Cyber games at the World Cup 2018

Woohoo! The World Cup is coming! That’s what I would say if I wasn’t a stereotypical American who knows almost nothing about football (soccer to us Americans). Or a stereotypical security geek who knows almost nothing about our own handegg sporting events. I’m not really interested in either form of football. However, I am interested in understanding an event that draws interest from around the Internet and what it means to the security of the event, the organizations supporting it, and all the properties that have nothing to do with the event, yet somehow draw an attacker’s ire anyway.

Looking back at the 2014 World Cup, we saw five attacks that showed strong indicators that the event was influencing attack traffic at a national level. The day of the Brazil vs. Croatia match, attack traffic originating from Croatia was nearly eight times higher, specifically targeting a Brazilian financial institution. Most of the traffic came in the form of SQL injection. Maybe the attackers were hoping the Security personnel would be more interested in watching the game than their computer screens and they’d slip through? 

The Spain vs. Netherlands game drove a different sort of attack, most likely by an unhappy fan. The target was actually the sports page of a Dutch newspaper, specifically the story covering the Dutch team’s win. If no one can read the news, did it actually happen? Sorry, but yes, it did.

But even geeks sometimes watch football. Both the Chile vs. Australia and Cote D’Iviore vs. Japan matches saw an initial down turn in general web traffic, followed by a wave of DDoS and application attacks, once it was clear who the winner would be. If you can’t distract the other team using a vuvuzela, I guess taking your enemy’s site off-line is the next best thing.

Enough about the past, what do we expect to see in the future? The location of the World Cup and any politics related to the region always influence attack traffic. There was evidence of politically motivated DDoS attacks during the event in Brazil, and there is little reason to believe this would be any different for an event in Russia. It’s very hard to track the actual source of these sort of attacks; we can tell where the traffic came from, but it’s nearly impossible to pinpoint where the attacker is without considerable effort.

Game time distractions online

We predict enthusiastic fans will attack the web sites of their opponents this World Cup too, especially as we get closer to the finals. There are numerous DDoS-for-hire sites available, which means that someone with little technical skill, but a fat bitcoin wallet can rent a volumetric DDoS attack for the duration of a game, if they want — with little trouble. Though they might want to be careful, as Europol and other law enforcement organizations have recently taken down the Webstressor service and are following up with some of its customers in person. 

The United States has long been the biggest target and generator of all types of attacks on the Internet, whether it’s DDoS or application attacks, but we don’t have a team in this year’s competition. Does this mean that attack traffic will be diverted from the U.S. to other targets related to the World Cup? Well, yes and no. It is likely that there will be subtle shifts to the threat landscape because of an increased focus on Russia, but it probably won’t be a significant portion of the overall traffic. To put it another way, the additional attack traffic headed toward the targets will be huge from their point of view, but when compared to the sum of the world’s traffic, it won’t be that noticeable.

Similar to the larger trends in DDoS, reflection attacks will continue to be the main tool of choice. DNS, NTP, CharGEN and SSDP are always the primary suspects, though there’s a slim possibility that a new attack vector could be released during the World Cup. The security response to the discovery of memcached as a reflector clamped down that vector quickly this past April, but a new vector could pose a significant threat to sites and video streams if it was used correctly. 

Hackers going for the goal

We saw evidence of web application attacks that appeared to be timed to coincide with specific games, but that could be more incidental than coordinated. There is anecdotal evidence of attackers who’ve used DDoS attacks to distract defenders from attacks against other systems in the past. As mentioned, during the Croatia vs. Brazil game there was an upturn in SQLi attacks, but it’s not quite conclusive evidence.

While it’s not exactly a DDoS or a traditional web application attack, one of the biggest threats we expect the average user will be aware of is the use of bots to buy event tickets. Bots being trained to buy tickets or products, like shoes, are a known problem at most events, so it’s almost certain that there are organized efforts to purchase tickets for scalping. There’s a constant dance between event organizers and criminals who want tickets for resale, something Akamai is interested in helping combat.

One final point regarding what to expect from the upcoming World Cup:  criminals love major sporting events. Akamai has soon-to-be-released research on account takeover attempts against hotel and travel sites, highlighting where these attacks are coming from. While it probably won’t surprise many people to see that many of the credential abuse attempts we see come from Russia, the sheer number of these attacks we see on a daily basis might. 

It’s almost certain that there will be attacks motivated by national pride. It’s equally certain, that bad guys will see a heavily attended (both physically and virtually) event like the World Cup as too attractive to ignore. If your organization is directly or indirectly associated with the World Cup, plan for an increase in attacks, even if there’s no logical reason you think you’d be a target. Sometimes, even having a name similar to another target or being in the same region as a hated opponent is enough reason for someone to send a DDoS your way.