Super Bowl LVIII presents a large attack surface for threat actors

The outcome of this year’s Super Bowl matchup between the Kansas City Chiefs and the San Francisco 49ers on Feb. 11 at Allegiant Stadium in Las Vegas will likely remain unknown until the final down of the game. But one thing that is already abundantly clear is that attackers will have no shortage of targets to hit during the event.

The NFL's continued digitalization of almost every aspect of the event, from the ticket office to gate access systems and virtually every other point of contact with fans, has opened up new vulnerabilities and targets that its security team must protect. Concerns include threats to arena security, ransomware attacks on critical systems, phishing and credential theft, and threats to personal data and other sensitive information belonging to fans, NFL employees, players and coaches.

Getting ready for the big (security) game

In conversation with Dark Reading at the start of the 2023/2024 season, NFL CISO Tomás Maldonado identified AI-based phishing attacks and deepfake audio and video scams as additions to the slew of existing security challenges the league already has to deal with.

The NFL itself has long been preparing to identify and assess threats to the Super Bowl – arguably the most-watched television event each year – and to implement plans to address them. Last September, league officials, in coordination with 100 other stakeholders including the US Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency (CISA), conducted a tabletop exercise in which they examined a series of attack scenarios that together had a cascading impact on the physical systems supporting the event.

That exercise was part of an ongoing effort between the NFL and other participants to prepare for any security challenges that might emerge during the game. Stakeholders added that preparedness will be particularly important considering the growing geopolitical tensions related to events in the Middle East.

The security implications of the digitalization of sporting events

Karl Mattson, field CISO at Noname Security, believes that API-related security issues are likely a top priority for attackers this year, given the NFL's extensive digital transformation in recent years.

“API threats surrounding the Super Bowl affect three areas: digital fan experience, advertising, and event infrastructure,” Mattson says.

The most likely scenario, should an API-related attack occur, is a large-scale theft of NFL fans' personal information, which could include authentication or biometric data, he notes. The digital fan experience of purchasing tickets, shopping for merchandise, betting online and other interactions all relies on API-enabled services. "Every aspect of a fan's consumption of the NFL product involves the exchange of personal or payment information that can be exploited by an attacker who discovers a poorly controlled API," he says.

The same goes for advertisers who air commercials during the event and stand up a new website or service to capture consumer response. Without first load-testing it against a wave of visitors or a DDoS attack, the effort can fail. Mattson references Coinbase's memorable 2022 Super Bowl ad, which consisted only of a bouncing QR code that directed viewers to a promotional website the company created for the ad. The website crashed shortly after the ad aired due to the sheer volume of visitors.

The physical event and public infrastructure supporting the Super Bowl also rely on API-first technologies. The stadium's 5G network, local security and emergency services, and utility systems all use API-based services for routine operations that attackers could potentially try to disrupt, Mattson says.

Online gambling: fertile ground for new scams

The rise of online gambling and sports betting opens up new ground for cyberattackers. The phenomenon has created fertile soil for new and evolving scams targeting events like the Super Bowl, says Stuart Wells, CTO at Jumio.

"A myriad of betting apps and websites are readily available at our fingertips, attracting a wider audience, including younger demographics more accustomed to digital interactions," says Wells. This accessibility, unfortunately, coincides with a rise in synthetic identity fraud, in which criminals create fake identities by combining a fabricated name with snippets of stolen identity information, such as a real date of birth and Social Security number.

"Synthetic identity fraud, in particular, can be tricky for gaming operators because it makes it extremely difficult to track malicious actors," notes Wells. "If an attacker manages to bypass defenses and operate under a synthetic identity, they may be able to operate undetected, meaning operators may not catch a fraudster until a player's account has been manipulated or some type of fraud has been committed."

Compounding the situation is the relative lack of privacy protections in many of the betting apps that people use to wager on events like the Super Bowl. A new study from privacy firm Incogni looked at seven of the most popular betting apps and found that most of them collect and share private data extensively without adequate disclosure.

The biggest data guzzler was DraftKings, which Incogni said collected 22 data points from users, including their precise location, contacts, messages, photos and videos. Betting apps from Caesars, Sky Bet and William Hill were relatively close, collecting 17 data points each, including precise location, in-app search history, health information and purchase history. Meanwhile, Caesars has led the way in sharing data collected from users’ devices with third parties.

Super Bowl fans should also expect a surge in fake tickets and counterfeit merchandise in online marketplaces, tempting fans with jerseys, hats and memorabilia that look real but are cheaply made and lack official logos, Wells says.

“All of these scams are likely to reach consumers via phishing emails and SMS. Consumers should proceed with caution and verify who they are doing business with before providing any personal or payment information,” he warns.

Business risk from unauthorized streaming sites

Ken Carnesi, CEO of DNSFilter, points to rogue streaming sites as a risk for organizations that allow employees to use unmanaged devices for work purposes. Data the company has collected from its network over the past month has shown a sharp increase in blocked sites with “NFL” in the domain name, he says.

“Traffic on our network increased during the playoffs, peaking on January 28, the same day as the AFC and NFC championship game,” Carnesi says. “Overall, from January 5th to the peak on January 28th, there was a 125% increase in traffic blocked by security.”

Risks for organizations that allow personal use of work devices without oversight include an increased likelihood of malware infections and phishing attacks.

“Additionally, these streaming activities can create network vulnerabilities, with insecure channels and peer-to-peer connections putting the integrity of the organization’s data at risk,” Carnesi says. “Data exfiltration is also a greater possibility, potentially exposing sensitive business information from illicit sites that collect and misuse user data.”
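The observation Carnesi describes, a spike in blocked resolver queries for domains containing "NFL", is something a defender can reproduce from their own DNS filter logs. The following is an added example, not DNSFilter's code or data: it parses a constructed resolver log (the format, field order, client addresses and domain names are all invented for illustration), counts blocked lookups per day whose domain contains a keyword, lists the most frequently blocked domains, and computes the percentage change between a baseline day and a peak day. The sample data is built so that the result matches the article's quoted 125% increase between January 5 and January 28.

```python
"""Per-day count of blocked DNS lookups for keyword-matching domains.

Added example; not the code or log format of any vendor named in the article.
Log format (constructed): "<YYYY-MM-DD> <client-ip> <queried-domain> <block|allow>".
"""
import re
from collections import Counter

# Constructed sample lines. Domains are placeholders under .example.
SAMPLE_LOG = """\
2024-01-05 10.0.0.12 nfl-stream-free.example block
2024-01-05 10.0.0.14 www.example.com allow
2024-01-05 10.0.0.19 watch-nfl-live.example block
2024-01-05 10.0.0.21 updates.vendor.example allow
2024-01-05 10.0.0.22 NFL-Playoffs-HD.example block
2024-01-05 10.0.0.23 chat.vendor.example allow
2024-01-05 10.0.0.25 playoffs-nfl.example block
2024-01-28 10.0.0.12 nfl-stream-free.example block
2024-01-28 10.0.0.14 nfl-championship-live.example block
2024-01-28 10.0.0.16 free-nfl-tv.example block
2024-01-28 10.0.0.17 afc-nfl-game.example block
2024-01-28 10.0.0.18 mail.vendor.example allow
2024-01-28 10.0.0.19 watch-nfl-live.example block
2024-01-28 10.0.0.21 nfl-stream-hd.example block
2024-01-28 10.0.0.22 NFL-Playoffs-HD.example block
2024-01-28 10.0.0.23 nfl-free-stream.example block
2024-01-28 10.0.0.24 stream-nfl-now.example block
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\S+) (\S+) (block|allow)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    date, client, domain, action = m.groups()
    # Domain names are case-insensitive; normalise before matching.
    return {"date": date, "client": client,
            "domain": domain.lower().rstrip("."), "action": action}


def matching_blocked(log_text, keyword="nfl"):
    """Yield parsed records for blocked queries whose domain contains keyword."""
    keyword = keyword.lower()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "block":
            continue
        if keyword in rec["domain"]:
            yield rec


def blocked_by_day(log_text, keyword="nfl"):
    """Return Counter mapping date -> number of matching blocked queries."""
    return Counter(rec["date"] for rec in matching_blocked(log_text, keyword))


def top_blocked_domains(log_text, keyword="nfl", n=3):
    """Return the n most frequently blocked matching domains as (domain, count)."""
    return Counter(rec["domain"] for rec in matching_blocked(log_text, keyword)).most_common(n)


def percent_increase(counts, baseline_day, peak_day):
    """Percentage change in blocked queries from baseline_day to peak_day."""
    base = counts.get(baseline_day, 0)
    if base == 0:
        raise ValueError("baseline day has no matching blocked queries")
    return (counts.get(peak_day, 0) - base) / base * 100.0


if __name__ == "__main__":
    counts = blocked_by_day(SAMPLE_LOG)
    for day in sorted(counts):
        print(f"{day}: {counts[day]} blocked")
    print("top domains:", top_blocked_domains(SAMPLE_LOG))
    print(f"increase: {percent_increase(counts, '2024-01-05', '2024-01-28'):.0f}%")
```

On a real resolver export the same three functions apply once `LINE_RE` is adapted to the vendor's field order; the per-day counts are what you would chart, and the top-domain list is what you would feed into a review of whether those categories should be blocked on work devices at all.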
