Cyber criminals aren't just targeting gamers, they're also targeting the gaming industry and those that support it at high volumes for profit.
It’s been 17 years since Xbox Live was first released. While it was not the first online gaming network, it did become a cornerstone of things to come. Fast forward almost two decades, and we find ourselves completely immersed in a culture of online multiplayer games and digital content.
For example, this year, Dota 2 The International, the annual Dota 2 World Championship, was viewed online by close to a million people around the world, while thousands attended the matches in person at the Mercedes-Benz Arena in Shanghai, China. The 9th annual Dota 2 championship hosted 18 teams this year and featured over $34 million in cash prizes!
Young adults with corporate sponsorships winning millions of dollars in cash prizes at eSports events is just the tip of the iceberg for the industry. A recent report estimated that the video game market will become a $300 billion industry in the next five years.
With these kinds of projections and valuations, it’s fair to say that the threat towards gamers and those that support gaming networks will grow in lockstep with the market size.
There are many risks currently facing the gaming industry, but three are especially common: Account Takeovers, Malicious Virtual Goods, and traditional DDoS attacks on both user platforms and corporate servers.
- ATO – Also known as Account Takeover, this attack is a type of identity theft where a criminal gains unauthorized access to an account for online fraud. Typically, this attack is carried out with a vector known as credential stuffing.
- Malicious Virtual Goods – More commonly known as Trojans, malicious virtual goods are lures such as in-game cheats, services, or items designed to conceal a malicious payload. Once the user executes the file, their system is infected with malware.
- DDoS Attacks – A Distributed Denial-of-Service attack occurs when multiple infected devices flood a targeted system to make it or its network resources unavailable. Typically, attackers will target gaming networks or the users themselves.
Users Bear the Brunt
While companies deploy advanced defense solutions to protect their gaming infrastructure, cyber criminals seek their own level. Cyber criminals don’t have to find a way to bypass your security solutions to cause a problem; they just need to find a new level to operate on. Unfortunately, this typically means targeting the user who is less likely to have an advanced security solution in place.
Recently, Mortal Kombat 11 developers had to address a series of DDoS attacks plaguing users in their ranked online game mode. Mortal Kombat 11 features a ranked online competitive leaderboard where top players compete and are ranked globally. As a result, users looking to cheat the system launched DDoS attacks against their opponents — not the gaming infrastructure — to disconnect them from the match. Once the opponent was disconnected, the attacker would gain ranking points for the forfeiture and effectively cheat their way to the top rank of ‘Elder God.’
In one case, a streamer was threatened by an attacker who was able to discover his home address. Unfortunately, in this case, the victim was sent links that were designed to capture his IP address. In the image below, you can see an example of the domains used. One domain is a URL hijack of what appears to be a YouTube link, but instead of a traditional ‘u’ in the URL, the logging service uses an ‘ü’ in an attempt to trick their victims.
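The look-alike domain described above is something a chat filter or a cautious reader can check for mechanically. The following is an added example (not code from the original post or from Radware): it decodes any Punycode (xn--) labels, reduces the host to the ASCII letters a person perceives, and reports when the two differ. The sample links are constructed; "yoütube.com" stands in for the domain the post describes.

```python
"""Flag look-alike links whose host uses non-ASCII or Punycode (xn--) labels.

Added example, not from the original article. The sample links are
constructed; "yoütube.com" stands in for the look-alike domain the post
describes, where a dotted 'ü' replaces the 'u' a reader expects.
"""
import unicodedata
from urllib.parse import urlsplit

# Constructed sample links. The third is the Punycode form a browser or
# mail client may show for the second (built here rather than typed in).
SAMPLE_LINKS = [
    "https://www.youtube.com/watch?v=constructed",
    "https://yoütube.com/watch?v=constructed",
    "https://" + "yoütube.com".encode("idna").decode("ascii") + "/watch",
]


def unicode_host(host: str) -> str:
    """Decode any Punycode (xn--) labels so the host is seen as a user reads it."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already contains non-ASCII characters; nothing to decode


def ascii_skeleton(host: str) -> str:
    """Reduce a host to the ASCII letters a human perceives.

    NFKD splits 'ü' into 'u' + combining diaeresis; dropping combining marks
    and any remaining non-ASCII code points leaves the look-alike target.
    """
    decomposed = unicodedata.normalize("NFKD", host)
    return "".join(
        ch for ch in decomposed
        if not unicodedata.combining(ch) and ord(ch) < 128
    )


def suspicious_chars(host: str) -> list:
    """Name every non-ASCII character in the host, with the ASCII letter it resembles."""
    out = []
    for ch in host:
        if ord(ch) > 127:
            base = ascii_skeleton(ch) or "?"
            out.append((ch, unicodedata.name(ch, "UNKNOWN"), base))
    return out


def check_link(url: str) -> dict:
    """Report whether a link's host is a look-alike of an all-ASCII name."""
    raw_host = urlsplit(url).hostname or ""
    shown = unicode_host(raw_host)
    skeleton = ascii_skeleton(shown)
    return {
        "host": raw_host,
        "as_displayed": shown,
        "looks_like": skeleton,
        "punycode": any(label.startswith("xn--") for label in raw_host.split(".")),
        "lookalike": skeleton != shown,
        "chars": suspicious_chars(shown),
    }


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        report = check_link(link)
        verdict = "LOOK-ALIKE" if report["lookalike"] else "ok"
        print(f"{verdict:10} {report['host']} -> reads as {report['looks_like']!r}")
        for ch, name, base in report["chars"]:
            print(f"            {ch!r} ({name}) in place of {base!r}")
```

The check deliberately works on the host as displayed rather than on the raw bytes: a Punycode label looks harmless in a log file but renders as the look-alike in a chat client, so decoding first is what makes the comparison meaningful.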
This month, security firm Cyren also released a report detailing how cyber criminals are now leveraging open-source ransomware variants to target Fortnite users who are looking to cheat the game by downloading malicious goods such as aimbots.
Given the recent popularity of Fortnite, it’s no surprise that cyber criminals have begun using its reputation as a lure to target unsuspecting users. In this specific case, once a user has downloaded and run the Fortnite aimbot, a malicious payload is deployed on the victim’s PC. This payload is a ransomware variant of Hidden Cry with a .Syrk extension.
Users are becoming heavily targeted in the gaming industry as companies around the world work to harden their systems. While corporations work on securing their infrastructure from new and evolved attack vectors, we need to take the time to help educate not only gamers but users in general. Awareness, training, and education can go a long way.
How to Protect Yourself
One of the first things a gamer can do to secure their privacy and game play is to practice proper password hygiene. I know, it sucks, especially for console players without a keyboard, but this is the low-hanging fruit cyber criminals target. To prevent online identity fraud from ATO bots, use unique and secure passwords for all accounts. This way, if an account is compromised, criminals will not be able to access other accounts that use the same password.
Second, if a service offers multi-factor authentication, use it! Considering the amount of money that’s on the table for eSports and in-game items, treat your account like you would a bitcoin wallet.
Last, but most definitely not least, be aware of phishing as well as cyber-bullying in game. You do not have to engage with toxic users. Do not click on their links or respond to them, no matter how tempting it may be. If you are being pressured, threatened or intimidated in game: Report, Block and Disconnect. Most of the time, these criminals are looking for streamers that they can get a live reaction out of. If you do not provide them with their desired response, they will move on to someone who will.
Download Radware’s “Hackers Almanac” to learn more.
In June, I traveled to Israel to attend BsidesTLV and Cyber Week. Both of these events included incredible presentations, workshops, and networking opportunities. They also provided many unique opportunities to discuss research, privacy, and policy on many different levels with industry leaders and government officials from around the world.
Some of my preferred events during Cyber Week included Exploring The Grey Zone of Cyber Defense, Cyber Attacks Against Nations, and Academic Perspectives on Cybersecurity Challenges.
One of the expert lectures during the Academic Perspectives event struck a chord with me. The speech was titled, ‘Normalization as an Approach to Norms,’ and was presented by Prof. Martin Libicki, Professor at the U.S. Naval Academy.
At a high level, the talk was about the use of normalization as an approach to determining what cyber behaviors, carried out by governments, could be considered social norms in the cyber domain and who gets to set this gold standard. (If you would like to watch it for yourself, it can be found here on YouTube).
The part that resonated with me is when Prof. Libicki started talking about who might set the gold standard and what are considered normal cyber behaviors from different countries. For example, North Korea is known for robbing banks, and Russia is known for election interference and targeting the energy sector. Are these activities we want to accept as normal behavior? Of course not.
What about China’s behaviors that include launching DDoS attacks on dissidents? Are we, the security industry, the gold standard, comfortable with allowing others to use denial of service attacks as a way to silence others?
This lecture was focused on nation-state attacks and real cyber warfare, but it left me connecting dots and wondering, hasn’t the security industry already accepted denial of service attacks as normalized behavior?
Are Denial of Service Attacks a Social Norm?
In my opinion, yes, denial of service attacks, and the behaviors that enable them, are now accepted and expected on all levels. But why has this happened? Why have denial of service attacks become tolerated? The sad truth is we, the security and tech industry, allowed this to happen by accepting specific actions within the community and not speaking up about others.
One of the main reasons why denial of service attacks became a social norm is their popularity, and the attention paid to them earlier in the decade among hacktivists and gamers. With this came the availability for anyone to freely access the source code, tools, and resources needed to conduct an attack of their own.
In general, no one prevents the availability of the source code and tools from being publicly accessible. In fact, criminals AND researchers do their fair share in propagating these tools and scripts used to launch denial of service attacks by hosting them on code repository sites.
Another reason why denial of service attacks became a social norm is that legitimate companies like hosting providers and social media outlets allowed the activity for one reason or another. For example, social media platforms enable criminals to not only post operational details but also to advertise their malicious services publicly. At the same time, the hosting providers turn a blind eye for profit and allow criminals to host and mask their infrastructure with their services.
Also, at this point, you could almost say manufacturers and some ISPs are co-conspirators. Manufacturers are building and shipping vulnerable IoT devices with no intention of patching or providing software updates for known exploits, thus contributing to the number of devices that could be leveraged by a botherder for a denial of service attack. You also have ISPs that know they are significant offenders and the main source of the malicious traffic, yet do very little to mitigate the activity, let alone respond to abuse reports.
So, are we comfortable allowing others to use denial of service attacks as a way to silence people? From my perspective, it seems like we do a lot to support the activity.
Acceptance is a Slippery Slope
To be clear, in no way am I saying that a denial of service attack is nothing to worry about now that they have become a norm. But I believe most of us have grown to accept denial of service attacks, specifically temporary network outages, as a regular occurrence, or have written them off as the cost of doing business in the digital era, and that is what has led to this path of acceptance and normalization.
At any rate, if China’s use of denial of service attacks against foreign platforms used by Chinese dissidents is acceptable, or something we allow to happen without any action, then the average denial of service attack against your corporate network is considered normal behavior as well.
Under this current environment of acceptance, it becomes harder to look at the average botherder and say their behavior is not normal or acceptable, while simultaneously taking a passive approach on nation-states that use the same attack vector.
If we want to reduce the number of denial of service attacks by non-government actors, then we have to lead by example as the gold standard. We have to make sure people know that nation-states’ use of denial of service attacks is unacceptable. We also have to do more to prevent malicious actors from gaining access to the tools used to launch these attacks.
Hosting attack services and code should not be acceptable behavior from the security community.
How Much More Will We Tolerate?
This is a question I don’t have an answer for. At the moment, we tolerate a lot. At this rate, almost every teenager, at some point, will be involved in or know someone who is engaged in launching a DDoS attack. And while some will write it off as child’s play to just knock their friend offline, we all know they likely got the code from one of our public repositories or used different services that some of us manage to mask their origin.
Remember, we as the security industry set the golden standard, and when we tolerate specific behavior for long enough, it becomes socially acceptable.
Traditionally, DDoS is an avenue of profit for botherders. But today’s botnets have evolved to include several attack vectors other than DDoS that are more profitable. And just as any business-oriented person would do, attackers follow the money.
As a result, botherders are targeting enterprise and network software, since residential devices have become oversaturated. The days of simple credentials-based attacks are long behind us. Attackers are now looking for enterprise devices that will help expand their offerings and assist in developing additional avenues of profit.
A few years ago, when IoT botnets became all the rage, they were mainly targeting residential devices with simple credential attacks (something the DDoS industry does not prevent from happening; instead we take the position of mitigating attacks coming from infected residential devices).
From Personal to Enterprise
But now that attackers are targeting enterprise devices, the industry must reevaluate the growing threat behind today’s botnets.
We now have to focus on not only protecting the network from external attacks but also the devices and servers found in a typical enterprise network from being infected by botnet malware and leveraged to launch attacks.
In a blog posted on MIT’s Technology Review titled, Inside the business model for botnets, C.G.J. Putman and colleagues from the University of Twente in the Netherlands detail the economics of a botnet. The article sheds some light on the absence of DDoS attacks and the growth of other vectors of attack generated from a botnet.
In their report, the team states that DDoS attacks from a botnet with 30,000 infected devices could generate around $26,000 a month. While that might seem like a lot, it’s actually a drop in the bucket compared to other attack vectors that can be produced from a botnet.
For example, C.G.J. Putman and Associates reported that a spamming botnet with 10,000 infected devices can generate $300,000 a month. The most profitable? Click fraud, which can generate over $20 million per month in profit.
To put that in perspective, AppleJ4ck and P1st from Lizard Squad made close to $600,000 over two years operating a stresser service called vDoS.
So let me ask this: If you are a botherder risking your freedom for profit, are you going to construct a botnet strictly for DDoS attacks or will you construct a botnet with more architecturally diverse devices to support additional vectors of profit?
Exactly. Botherders will continue to maximize their efforts and profitability by targeting enterprise devices.
Read the “IoT Attack Handbook – A Field Guide to Understanding IoT Attacks from the Mirai Botnet and its Modern Variants” to learn more.
Raids and take-downs have become standard on the Darknet as agents across the world continue to step up enforcement. While these take-downs are generally digital perp walks meant to remind the public that agents are doing their job, we have to ask, are they actually solving the problem?
Moreover, does the Darknet, specifically Tor, really matter in the grand scheme of things? No. Darknet marketplaces only provide a layer of protection. In fact, most of the items you find listed on any given Darknet marketplace can also be found on normal Clearnet markets and forums. In reality, Darknet take-downs have only a temporary impact and do not prevent overall illicit activity.
For example, when you look at the sale of stolen data online you will find several major vendors that have sold databases throughout a variety of darknet marketplaces over the years. But databases containing PII and credentials are also sold on well-known Clearnet sites like Exploit, which is indexed by major search engines and has not been taken down to this day.
When you look at attack services such as DDoS-as-a-Service, you will find that it was never a major player in Darknet marketplaces, but during the rise of Mirai, a few vendors were found offering attack services with the newly publicized botnet. While vendors never fully adopted the use of hidden services, a few vendors sell overpriced DDoS services on Darknet marketplaces today. This is because most of the bot herders own and operate stresser services on Clearnet websites.
While Operation Power Off, a series of take-downs targeting the DDoS-as-a-Service industry, has been a major success in limiting the number of DDoS attacks, the powerful and customizable source code for IoT botnets like Mirai is still highly available. Because of this, the DDoS-as-a-Service market has become so oversaturated that you can find entry-level vendors selling botnet spots with low bot counts on Instagram.
More users with source code, more problems, no matter how many stresser services are taken down.
A Growing Criminal Landscape
In all, the digital marketplace, on both the Clearnet and the Darknet, has allowed the criminal landscape to grow beyond street dealers with limited options to include several new ways to make a profit without actually touching the products or services offered.
At the beginning of May, DeepDotWeb, a Clearnet site that listed current Darknet marketplaces and covered news related to the Darknet, was raided and seized by law enforcement for referral linking. Most recently, news just broke that BestMixer, a multi-million-dollar cryptocurrency tumbler used to launder cryptocurrency, was also raided.
As the tactics and techniques change, new avenues of profit will always open up.
At this point, it’s clear the landscape has changed dramatically over the last decade, and law enforcement is targeting the new ecosystem—but with limited success, in my opinion. Like low-level hackers, law enforcement is going for the low hanging fruit, and while it provides for great headlines and temporary impacts, it doesn’t truly solve anything and only creates more problems down range.
I’ll leave you with an article titled, Libertas Market is Available Via I2P.
The use of hidden services (Tor) is only the beginning of the digital underground marketplace. Admins and vendors will continue to seek different methods to avoid law enforcement as long as demand and profits are high.
In other words, don’t fall into a false sense of security; the Darknet isn’t going anywhere anytime soon.
Download “Hackers Almanac” to learn more.
Often, I find that only a handful of organizations have a complete understanding of where they stand in today’s threat landscape. That’s a problem. If your organization does not have the ability to identify its assets, threats, and vulnerabilities accurately, you’re going to have a bad time.
A lack of visibility prevents both IT and security administrators from accurately determining their actual exposure and limits their ability to address their most significant risks on premises. However, moving computing workloads to a publicly hosted cloud service exposes organizations to new risks: they lose direct physical control over their workloads and relinquish many aspects of security under the shared responsibility model.
Cloud-y With a Chance of Risk
Don’t get me wrong; cloud environments make it very easy for companies to quickly scale by allowing them to spin up new resources for their user base instantly. While this helps organizations decrease their overall time to market and streamline business processes, it also makes it very difficult to track user permissions and manage resources.
As many companies have discovered over the years, migrating workloads to a cloud-native solution presents new challenges when it comes to risk and threats in that environment.
Traditionally, computing workloads resided within the organization’s data centers, where they were protected against insider threats. Application protection was focused primarily on perimeter protections via mechanisms such as firewalls, intrusion prevention/detection systems (IPS/IDS), web application firewall (WAF) and distributed denial-of-service (DDoS) protection, secure web gateways (SWGs), etc.
However, moving workloads to the cloud has presented new risks for organizations. Typically, public clouds provide only basic protections and are mainly focused on securing their overall computing environments, leaving individual and organizational workloads vulnerable. Because of this, deployed cloud environments are at risk not only of account compromises and data breaches, but also of resource exploitation due to misconfigurations, lack of visibility or user error.
The typical attack profile includes:
- Spear phishing employees
- Compromised credentials
- Misconfigurations and excessive permissions
- Privilege escalation
- Data exfiltration
The complexity and growing risk of cloud environments are placing more responsibility for writing and testing secure apps on developers as well. While most are not cloud-oriented security experts, there are many things we can do to help them and contribute to a better security posture.
Recent examples of attacks include:
- A Tesla developer uploaded code to GitHub which contained plain-text AWS API keys. As a result, hackers were able to compromise Tesla’s AWS account and use Tesla’s resources for crypto-mining.
- js published an npm code package in their code release containing access keys to their S3 storage buckets.
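Both incidents above start with a credential sitting in plain text inside a commit. The following is an added example, not code from the original post, from Radware or from either project named: a scanner of the kind that runs as a pre-commit hook, matching the AWS access key ID format (AKIA or ASIA followed by 16 characters) and a 40-character value next to a "secret" setting, with a Shannon-entropy check so that placeholders do not trigger it. The sample file is constructed; the two key values in it are the ones AWS documentation uses as examples.

```python
"""Scan text about to be committed for AWS credentials left in plain text.

Added example, not from the original article or from any project it names.
It looks for the AWS access key ID format (AKIA/ASIA + 16 characters) and
for a 40-character secret next to a "secret" setting, using Shannon entropy
to drop placeholders. The sample file is constructed; the key values are the
ones AWS documentation uses as examples.
"""
import math
import re

# Access key IDs: long-term keys start with AKIA, temporary ones with ASIA.
ACCESS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# A 40-character base64-style value within 40 characters of the word "secret".
SECRET_RE = re.compile(r"(?i)secret[^\n]{0,40}?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")
MIN_SECRET_ENTROPY = 3.5  # bits per character; real secrets sit around 4.5-5

# Constructed settings file of the kind that gets committed by mistake.
SAMPLE_FILE = "\n".join([
    "# constructed settings file (key values are AWS documentation examples)",
    "region = us-east-1",
    "aws_access_key_id = AKIAIOSFODNN7EXAMPLE",
    "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "secret_placeholder = " + "0" * 40,
])


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 0.0 for a string of one repeated character."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum((c / len(s)) * math.log2(c / len(s)) for c in counts.values())


def redact(value: str) -> str:
    """Keep enough of a hit to locate it without re-printing the credential."""
    return value[:4] + "..." + value[-2:]


def scan_text(text: str) -> list:
    """Return one finding per credential-looking value, with its 1-based line number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            findings.append({"line": lineno, "kind": "aws_access_key_id",
                             "preview": redact(m.group(0))})
        for m in SECRET_RE.finditer(line):
            candidate = m.group(1)
            # Placeholders like all-zeros match the shape but not the entropy.
            if shannon_entropy(candidate) >= MIN_SECRET_ENTROPY:
                findings.append({"line": lineno, "kind": "aws_secret_access_key",
                                 "preview": redact(candidate)})
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_FILE):
        print(f"line {f['line']}: {f['kind']} {f['preview']}")
```

A hook like this catches the easy case before the push; it does not replace rotating a key that has already reached a public repository, since clones and forks keep the history.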
The good news is that most of these attacks can be prevented by addressing software vulnerabilities, finding misconfigurations and deploying identity access management through a workload protection service.
With this in mind, your cloud workload protection solution should:
- Detect publicly exposed assets
- Identify excessive and unused permissions
- Harden security configurations
- Secure APIs
- Uncover data theft attempts
- Automate cloud security functions
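The second item on that list, identifying excessive and unused permissions, comes down to comparing what a policy grants with what the identity has actually exercised. The following is an added example, not code from the original post or from Radware, and not a vendor product: it flattens a constructed IAM-style policy into action patterns, derives "service:Action" names from constructed CloudTrail-style records (reduced to the eventSource and eventName fields), and reports grants that were never used, wildcard grants, and the least-privilege action list the observed usage supports. The assumption that the IAM service prefix equals the first label of eventSource holds for the services used here but not for all of them.

```python
"""Compare what an IAM policy grants with what the identity actually used.

Added example, not from the original article or any vendor product. The
policy and the CloudTrail-style events are constructed; the event format is
reduced to the two fields the comparison needs (eventSource, eventName).
"""
import fnmatch

# Constructed policy: a service-wide wildcard plus three explicit EC2 actions.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["ec2:DescribeInstances", "ec2:RunInstances", "ec2:TerminateInstances"],
         "Resource": "*"},
    ],
}

# Constructed usage records, shaped like the relevant CloudTrail fields.
EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
]


def granted_patterns(policy: dict) -> list:
    """Flatten every Allow statement into a list of action patterns."""
    patterns = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access; ignore them here
        actions = stmt["Action"]
        patterns.extend([actions] if isinstance(actions, str) else actions)
    return patterns


def observed_actions(events: list) -> set:
    """Turn (eventSource, eventName) pairs into IAM-style 'service:Action' names.

    Assumption: the service prefix equals the first label of eventSource. That
    holds for s3 and ec2 but not for every service (CloudWatch logs as
    monitoring.amazonaws.com), so a real tool needs a mapping table here.
    """
    return {f"{e['eventSource'].split('.')[0]}:{e['eventName']}" for e in events}


def matches(pattern: str, action: str) -> bool:
    """IAM action matching is case-insensitive and supports * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def review(policy: dict, events: list) -> dict:
    """Report unused grants, wildcard grants, and a least-privilege action list."""
    used = observed_actions(events)
    unused, wildcards = [], []
    for pattern in granted_patterns(policy):
        if "*" in pattern or "?" in pattern:
            wildcards.append(pattern)
        if not any(matches(pattern, a) for a in used):
            unused.append(pattern)
    return {
        "unused": sorted(unused),
        "wildcards": sorted(wildcards),
        "suggested_actions": sorted(used),
    }


if __name__ == "__main__":
    result = review(POLICY, EVENTS)
    print("never exercised:", result["unused"])
    print("wildcard grants:", result["wildcards"])
    print("least-privilege Action list:", result["suggested_actions"])
```

In the sample, s3:* is never "unused" because two S3 calls were seen, which is exactly why the wildcard check is reported separately: the grant covers the whole service while the workload needs two actions.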
There are many blind spots involved in today’s large-scale cloud environments. The right cloud workload protection reduces the attack surface, detects data theft activity and provides comprehensive protection in a cloud-native solution.
As the trend around cybercriminals targeting operational technologies continues, it’s critical to reduce organizational risk by rigorously enforcing protection policies, detecting malicious activity and improving response capabilities while providing insurance to the developers.
Read “The Trust Factor: Cybersecurity’s Role in Sustaining Business Momentum” to learn more.
Where does the attack landscape lead us into 2020? No one knows for sure, but strong indicators help Radware build logic chains to better forecast where the state of network security is heading in the future. Last year alone, the initial attributable cost of cyberattacks increased by 52% and 93% of those surveyed in our 2018-2019 Global Application and Network Security report experienced a cyberattack over the previous 12 months.
Let’s face it, today you stand a better chance of mitigating an attack if you understand your risks and the threats you may suffer due to your exposure. Once you begin to understand your enemies’ tactics, techniques, and procedures (TTPs), you can then begin to understand your enemies’ intentions and ability to disrupt your network. This is a good thing. Once you understand the basics, you can then begin to forecast attacks, allowing operators time to prepare to identify and mitigate malicious activity.
Preparing for the next generation of cyber attacks has become the new norm and requires organizations to stay ahead of the threat landscape. Radware’s Hackers Almanac is designed to help do exactly that by generating awareness about current TTPs used by cyber criminals. In the Hackers Almanac, we cover two main topics: Groups and Tools.
Clear and Present Dangers
In the Groups section, we cover APTs, Organized Crime, Extortionists, DDoS’ers, Political and Patriotic Hackers, as well as Malicious Insiders. In the Tools section, we cover ransomware variants, exploit kits, Trojans and botnets, as well as consumer tools and other persistent threats that can be expected on an annual basis.
While these threats constitute a clear and present danger to most if not all networks, knowledge is power, and the first step to securing your network starts with surveying and auditing. Ensure that your system is up to date and adequately patched. The second step is getting in front of the problem by studying cyber criminals, the way they operate and how they launch their attacks. By understanding your network and its limitations and how hackers launch attacks, your organization can better prepare for attack vectors commonly leveraged by different threats targeting your network.
There is no need to fight every battle at the end of the day when you can learn from those around you. Before securing your network, make sure to conduct an audit of your organization’s system and understand its vulnerabilities/weaknesses. Then, leverage this almanac to study the threats posed against your organization.
Download “Hackers Almanac” to learn more.
Let’s play a game. Below are clues describing a specific type of cyberattack; can you guess what it is?
- This cyberattack is an automated bot-based attack
- It uses automation tools such as cURL and PhantomJS
- It leverages breached usernames and passwords
- Its primary goal is to hijack accounts to access sensitive data, but denial of service is another consequence
- The financial services industry has been the primary target
Struggling? We understand, it’s tricky! Here are two more clues:
- Hackers will often route login requests through proxy servers to avoid blacklisting their IP addresses
- It is a subset of Brute Force attacks, but different from credential cracking
And the Answer Is….
Credential stuffing! If you didn’t guess correctly, don’t worry. You certainly aren’t alone. At this year’s RSA Conference, Radware invited attendees to participate in a #HackerChallenge. Participants were given clues and asked to diagnose threats. While most were able to surmise two other cyber threats, credential stuffing stumped the majority.
Understandably so. For one, events are happening at a breakneck pace. In the last few months alone, there have been several high-profile attacks leveraging different password attacks, from credential stuffing to credential spraying. It’s entirely possible that people are conflating the terms and thus the attack vectors. Likewise, they may also confuse credential stuffing with credential cracking.
Stuffing vs. Cracking vs. Spraying
As we’ve previously written, credential stuffing is a subset of brute force attacks but is different from credential cracking. Credential stuffing campaigns do not involve the process of brute forcing password combinations. Rather, they leverage leaked usernames and passwords in an automated fashion against numerous websites to take over users’ accounts due to credential reuse.
Conversely, credential cracking attacks are automated web attacks wherein criminals attempt to crack users’ passwords or PINs by processing through all possible combinations of characters in sequence. These attacks are only possible when applications do not have a lockout policy for failed login attempts. Software for this attack will attempt to crack the user’s password by mutating or brute forcing values until the attacker is successfully authenticated.
As for credential (or password) spraying, this technique involves using a limited set of company-specific passwords in attempted logins for known usernames. When conducting these types of attacks, advanced cybercriminals will typically scan your infrastructure for external facing apps and network services such as webmail, SSO and VPN gateways. Usually, these interfaces have strict timeout features. Actors will use password spraying vs. brute force attacks to avoid being timed out and possibly alerting admins.
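The three techniques leave different footprints in an authentication log: stuffing is one attempt per account across many accounts, cracking is many attempts against one account, and spraying is a few attempts per account across many accounts. The following is an added example, not code from the original post or from Radware, that profiles a constructed log by source address and applies those heuristics; the log format, the TEST-NET addresses and the thresholds are all constructed for the sample. Because it keys on source IP, the proxy rotation mentioned above weakens it, so a production version would also key on a session or device fingerprint.

```python
"""Tell credential stuffing, cracking and spraying apart in authentication logs.

Added example, not from the original article. The log format and the
addresses (TEST-NET ranges) are constructed; the thresholds are heuristics
chosen for the sample, not values from the post.
"""
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def make_sample_log() -> list:
    """Constructed log: one source per attack pattern plus an ordinary user."""
    lines = []
    t = 0

    def add(src, user, result):
        nonlocal t
        t += 1
        lines.append(f"2019-05-01T10:{t // 60:02d}:{t % 60:02d}Z login "
                     f"src={src} user={user} result={result}")

    # Stuffing: thirty different leaked pairs, one try each, a couple succeed.
    for i in range(30):
        add("198.51.100.7", f"user{i:02d}", "OK" if i in (4, 17) else "FAIL")
    # Cracking: one account, many guesses; a lockout policy would have stopped this.
    for _ in range(40):
        add("203.0.113.9", "admin", "FAIL")
    # Spraying: a handful of passwords tried against every known username.
    for i in range(15):
        for _ in range(3):
            add("203.0.113.42", f"staff{i:02d}", "FAIL")
    # Ordinary user mistyping once.
    add("192.0.2.5", "alice", "FAIL")
    add("192.0.2.5", "alice", "OK")
    return lines


def parse(lines) -> list:
    """Keep only lines in the expected format, as dicts of their fields."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def profile_sources(events) -> dict:
    """Per source: attempts, failures, attempts per user, longest failure run per user."""
    profiles = defaultdict(lambda: {"attempts": 0, "failures": 0,
                                    "users": Counter(), "max_fail_run": 0})
    run = defaultdict(int)  # consecutive failures per (src, user)
    for e in events:
        p = profiles[e["src"]]
        p["attempts"] += 1
        p["users"][e["user"]] += 1
        key = (e["src"], e["user"])
        if e["result"] == "FAIL":
            p["failures"] += 1
            run[key] += 1
            p["max_fail_run"] = max(p["max_fail_run"], run[key])
        else:
            run[key] = 0
    return profiles


def classify(profile, min_attempts=10, min_fail_ratio=0.5) -> str:
    """Heuristic label for one source's login behaviour."""
    attempts, failures = profile["attempts"], profile["failures"]
    if attempts < min_attempts or failures / attempts < min_fail_ratio:
        return "normal"
    n_users = len(profile["users"])
    per_user = attempts / n_users
    if n_users == 1 or per_user >= 10:
        return "credential cracking"  # many guesses, few accounts
    if per_user <= 1.5:
        return "credential stuffing"  # one leaked pair per account
    return "password spraying"        # a few passwords across many accounts


def detect(lines) -> dict:
    """Map each source address to its classification."""
    return {src: classify(p) for src, p in profile_sources(parse(lines)).items()}


if __name__ == "__main__":
    for src, label in detect(make_sample_log()).items():
        print(f"{src:15} {label}")
```

The max_fail_run field shows where a lockout policy would have intervened: the cracking source reaches forty consecutive failures on one account, while the spraying source never exceeds three per account, which is exactly why spraying is chosen to stay under lockout thresholds.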
So What Can You Do?
In addition to these steps, network operators should apply two-factor authentication where eligible and monitor credential dumps for potential leaks or threats.
Read “Radware’s 2018 Web Application Security Report” to learn more.
In our industry, the term bot applies to software applications designed to perform an automated task at a high rate of speed. Typically, I use bots at Radware to aggregate data for intelligence feeds or to automate a repetitive task. I also spend a vast majority of time researching and tracking emerging bots that were designed and deployed in the wild with bad intentions.
As I’ve previously discussed, there are generally two different types of bots, good and bad. Some of the good bots include Search Bots, Crawlers and Feed Fetchers that are designed to locate and index your website appropriately so it can become visible online. Without the aid of these bots, most small and medium-sized businesses wouldn’t be able to establish an authority online and attract visitors to their site.
On the dark side, criminals use the same technology to create bots for illicit and profitable activities such as scraping content from one website and selling it to another. These malicious bots can also be leveraged to take over accounts and generate fake reviews as well as commit Ad Fraud and stress your web applications. Malicious bots have even been used to create fake social media accounts and influence elections.
With close to half of all internet traffic today being non-human, bad bots represent a significant risk for businesses, regardless of industry or channel.
As the saying goes, this is why we can’t have nice things.
If a malicious bot targets an online business, it will be impacted in one way or another when it comes to website performance, sales conversions, competitive advantages, analytics or user experience. The good news is organizations can take action against bot activity in real-time, but first, they need to understand their own risk before considering a solution.
- E-Commerce – The e-commerce industry faces bot attacks that include account takeovers, scraping, inventory exhaustion, scalping, carding, skewed analytics, application DoS, Ad fraud, and account creation.
- Media – Digital publishers are vulnerable to automated attacks such as Ad fraud, scraping, skewed analytics, and form spam.
- Travel – The travel industry mainly deals with scraping attacks but can suffer from inventory exhaustion, carding and application DoS as well.
- Social Networks – Social platforms deal with automated bot attacks such as account takeovers, account creation, and application DoS.
- Ad Networks – Bots that create Sophisticated Invalid Traffic (SIVT) target ad networks for Ad fraud activity such as fraudulent clicks and impression performance.
- Financial Institutions – Banking, financial and insurance industries are all high-value targets for bots that leverage account takeovers, application DoS or content scraping.
Types of Application Attacks
It’s becoming increasingly difficult for conventional security solutions to track and report on sophisticated bots that are continuously changing their behavior, obfuscating their identity and utilizing different attack vectors for various industries. Once you begin to understand the risk posed by malicious automated bots, you can then start to focus on the attack vectors you may face as a result of their activity.
- Account takeover – Account takeovers include credential stuffing, password spraying, and brute force attacks that are used to gain unauthorized access to a targeted account. Credential stuffing and password spraying are two popular techniques used today. Once hackers gain access to an account, they can begin additional stages of infection, data exfiltration or fraud.
- Scraping – Scraping is the process of extracting data or information from a website and publishing it elsewhere. Content, price and inventory scraping is also used to gain a competitive advantage. These scrape bots crawl your web pages for specific information about your products. Typically, scrapers steal the entire content from websites or mobile applications and publish it to gain traffic.
- Inventory exhaustion – Inventory exhaustion is when a bot is used to add hundreds of items to a cart and later, abandon them to prevent real shoppers from buying the products.
- Inventory scalping – Hackers deploy retail bots to gain an advantage to buy goods and tickets during a flash sale, and then resell them later at a much higher price.
- Carding – Carders deploy bots on checkout pages to validate stolen-card-details, and to crack gift cards.
- Skewed analytics – Automated invalid traffic directed at your e-commerce portal can skews metrics and misleads decision making when applied to advertisement budgets and other business decisions. Bots pollute metrics, disrupt funnel analysis, and inhibit KPI tracking.
- Application DoS – Application DoS attacks slow down e-commerce portals by exhausting web servers resources, 3rd party APIs, inventory database and other critical resources to the point that they are unavailable for legitimate users.
- Ad fraud – Bad bots are used to generate Invalid traffic designed to create false impressions and generate illegitimate clicks on websites and mobile apps.
- Account creation – Bots are used to create fake accounts on a massive scale for content spamming, SEO and skewing analytics.
Symptoms of a Bot Attack
- A high number of failed login attempts
- Increased chargebacks and transaction disputes
- Consecutive login attempts with different credentials from the same HTTP client
- Unusual request activity for selected application content and data
- Unexpected changes in website performance and metrics
- A sudden increase in account creation rate
- Elevated traffic for certain limited-availability goods or services
Intelligence is the Solution
Finding a solution that arms partners and service providers with the latest information on potential attacks is critical. In my opinion, a Bot Intelligence Feed is one of the best ways to gain insight into the threats you face while identifying malicious bots in real time.
A Bot Intelligence Feed provides the latest data on newly detected IPs across bot categories such as data center bots, bad user agents, advanced persistent bots, backlink checkers, monitoring bots, aggregators, social network bots and spam bots, along with third-party fraud intelligence directories and services that track externally flagged IPs. Together, this gives organizations the best chance to proactively close security holes and act against emerging threat vectors.
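How such a feed is actually consumed is worth spelling out, because the categories above do not all warrant the same response. The following is an added example, not code from the original post or from Radware's feed: it builds a lookup over a constructed feed of network ranges (the JSON-like entry shape, the example networks and the third-party fraud directory are all assumptions) plus a constructed list of bad User-Agent signatures, categorizes a request, and maps the categories onto a block/challenge/allow decision.

```python
import ipaddress

# Constructed feed entries (not a real Radware or third-party feed). Each entry
# maps a network to one bot category; the category names mirror the post.
BOT_FEED = [
    {"network": "203.0.113.0/24", "category": "data_center_bot"},
    {"network": "198.51.100.0/25", "category": "spam_bot"},
    {"network": "198.51.100.64/26", "category": "advanced_persistent_bot"},
    {"network": "192.0.2.8/29", "category": "monitoring_bot"},
    {"network": "192.0.2.16/28", "category": "aggregator"},
]

# Constructed third-party fraud directory of externally flagged single IPs.
FRAUD_DIRECTORY = ["198.51.100.200", "192.0.2.77"]

# Constructed User-Agent substrings standing in for the feed's "bad user-agent" list.
BAD_USER_AGENTS = ["ExampleScraperBot/", "ExampleCredStuffer/"]

# Policy (an assumption for the demo): outright abuse categories are blocked,
# data center ranges are challenged because they also carry legitimate VPN and
# corporate proxy traffic, and known-good crawlers are allowed.
BLOCK = {"spam_bot", "advanced_persistent_bot", "bad_user_agent", "externally_flagged"}
CHALLENGE = {"data_center_bot"}
VERIFIED_GOOD = {"monitoring_bot", "aggregator", "backlink_checker", "social_network_bot"}


def build_index(feed=BOT_FEED, fraud_directory=FRAUD_DIRECTORY):
    """Parse feed networks once; externally flagged IPs become /32 entries."""
    index = [(ipaddress.ip_network(e["network"]), e["category"]) for e in feed]
    index += [(ipaddress.ip_network(ip), "externally_flagged") for ip in fraud_directory]
    return index


def categorize(ip_str, index, user_agent=""):
    """Return every category that applies to a request (ranges may overlap)."""
    ip = ipaddress.ip_address(ip_str)
    cats = {cat for net, cat in index if ip in net}
    if any(sig in user_agent for sig in BAD_USER_AGENTS):
        cats.add("bad_user_agent")
    return cats


def decide(categories):
    """Most severe matching policy wins; unknown clients are allowed."""
    if categories & BLOCK:
        return "block"
    if categories & CHALLENGE:
        return "challenge"
    return "allow"


def evaluate(requests, index):
    """Apply the feed to (ip, user_agent) pairs; returns a decision per request."""
    return [(ip, decide(categorize(ip, index, ua))) for ip, ua in requests]


if __name__ == "__main__":
    idx = build_index()
    sample = [("203.0.113.5", "Mozilla/5.0"),             # data center range
              ("198.51.100.70", "Mozilla/5.0"),           # two overlapping ranges
              ("198.51.100.200", "Mozilla/5.0"),          # externally flagged
              ("192.0.2.9", "ExampleMonitor/2.0"),        # known-good monitor
              ("192.0.2.100", "ExampleScraperBot/1.0"),   # clean IP, bad UA
              ("192.0.2.101", "Mozilla/5.0")]             # unknown client
    for ip, verdict in evaluate(sample, idx):
        print(f"{ip:15} -> {verdict}")
```

A linear scan over the index is fine for a feed of a few thousand ranges; for a production-sized feed you would move to a prefix tree or push the ranges into the WAF or CDN as a reputation list, but the categorize-then-decide split stays the same, and it is the decision table, not the lookup, that needs to be reviewed when the feed adds a new category.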
Read “Radware’s 2018 Web Application Security Report” to learn more.
Over the last few years I have traveled around the world, researching and watching stadiums digitally evolve from the structures I once knew as a kid. I grew up watching the San Diego Chargers play in what was then called Jack Murphy Stadium and now find myself looking at stadiums from a totally different perspective.
As Super Bowl 53 approaches, my attention, along with Radware’s ERT, turns to the crowds and the target-rich environments created by high-profile sporting events. This Super Bowl, like those before it, will once again bring large crowds that demand connectivity and are expected to consume record-breaking data volumes. Extreme Networks reported that last year’s attendees at Super Bowl 52 in Minnesota transferred 16.32 Terabytes of data with a peak rate of 7.867 Gbps! This is an enormous demand for connectivity, and the technology involved could pose a security risk for event organizers, partners, sponsors and attendees as their activities in the stadium produce more of the new digital oil: data.
A Seamless Digital Game Day Experience
There are few sporting events in the world as large as the Super Bowl. Last year there were an estimated 103 million viewers. The Super Bowl generates a lot of excitement from media, fans and the public. Beyond the hype of the game itself, there is a variety of multimedia technology available to fans, providing a more immersive and interactive experience. These experiences include Super Bowl Live, a 6-day series of concerts and events in Centennial Olympic Park in Downtown Atlanta, and the Super Bowl Experience, an 8-day event full of exhibits and interactive games inside the Georgia World Congress Center. Other events include the Verizon Experience, which will showcase how 5G wireless technology will change the fan experience in stadiums going forward (something I’m personally looking forward to seeing).
To ensure Super Bowl attendees have a seamless digital experience, the NFL, Georgia World Congress Center, AMB Sports and Entertainment Group, and leading wireless carriers have made major investments in the construction and deployment of the networks surrounding the stadium, in order to maintain a high quality of service for attendees and vendors at the Super Bowl. The stadium provides 15,000 Ethernet ports, 1,800 access points and a Distributed Antenna System (DAS) for enhanced cellular coverage. The DAS is owned by the stadium and rented out to the four major US cellular carriers for additional coverage. The stadium’s Wi-Fi is provided by AT&T and consists of two redundant 40 Gb connections. The stadium also contains 2,000 IPTVs for delivering game content provided by AT&T’s DirecTV. These features and this network help ensure fans can watch, eat, share, download and communicate their game day experience with others.
When it comes to planning for the future, the stadium has pulled its fiber optics as close to the access points as possible, terminating in mini intermediate distribution frames (IDFs) throughout the stadium. The network gear is from Aruba and Hewlett Packard Enterprise, while others involved with the network include IBM, Corning and ThinkAmp. Recently, IBM and Corning built one of the more technologically advanced stadiums, with a blazing fast network, for Texas A&M.
What’s more, Mercedes-Benz Stadium also promotes a mobile app. While this app is not as cutting edge as the one for Levi’s Stadium, for example, it does include information about the stadium, news and scores, as well as viewing, buying and transferring tickets and parking.
Assessing The Risks
There is always potential risk at large sporting events like the Super Bowl. Even the smallest network outage could leave attendees unable to use their digital tickets to enter the game. Organizations such as the NFL, the Patriots, the Rams, Georgia World Congress Center, AMB Sports and Entertainment Group, the wireless carriers, IBM Cloud, the AT&T network and media outlets, as well as those considered partners, sponsors or supporters of Super Bowl 53, should take extra precautions and have an emergency plan in place.
For the Super Bowl, most cybercriminals will be focused on identity and financial theft in the days leading up to the game. These attacks will often be baited with promotions for Super Bowl tickets or a trip giveaway to Atlanta.
Another concern at the Super Bowl is protecting the critical applications and networks that support the events, hosted both locally and in the cloud. Broadcast networks, industrial control systems, civil-service networks and other related systems are all at risk as well. While there hasn’t been a recent attack of scale reported against the Super Bowl, last year we did witness a piece of malware named Olympic Destroyer that targeted and disrupted the opening ceremonies and entry into the 2018 Winter Olympics.
Indeed, major sporting events create a platform for cybercrime, though recently most cybercriminals have been focused on identity theft, spreading malicious software designed to harvest and steal personal information through a variety of channels. Today’s high-density (HD) stadiums, theaters, arenas and amphitheaters require small cells, Wi-Fi and DAS deployments to serve their demanding environment. Often, the technologies designed to enhance the spectators’ experience, such as Wi-Fi, Bluetooth and other digital services, are easily exploited to harvest information from attendees.
Technology can provide a more immersive and rewarding experience for fans, but it also creates problems and security risks for those managing the event. Here are a few tips to consider if you’ll be joining me in the chaos next weekend in Atlanta for Super Bowl 53.
- Charge your phone; you’re going to need that power to capture the experience
- Ensure your phone is updated with the latest operating system
- Disable Bluetooth when not in use
- Disable Wi-Fi when not in use
- Use the official event Wi-Fi, ‘attwifi’, when your device is in use (there will be no portal or advertisements; just join to connect)
- Always use a VPN when using public Wi-Fi
- Be careful when using ATMs – Understand how to spot and avoid card skimmers gathering card data.
- Exercise caution when presented with pop-ups while browsing
- Avoid NFL-related scams delivered via email.