal your identity or financial information. Like we’ve seen around this time every year, the number of scams and malicious emails is on the rise, taking advantage of the interest around fantasy leagues, tournament brackets and other contests,” says Wenzler, warning that with the increased amount of information available, cybercriminals are personalizing the malicious emails and fake websites to seem more real and legitimate than ever before, making it that much harder for people to determine when they’re interacting with something that’s a fraud.

Although Wenzler can’t offer bracket advice, he does offer a few tips to help ensure organizations and individuals will not fall prey to a damaging breach via a phishing attack. He suggests:

  • Ignore emails to join tournament bracket pools from sites or groups that you didn’t explicitly request to join. Fake emails can look very much like the real thing, so, if you didn’t sign up for it on the legitimate site or ask to be contacted, don’t take any chances by clicking on links or opening attachments in these messages.
  • Always go directly to the site where you’re managing your tournament bracket, rather than clicking on a link from another webpage or in an email. It’s less convenient, but typing the site’s address into your browser reduces the chance that you’ll be rerouted to a fake website or, worse, that malware gets loaded on your system.
  • Never give out more information than you need to participate in the pool. If a site starts asking for very personal information or financial details like your Social Security number, bank or credit card account numbers, PINs or personal verification questions and answers, there’s a good chance it’s trying to scam you out of that information.
  • If you’re not completely sure about a website or an email, speak up! Every legitimate company out there has a support team that can tell you if the email you’ve received is from them or not. Some even have automated systems where you can forward the message to them and they’ll validate it for you on the fly. If it seems in any way like it might be a scam, don’t hesitate to reach out and check with the company or group involved.

About the Author:

Steve Lasky is the editorial director of Security Media Group, which includes three of the security industry’s top print magazines and its number-one website. He is a 32-year veteran of the security/risk industry. He can be reached at [email protected].