Protection tips for the upcoming FIFA World Cup themed cybercrime campaigns

With just four days until the FIFA World Cup begins, cybercriminals have already started showing their interest in taking advantage of the event. Considering that, these threats and exploitation tactics prone to intensify throughout the entire event, let's review some of the most commonly used attack vectors, and discuss the risk mitigation strategies for each and every one of them.

With just four days until the FIFA World Cup begins, cybercriminals have already started showing their interest in taking advantage of the event, by launching targeted malicious PDFs/malware serving campaigns, blackhat SEO and fraudulent propositions, followed by lottery winning notifications/letters of claim themed scams.

Considering that, these threats and exploitation tactics are prone to intensify throughout the entire event, let's review some of the most commonly used attack vectors, and discuss the risk mitigation strategies for each and every one of them.

The threats and the fraudulent schemes

The following list doesn't aims to achieve conclusiveness, instead it would discuss the most prevalent threats based on the historical "performance" of malicious attackers, and scammers in general.
  • Targeted malware attacks serving client-side exploits -The combination of a recently announced zero day flaw affecting Adobe's most popular products, and the global proportions of the FIFA World Cup, clearly offer a malicious attacker the opportunity to capitalize on the event. According to Symantec, based on the campaigns analyzed since April, malicious PDFs continue representing the highest percentage of malicious attachments - .pdf 41%.exe 18%.doc 14%.xls 7%.scr  4%.ppt 1%. Their findings confirm the findings from a related report, indicating that outdated Adobe flaws for which patches are available, represented 80% of all exploits for 2009. What's driving the success of these malicious campaigns? With or without the recent Adobe zero day, the malicious attackers have realized that just because a patch is available, it doesn't necessarily mean that hundreds of thousands of Internet users are patching themselves. And they should.
  • 419/Lottery Scams - According to the 2009's IC3 Internet Crime Report, advance fee fraud represented 9.8% of all complaints. The percentage is naturally much higher due to the unknown number of people that didn't report the fraud. Largely underestimated as a serious threat, lottery scams usually cost a small fortune to the affected victim. And due to their targeted nature -- the majority are sent manually and usually originate from Africa based IPs -- the scammers often succeed in tricking the gullible user. Once the user, now victim, is hooked, the "Winning Notification" slowly transforms into a advance fee based fraud, where in order to obtain the millions that you never really won, you would need to send back a decent amount of money. Don't.
  • Blackhat SEO (Search Engine Optimization) campaigns serving scareware - Blackhat SEO, involves the process of on purposely hijacking trending buzz story across the web, in order to capitalize on the hijacked traffic by serving client-side exploits, or most commonly scareware. There's a common misunderstanding regarding blackhat SEO campaigns these days, with a large number of users thinking that a cybercriminal is manually monitoring these trending topics in order to hijack them. Which is not true, since the process is semi-automatic, in fact on the majority of occasions they aren't even aware that they're targeting a particular topic.
  • Spamvertised fraudulent offers, phishing attempts - According to the 2009's IC3 Internet Crime Report, non-delivery of merchandise and/or payment represented 11.9% of all the complaints. Moreover, the scammers are also well known for keeping track of different promotions, which they can easily brandjack and attempt to obtain sensitive data from the affected users. One of these examples is Visa's "Go Fans" campaign - "Phishing samples spammers are targeting the Visa brand, which is one of the six global FIFA partners. Visa announced a “Go Fans” promotion offer in which card holders get the chance to win a trip to South Africa to experience the 2010 World Cup matches. Aware of the fan frenzy involved with watching live World Cup games, phishers are in the right (albeit criminal) business of trying to make money out if it."

Sample FIFA World Cup 2010 themed Lottery Scam:

Sample targeted campaign, using malicious Excel files:

Risk mitigation strategies

  • Targeted malware attacks serving client-side exploits - With malicious PDFs representing such a high percentage of the exploits used, perhaps an alternative PDF reader such as the Foxit Reader, is worth considering. As well as: taking care of outdated third-party applications in combination with NoScript and least privilege accounts, or complete sandboxing/isolated web browsing, in order to ensure that what happens in the sandbox, stays in the sandbox.
  • 419/Lottery Scams - Although the professional layout of these messages is improving, perhaps the single most important mitigation strategy, one that no software vendor can provide you with, is the lack of gullibility when someone tells you that you've just won 1 million dollars. Don't be naive, and once you spot the scam, consider reporting it.
  • Blackhat SEO (Search Engine Optimization) campaigns serving scareware - The protection tips for mitigating client-side exploits serving campaigns, fully apply to the scareware threat. For additional information on what exactly scareware/rogue security software is, and how to protect from it, consider going through the "The ultimate guide to scareware protection".
  • Spamvertised fraudulent offers, phishing attempts - despite the fact that millions of people admit they click and interact with spam/phishing emails, these emails are not longer 100% fraud oriented, but often as the first touch point for a targeted client-side exploits serving campaign. Therefore, avoiding any interaction with them, next to reporting them as spam, is highly recommended.