With the Super Bowl and NBA All-Star weekend behind us, March Madness is nearly upon us. I’m sure most of us know about March Madness, which is the nickname for the National Collegiate Athletic Association’s (NCAA) Division I men’s and women’s college basketball tournaments.
Emotions run high around this tournament, as millions of people across America fill out March Madness “brackets” with the hope of predicting the Final Four as 67 games are played over a 3-week period in March and April. I’m a life-long March Madness fan and I absolutely understand the excitement it generates. I even did my college Honors paper on inter-collegiate athletics (men’s football and basketball), how their teams performed, how far they got in tournaments and how that correlated with alumni contributions to the school. I won’t bore you with the findings here, but you won’t be surprised that money flowed in based on results relative to expectations; such is the very personal connection that sporting success generates.
Why March Madness ticket sales are targeted
However, fast forward to the present day and what we find is that, as with many other major sporting events, the excitement and enormous interest don’t stop with fans and businesses; the tournament is also on the radar of many threat actors. Ticket sales for these games represent prime pickings and provide the perfect opportunity for adversaries because they are:
High value – Tickets are expensive, and it is not unusual for fans to buy groups of tickets to go to events together. Therefore, it doesn’t raise suspicion when a high-dollar figure purchase is made by a threat actor.
Controlled through official channels – Meaning fans who don’t want to purchase the “Official Ticketmaster NCAA Experience Package” are incentivised to look elsewhere for tickets, which gives fraudsters the perfect opportunity for scams.
Time-critical – Fans rush to buy tickets last-minute as teams go through to the next round. This urgency creates chaos and makes it easier for adversaries to hide in plain sight.
An emotional purchase – As already mentioned, emotions run high, meaning that some of the standard security protocols and learnings about security go out the window in the rush to get many sought-after tickets.
All the above means that pressure on security teams intensifies as they struggle to keep pace, especially when so many purchases happen in a flood once the brackets are set and then when results are known.
Attacks are becoming more sophisticated
Defending the Super Bowl and other high-profile sporting events from adversarial attacks that potentially include weaponized AI, endpoint attacks, deepfakes, and finely tuned social engineering skills requires a mix of experienced capabilities and a solid threat intelligence program. Taking Super Bowl Sunday as an example, the day saw a 57% rise in malicious gambling and betting content. There was also a 15% increase in illegal streaming and torrenting traffic related to fake streaming sites during the championship weekend compared to the previous average recorded between May and December, indicating an escalating risk of security issues tied to these big events.
Another example is the Paris 2024 Olympics and Paralympics. The SOC team recognized how important it is to really understand the threat landscape and what you can expect in terms of threats and attacks. There will of course be some known paths for hackers to exploit, but there will also be areas that are unknown or unexpected and this is where collective knowledge sharing is so important.
To understand potential attack paths, the Olympic SOC team looked at past games to identify who attacked these events and how they did it. Once this analysis had been undertaken, the priority was to determine how the cybersecurity posture and approach might be adapted given this context. This is where arming the team with actionable insights is so important. This includes trying to understand the modus operandi (MO) of the threat actors: who is trying to attack you, do you know their last movements, what facts can you arm the SOC team with to protect against these sorts of attacks?
Working as a collective
I can’t emphasise enough the importance of sharing this threat intelligence and letting others know what you have found, working as a collective to share intelligence between specific companies. What are the timings and methods of attacks, and which part of the tournament do hackers and fraudsters attack most? It wouldn’t be unreasonable to think that the Final Four is where efforts are targeted, but threat actors and fraudsters don’t attend the matches; they are in it for maximum monetizable ROI, and this starts right from the earliest games where there are many more excited – and therefore vulnerable – fans to target. Only by sharing intelligence will we uncover their techniques, tactics, motivations and more. This is one of the reasons why we set up our ThreatQ Community, which now boasts more than 500 experienced cyber security professionals sharing intel to level up threat detection and response.
It is important to not only be open-minded about where an attack might happen but to also remember there is an individual aspect to this tournament as well as a business aspect. Individuals desperate to get tickets and support their teams might be accessing questionable sites via their corporate devices, potentially exposing the business to malicious activities.
As well as being alert and proactive before and during major events, it is equally important to undertake a thorough post-event analysis and assimilate the lessons learned, looking back with a critical eye on what happened. What were the trends? What types of attacks did fans, businesses and ticketing companies face?
Be vigilant
It’s hard to recognize some of the risks and scams out there; threat actors are so innovative and creative about increasing their reach and refining the techniques they utilize for attacks. My advice is to be vigilant. Of course, ticketing companies need to be extra thorough during this time, but I would say that we all have a duty as individuals to tell our family and friends if we experience an attack or any form of scam. The more widely we spread the word, the better armed we will all be to recognize that what, on the face of it, looks like a great deal is too good to be true. And remember, you can’t afford to be complacent, because I guarantee the cybercriminals will be ready to take advantage during March Madness.