2018's FIFA World Cup in Russia: Cybersecurity Concerns

The 2018 FIFA Soccer World Cup is being held in Russia June 14 - July 15, and many cybersecurity experts are warning soccer (or football, if you’re from outside the U.S.) fans that there is a significant risk of social engineering and other attacks aimed at them.

For example, experts cited by The Hill noted that “U.S. travelers should be extra cautious about what devices they bring, which servers they connect to and the types of data they access while in Moscow.”

Why do American fans traveling to the FIFA World Cup need to be so cautious? What are the risks involved with such a major sporting event—both for attendees and for businesses?

Here are a few of the reasons why cybersecurity experts are so worried about the potential for data compromise:

Russia is Known for Cybersecurity Concerns

In the Hill article, Robert Anderson, a former national security executive with the Federal Bureau of Investigation (FBI) and current member of the Chertoff Group, highlighted concerns about the cybercrime situation in Russia, stating that “When it comes to Russia, Russia by far — more than any country in the world — is probably some of the most well-versed cyber crime, both from the organized crime side and their intelligence networks, in the world.”

For U.S. visitors to Russia at any time of year, there is always a significant risk that their personal devices might be compromised if they join any public Wi-Fi networks.

As former top cyber official for the National Security Council, Megan Stifel says in the Hill article, “I would never use public Wi-Fi over there. Ever. Period.” One careless connection could easily result in the connecting device being contaminated with malware—a sentiment that Larry Pfeiffer, former chief of staff to one-time Central Intelligence Agency (CIA) Director Michael Hayden, mirrored when he stated that “I would tell people, don’t take any electronic device that you care about because odds are it is going to get hacked, you’re going to have malware put on it, your private information gets taken by somebody.”

Targeted Phishing Attacks Focused On FIFA Fans

The World Cup represents a major opportunity for scammers from all corners of the globe. For the next few weeks, there will be countless soccer enthusiasts from around the globe who are looking for news coverage of the game, trying to book passage to the venue, and even looking to score memorabilia from the event.

As Larry Pfeiffer said to The Hill, “I think it is an incredibly rich environment for anyone wanting to conduct cyber mischief… You are going to have a lot of very happy, very drunk, very distracted people whose cyber hygiene will probably be less than optimal.”

These “very drunk, very distracted” people attending the event or following the games on TV or radio could become prime targets for focused phishing attack campaigns carried out by malicious actors.

For example, thieves could pose as travel agencies sending out emails and reminders to FIFA fans who have booked flights and accommodations for the event (or were planning to). In these attacks, thieves could convince unguarded sports fans to divulge sensitive information, such as:

  • Credit card data,
  • User account information from their actual travel agency membership, or
  • Personally identifiable information (PII), such as their Social Security Number.

Using this information, hackers targeting FIFA fans could commit large-scale fraud.

Sports Fans May Prioritize the Event Over Security

It’s not unusual for sports fans to be engrossed in their favorite sporting events to the point that they put off actual work. In fact, most fans typically try to request time off for big game days so they can either attend in person or watch the broadcast from the comfort of their homes or favorite bar.

However, one SC Media post highlights just how much of an impact that an employee’s fandom could have on their ability to respond to cybersecurity issues—especially when that employee is in charge of cybersecurity:

“odds are several security professionals will be looking to sneak a peak [sic] at the games, which could be bad for the security of your business. LastLine researchers surveyed 326 professionals and found 30 percent of them suggested they would wait until after a crucial match to fix an urgent corporate security issue.”

This should terrify businesses. Because, when it comes to responding to and containing cybersecurity threats, timing is key. The longer it takes for your cybersecurity team to identify and contain a breach, the more damage an attacker can do because it gives them more time to “breakout” of whatever system they initially compromised and into other systems that might contain more sensitive data.

A delayed response to an alert could make the difference between stopping an attack in its tracks and a major data breach.

However, one silver lining mentioned in the SC Media article is that “83 percent [of surveyed professionals] don't believe that the FIFA World Cup poses a risk to their organization.” After all, most of these professionals are on robust cybersecurity teams, and not everyone is going to be distracted at the same time. Instead, 72% of these professionals believe that the biggest risk may be “a cyberattack against the event in the form of a DDoS attack, social media channel hack, email correspondence or mobile threats” that correspond to the event.

Avoiding Cybersecurity Risks During the World Cup

So, what can avid FIFA fans do to increase their cybersecurity while still enjoying the event? A few basic tips include:

  • Being Wary of Phishing Scams. Fans of FIFA who receive unsolicited emails from organizations claiming to represent the FIFA event or accommodation providers/travel agencies working with the event’s organizers should probably treat such emails with the same level of skepticism that they would treat an email from a random Nigerian prince who just needs their banking info—especially if they’re offering deals that sound too good to be true. That is to say, don’t believe any such emails; avoid clicking on any links or downloading any attached files without doing some serious vetting.

  • Leave Your Devices with Sensitive Info at Home. Given the sheer scope of the cybercrime industry in Russia indicated by the expert opinions from The Hill’s article, it may be better to leave your work devices and personal devices with sensitive data at home if you’re traveling to the FIFA World Cup. Instead, use a disposable device (such as a “burner” phone) while there—and, don’t connect to any sensitive accounts on public networks while there.

  • Avoid Unofficial FIFA Websites. Many attackers have set up fake FIFA websites to lure in unsuspecting victims. These sites may claim to be affiliated with the World Cup organizers, or to even be official FIFA companies offering accommodations, flights and “official” hospitality at stadiums. However, what these fake websites are designed to do is to trick visitors into clicking on download links for malware programs that the people running the website can then use to compromise their victims’ computers, smartphones, or other devices.

  • Practice Good Data Hygiene. If you must access a work account or other sensitive information for any reason, practice good data hygiene: Use a virtual private network (VPN), strong multifactor authentication (MFA) to secure your account, and make sure that whatever device you use has antimalware programs and other protections in place. Even then, assume your account may be compromised and take steps to secure or lock it down so others cannot use it.

It’s our hope here at Compuquip Cybersecurity that you can relax and enjoy the 2018 FIFA World Cup, but we also know that cybercriminals love to exploit these kinds of events for their own gain. With some effort, you can protect your most sensitive information while enjoying the World Cup.

If you need any help or advice about how to strengthen your cybersecurity posture, please contact the experts at Compuquip today! We’re always eager to help you protect your business from cybersecurity threats. For more information about cybersecurity, you can find our Cybersecurity Basics guide at the link below: