With the 2019 NCAA tournament’s Final Four around the corner, researchers are urging viewers to be wary of a slew of March Madness-related phishing attacks, adware installers and other security threats.
While security concerns regarding popular sporting events – from the World Cup to the Super Bowl – is nothing new, researchers say that cybercriminals are becoming ever more trickier in avoiding detection.
Making matters worse, because many March Madness games have tipped off during work hours, viewers have been streaming them during office hours – opening businesses to all kinds of risks should they click on the wrong link.
“The NCAA tournament is a massive draw for users around the nation,” researchers with Zscaler said in a Friday analysis. “Taking a measured approach to how it is handled is critical for all businesses. The examples laid out should highlight the diversity of threats that attempt to exploit the excitement around the NCAA tournament.”
Adware
While a variety of legitimate sites – from ESPN to NCAA – offer streaming access during the tournament games, sometimes these sites are blocked by workplaces – causing a portion of viewers to click on alternative, sketchy sites that may contain adware or other types of malware.
“[Blocking] official streams sends users elsewhere to watch unofficial streams,” researchers Krishna Kona and Chris Mannon with Zscaler said. “These unofficial streams can lead to very real security incidents if left unchecked.”
In their recent analysis, Kona and Mannon looked at one such malicious streaming site that was laced with adware on almost every page.
This particular website (streamcartel[.]org) was registered one year ago during the NCAA tournament, and also uses other sporting events to further trick users into visiting the site, researchers said.
When the visitor clicks anywhere on the page of the website, or tries to open or close an ad, a new tab will open up.
Making matters worse, that browser contains a request (http[:]//www[.]adexchangecloud[.]com/jump/next[.]php?r=44011), which prompts the user to install a malicious fake browser plugin. That request purports to be a security warning ad/page from Microsoft Windows Firewall – but in reality, it’s an adware installer.
“The goal of this adware site or of any other is to make money by delivering unwanted ads to the user,” said researchers. “In addition to that, this site also has a PayPal donation link asking visitors to donate money.”
Phishing
Phishing is another popular and easy way for attackers to lure March Madness viewers into handing over their personal data or credentials.
“March Madness is well-known for pools created within the workplace, friends, family etc., where individuals compete with one another in predicting the most accurate NCAA basketball tournament bracket,” said Mike Banic, vice president of marketing at security firm Vectra. “The biggest security concern we foresee within these groups are phishing scams. Interest in March Madness is so broad that cyberattackers don’t even need to perform much social engineering to hook their phish.”
Researchers at SlashNext for instance told Threatpost that they have discovered dozens of tournament-themed phishing sites cropping up to lure in unsuspecting victims.
These phishing campaigns make use of tricky typo-squatted domains, which could trick users with terms closely associated with the NCAA tournament – for instance, Zscaler researchers said they have observed domains like marchmadnessresults[.]com, marchmadness[.]rocks, and watchmarchmadnesslive[.]com, all registered in the past two weeks.
“Within a week of the tournament starting we started catching the March Madness-themed phishing sites and shady ads,” Atif Mushtaq, CEO at SlashNext, told Threatpost. “New sites are cropping up daily, and our system alone has caught over 50 websites from just one of the prolific cyber-gangs. With the end game of committing credit-card fraud, the realistic-looking pages hope to attract victims getting caught up in the excitement and gambling that goes along with March Madness.”
Mushtaq told Threatpost that many of these sites are still live and clicking, and have yet to be blacklisted.
That’s because they appear to look legitimate or are being hosted on reputable but compromised sites, giving them the ability to bypass current security tools. The crooks also quickly move on to different sites to avoid being blocked, researchers said.
“March Madness, like other major sporting events, are prime opportunities for phishing scams, especially credential stealing and credit-card fraud,” Mushtaq said. “Browsers have become quite secure and are getting more so all the time. With improved software design and regular automated patching, zero-day browser exploits are getting rarer, but that doesn’t mean legitimate-looking phishing sites aren’t getting through to their intended targets.”
Avoiding Scams
Big sporting events like the World Cup and the Super Bowl have always drawn in cybercriminals hoping to cash in on the large viewership these events bring together.
Researchers said that when it comes to avoiding scams targeting March Madness viewers, enterprises should be proactive in training their employees to look out for suspicious-looking emails, links and websites.
“You should safely encourage ‘bracketology’ and fun office contests, but it’s more important than ever to have the right security tools in place, such as real-time anti-phishing defenses, and train users to exercise extreme caution when participating in these activities,” Mushtaq said.
“With the increased use of BYOD and dual-purpose devices, it’s important to avoid giving away login credentials or accidentally adding malicious browser extensions which can be used to breach corporate assets,” he added.
Other tips to avoid March Madness-related phishing scams include:
- Ignoring emails to join tournament bracket pools from sites that users didn’t explicitly request to join.
- Always go directly to the site where users are managing their tournament bracket – instead of clicking on a link from another webpage or in an email.
- Never give out more information than users need to participate in the pool.