As the hype surrounding March Madness increases and more people partake in NCAA brackets, especially in office pools, consumers and employers should be prepared for a surge in cyber attacks, including more phishing attacks and financial scams.
Cyber criminals are prepped for the excitement and hype building around the NCAA basketball games by infecting emails with malware, creating fake betting websites and increasing phishing attacks.
“Security professionals at organizations of all sizes are preparing for a surge of potential March Madness related cyber attacks through the beginning of April,” said Dan Lohrmann, chief security officer at Security Mentor, a Pacific Grove, Calif.-based security awareness training provider.
The problem of the rise in cyber attacks is compounded because many office pools pop up during this time, increasing the odds of malware infecting emails and software programs in the workplace.
“Nearly every aspect of any employee’s involvement with March Madness could easily open up the employee, as well as the organization, to a number of cyber risks,” Lohrmann said. “Cyber criminals are well aware of the popularity of March Madness.”
Types of Attacks
Hackers are already sending spearphishing emails to millions of college basketball fans and even non-basketball fans who just want to take part in the fun of office pools. Unauthorized apps that employees download onto their smartphones or tablets could have malware embedded in them that could infect devices owned by the company.
The rise in the use of bandwidth to watch or merely monitor the games could slow down the office’s operational systems almost like a denial of service attack, Lohrmann said.
“It can be beneficial to all involved to find the time to watch the games together on a television in the breakroom and have a team building party,” Lohrmann said. “We need to remind staff of the importance of being alert for online risks that come at us every March.”
Hackers have been participating in March Madness across many devices for several years, especially ones which promise information on score and bracket updates, said Mark Parker, senior product manager at iSheriff, a Redwood City, Calif.-based provider of enterprise cloud security solutions.
As more people use apps to provide information, the amount of advertising and malware also rises substantially, especially among the rogue March Madness ones, he said.
“Pillagers hang out near the watering holes that draw the prey, because it is easier than hunting the victim outright,” said Parker. “March Madness is one major event which provides that easy-to-access watering hole for online criminals.”
Even legitimate websites which are downloaded and ones which are spoofed are infected with malware. Hackers are increasingly targeting users on popular, well-known websites such as Yahoo, CBS Sports and ESPN with phishing attacks.
Malware can also infect software and devices when it masquerades as video players which allow the user to stream the games, said Parker.
A large influx of fake betting sites has been created in order to “grift the credit card information of unsuspecting users,” he said.
Even links posted in forums, comments and social media which promise information or streams are not immune from criminals, since they can direct the user to an infected site, Parker said. Consumers should be even more alert during March, avoid clicking on links within emails from March Madness sites, and type the URLs into the browser instead of copying them.
“Most importantly, do not install any software from any March Madness related sites,” Parker said. “As with anything popular, criminals are drawn to any opportunity that’s easy to exploit. Just as thieves target frequently visited locations that provide a target-rich environment, so do the online crooks behind malware.”
Aside from the many hours of lost productivity as employees feverishly watch games for their brackets, being swept up in the playoffs means that cyber criminals are ready to take advantage of the situation, said Nathan Wenzler, executive director of security at Thycotic, a Washington, D.C.-based provider of privileged account management solutions.
While employees are rooting for their teams or competing in their favorite fantasy leagues with friends or co-workers, companies should increase their usage of web-filtering and content-blocking products, which can prevent access to known malicious sites, he said. Blocking access might be an unpopular move with employees who want to keep tabs on their chances of winning an online tournament, but it lets managers reduce to none the odds that an employee clicks on a malicious site or email.
“If an organization chooses not to go to that level, then stronger monitoring, anti-malware and anti-phishing programs should be in place to intercept and prevent any attempts by a cyber-criminal to lure an employee into clicking on a malicious link,” Wenzler said.
Common signs of a phishing email include misspellings in the text, email addresses that don’t match the name, email addresses that don’t look familiar or don’t come from a legitimate website, and messages that ask consumers to log in or provide credentials or to click on a link to view, download or visit another site, he said.
“You can protect your personal identity and financial information,” Wenzler said. “There will also be an increase of criminal activity by hackers attempting to take advantage of the hoopla. We should all treat every March Madness email like we would any other suspicious email.”
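Several of the phishing signs Wenzler lists can be checked mechanically on inbound mail. The Python example below is an addition to this article, not code from any vendor quoted in it. It flags three of those signs: a sender name that doesn't match the address, a request for credentials, and a link whose visible text names a different domain than its target. The brand table, sign labels and sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: brand names mapped to the domains they legitimately send from.
KNOWN_BRANDS = {"espn": {"espn.com"}, "cbs sports": {"cbssports.com"},
                "yahoo": {"yahoo.com"}}
CREDENTIAL_WORDS = re.compile(r"\b(log ?in|sign ?in|password|credentials)\b", re.I)
LINK = re.compile(r'<a\s[^>]*href="https?://([^/"\s:]+)[^"]*"[^>]*>(.*?)</a>',
                  re.I | re.S)
DOMAIN_IN_TEXT = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

def registered(host):
    """Last two labels of a host name (simplification: no public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def phishing_signs(raw):
    """Return the sorted list of phishing signs found in one raw message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender = registered(addr.rpartition("@")[2])
    body = msg.get_payload()
    signs = set()
    # Sign: the display name claims a brand, but the address is not the brand's.
    for brand, domains in KNOWN_BRANDS.items():
        if brand in name.lower() and sender not in domains:
            signs.add("sender-name-mismatch")
    # Sign: the message asks the reader to log in or provide credentials.
    if CREDENTIAL_WORDS.search(body):
        signs.add("asks-for-credentials")
    # Sign: the link text shows one domain while the href goes to another.
    for host, text in LINK.findall(body):
        shown = DOMAIN_IN_TEXT.search(text)
        if shown and registered(shown.group(1)) != registered(host):
            signs.add("link-text-mismatch")
        elif registered(host) != sender:
            signs.add("link-off-sender-domain")
    return sorted(signs)

# Constructed sample message (not a real email).
SAMPLE = """From: "ESPN Bracket Challenge" <updates@espn-brackets.example>
Subject: Your bracket is busted
Content-Type: text/html

<p>Log in now to veiw your updated bracket:</p>
<a href="http://scores.bracket-login.example/espn">www.espn.com/bracket</a>
"""

if __name__ == "__main__":
    print(phishing_signs(SAMPLE))
```

Any flagged sign is a reason to treat the message as suspicious and type the site's URL into the browser by hand, as the article advises.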