Going to the Olympics? Don’t let cybercriminals win the gold — from you

Taylor Armerding
Published in Nerd For Tech
7 min read · Jul 15, 2024

Everybody at the upcoming summer Olympic Games in Paris — one of the premier athletic events in the world — is going to be a competitor, like it or not.

Not on the fields, in the pools, or on the tracks, of course. That’s reserved for the elite athletes of the world, all of whom we usually view as good people, no matter what we think of their governments.

But that’s not the case with the other global competition. It’s going to be good people against bad people — organizers, staff, athletes, spectators, and the host city against cybercriminals. And the good guys can’t avoid competing and can’t afford to lose.

Willie Sutton famously said he robbed banks because “that’s where the money is.” Cybercriminals swarm the Olympics because that’s where they believe the vulnerabilities that lead to money, disruption, successful espionage, and more will be. And in too many cases, they will be right.

As they say in the cybersecurity world, the “attack surface” at the Olympics will be massive and varied. The event is expected to draw 13 million visitors to Paris. Dark Reading reported that the Paris 2024 Olympics organization will operate “more than 700 domains and 800 external web applications residing on more than 16 different cloud providers. Systems connected to the Games currently are located across nine different countries in the EU, Asia, and North America.”

And the number of attacks is expected to be in the billions. Again from Dark Reading, “During the 2021 Olympics in Tokyo, threat actors launched a staggering 450 million attacks at various Games-related targets. In comments to The New York Times earlier this month, Franz Regul, the individual responsible for cybersecurity at the Olympics, said his team expects to face between 8 and 12 times that number of attempts at this year’s Games.”

Indeed, it’s already begun. Bleeping Computer reported last week that “A large-scale fraud campaign with over 700 domain names is likely targeting Russian-speaking users looking to purchase tickets for the Summer Olympics in Paris.”

According to the story, “Researchers analyzing the campaign are calling it Ticket Heist and found that some of the domains were created in 2022 and the threat actor kept registering an average of 20 new ones every month.”

Attacks from everywhere

It won’t just be individual criminals or gangs doing the attacking either. It will be nation states. Mandiant, a cybersecurity firm that is now a subsidiary of Google, predicted in a post last month with “high confidence” that Russia is the most severe threat to the Olympics, in part because Russian athletes aren’t being allowed to compete under the flag of their home country. China, Iran, and North Korea pose a lesser risk, according to the post.

The targets are also varied. Besides efforts to steal sensitive data from the millions of attendees and participants, there are expected to be attacks aimed at disrupting critical infrastructure, sabotaging operations, taking out crucial security and surveillance systems, extorting money, and spreading propaganda and misinformation — even possibly coordinated terror and cyberattacks.

Boris Cipot, senior security engineer with the Synopsys Software Integrity Group, said the infrastructure risks exist because “all systems are controlled by software-driven devices. So a disruption on the computer networks could mean a delay in the games, problems with attendees entering the stadiums, and streaming of the event to viewers at home.”

Also, the risks, both to infrastructure and individuals, keep increasing because cybercriminals keep getting more sophisticated. While it’s not directly related to the Olympics, an Associated Press (AP) report just this past week noted how successful cyber scammers are at tricking people, especially elders, into wiring money to a “family member” in trouble. “These people are very good at what they do, and they’re very good at deceiving people and prying money out of them,” Fairview Township, Ohio, police Sergeant Brandon told the AP.

Mandiant predicted that Olympics-related threats would include “cyber espionage, disruptive and destructive operations, financially motivated activity, hacktivism, and information operations.”

Everything is a target

Potential targets include “the Olympic committee, Paris infrastructure, Olympic-related entities, athletes, country teams, support staff, physical infrastructure linked to the games, payment and ticketing systems, high-profile individuals traveling, and tourists.” And specific attack types could include “website defacements, distributed denial-of-service attacks, deployment of wiper malware, and operational technology targeting.”

As Cipot put it, during the Olympics “attackers will try to get the gold medal, which for them is personal and financial data. Breaching this data not only harms the individuals who are impacted, but it also harms the organizers, as by GDPR law such a breach can mean financial loss for them as well due to costly fines.”

So the threat is real, pervasive, and malignant. The news is not all bad, however. One piece of good news is that those running the Paris Olympics are very much aware of the threats and are better prepared to prevent or at least mitigate them. According to Mandiant, “The security community is better prepared for the cyberthreats facing the Paris Olympics than it has been for previous Games, thanks to the insights gained from past events.”

Politico reported that there will be 22,000 private security agents and 45,000 military and police forces protecting the Games, and that organizers have drastically reduced the size of the opening ceremonies due to fears of lethal drone attacks.

On the cyber front, France’s primary cybersecurity agency, ANSSI, began preparations for the event two years ago, which included extensive penetration tests and raising awareness “on a massive scale.”

Vincent Strubel, director of ANSSI, told Politico that “the goal for us is not to block 100% of the attacks that will happen during the Olympics. The goal is to block most of the attacks by raising the security level.”

Win with security hygiene

One major key to blocking attacks is the security of the Olympic Games app, which is expected to be downloaded by millions of people worldwide. That and other apps will be collecting personally identifiable information (PII) on users, which is the data gold attackers are seeking.

Adam Brown, managing security consultant with the Synopsys Software Integrity Group, notes that when users load the Olympics app, “it immediately asks for Bluetooth access, meaning it will interact with Bluetooth devices around it, be that for media interactivity or simply location tracking. Personally, I wouldn’t be happy to allow that unless I was sure that serious assessments of the robustness of the app had been performed and any vulnerabilities remediated.”

But he said he was encouraged that the app “does use well-known and well-established third-party authentication services including Google, Apple, and Facebook, rather than running its own authentication services. That’s good to see because robust authentication limits attackers’ ability to hack their way in to get your data.”

For organizations, security basics for protecting PII in any app should include classifying it to provide the most protection to the most sensitive data (financial, Social Security, etc.), and using rigorous encryption for the data, both at rest and in transit.

Among Mandiant’s recommendations are for organizations to improve their security against ransomware attacks by “protecting infrastructure, identities, and endpoints.”

“Cascading weaknesses across these layers create opportunities for attackers to breach an organization’s perimeter, gain initial access, and maintain a persistent foothold within the compromised network,” according to the company.

For attendees, the good news is that they don’t need to be helpless victims of attacks. While nothing will make you bulletproof in cyberspace, it is possible to become a much more difficult target. And most cybercriminals are looking for easier targets.

The Paris 2024 Olympics website has good advice on how to do that, including:

  • Create strong passwords and use a different password for every app you use. Strong passwords should be at least 10 characters long and include lower and uppercase letters, numbers, and special characters. If you think you can’t remember passwords, create passphrases, using the first letter of each word of the phrase to create a password, but also adding a mix of numbers and special characters.
  • Use a password manager, which means you will only need one strong password to access all your accounts.
  • Don’t share or leave passwords exposed, such as on sticky notes or in shared devices or web-based email accounts.
  • Use multifactor authentication whenever it is available.
  • Don’t get fooled by social engineering attacks — unsolicited emails, text messages, or phone calls asking (or demanding) that you provide personal or financial information, open an attachment, or click a link. Among the best practices are to check the address or phone of the sender, check the message content (scams are usually about a tempting offer, urgent requirement, or imminent threat), check the destination URL of a link, and never open attachments.
  • Know how to identify a legitimate web address. Make sure it includes https and/or a padlock at the beginning. Also know the order of the domain and subdomain. As an example, https://tickets.paris2024.org/test is legitimate, while https://paris2024.tickets.org/test is not.
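The domain-order check from the last item, written out as an added example (not code from the article or from the Paris 2024 site). The names `TRUSTED_DOMAINS` and `check_url` are hypothetical, every sample URL other than the two quoted above is constructed, and the userinfo and punycode checks go slightly beyond the case the list describes.

```python
from urllib.parse import urlsplit

# Assumption: a fixed allowlist holding the one domain the article names.
TRUSTED_DOMAINS = {"paris2024.org"}


def check_url(url, trusted=TRUSTED_DOMAINS):
    """Return (ok, reason). The host is read right to left: the rightmost
    labels name the owner, anything to their left is only a subdomain."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != "https":
        return False, "not https"
    # Text before '@' is login data, not the host, even if it looks like one.
    if parts.username is not None or parts.password is not None:
        return False, "credentials before '@' hide the real host"
    if not host:
        return False, "no host"
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, "punycode label (possible lookalike characters)"
    for domain in trusted:
        # Match on a label boundary so 'fakeparis2024.org' does not pass.
        if host == domain or host.endswith("." + domain):
            return True, "host is %s or a subdomain of it" % domain
    return False, "registrable domain is not trusted"


SAMPLES = [
    "https://tickets.paris2024.org/test",        # from the article: legitimate
    "https://paris2024.tickets.org/test",        # from the article: not legitimate
    "https://paris2024.org.example.net/test",    # constructed: trusted name used as a subdomain
    "https://paris2024.org@example.net/test",    # constructed: trusted name in the userinfo part
    "https://fakeparis2024.org/test",            # constructed: no label boundary
    "http://tickets.paris2024.org/test",         # constructed: right host, no TLS
]

if __name__ == "__main__":
    for sample in SAMPLES:
        ok, reason = check_url(sample)
        print("%-5s %-45s %s" % ("OK" if ok else "BLOCK", sample, reason))
```

Passing the https test only shows the connection is encrypted; the verdict on who owns the site comes from the domain comparison.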

To that list, Mandiant recommends “use burner devices, VPNs, user education, post-travel investigation and analysis; disable unnecessary device features; and reduce data access.”

Beyond those practices, Brown said that while in Paris, “spectators should be wary of connecting to wireless networks. These are trivial to set up and can be used for malicious purposes against anyone who connects to them, not least data theft from any services in use on their devices.”

Finally, another authentication measure is for families and friends to create a password or passphrase they all know and can use to challenge the authenticity of a caller claiming to be a family member in need of help. If a “granddaughter” begging for money doesn’t know that word or phrase, it’s a scam.

Yes, the Olympics are supposed to be fun and exciting, and it’s less fun and more inconvenient to do all this stuff. But think about it — do you really want to save a minute by ignoring basic security measures in exchange for a parade of horribles that could easily include the theft of your identity, an empty bank account, and credit card fraud? Talk about ruining your vacation.

That’s the kind of excitement you don’t want. So take your time. Don’t do anything in a rush. Think before you click. Don’t believe communications — calls, emails, texts — from anyone you don’t know.

You’ll have much more fun and avoid a lot of stress.

Taylor Armerding
Nerd For Tech

I’m a security advocate at the Synopsys Software Integrity Group. I write mainly about software security, data security and privacy.