Hacking

SPOTLIGHT ON SECURITY

Beware the Ides of March Madness

NCAA Final Four basketball

Don’t lose your shirt while betting on teams competing in the March Madness NCAA basketball tournament. If you ignore the Ps and Qs of cybersecurity this year, you might well shell out a lot more than what you bargained for.

The 2022 men’s’ March Madness tournament tips off with “Selection Sunday” airing on CBS March 13 at 6 p.m. ET, followed by the “First Four” games March 15-16 at UD Arena in Dayton, Ohio, and concludes  with the NCAA championship game April 4 at Caesars Superdome in New Orleans.

This annual event is a most-popular time for betting pools and bracket challenges — when employees often use websites, online platforms, or shared spreadsheets to organize.

Also a Phishing Event

Hackers have countless ways to entice you to engage with them. These ruses include the promise of bigger winnings or insider information about teams, according to Hank Schless, senior manager for security solutions at endpoint-to-cloud security company Lookout.

“Threat actors view this event as low-hanging fruit for social engineering and phishing. They easily can spoof the URL of popular sports and betting websites like ESPN, DraftKings, and FanDuel,” he told TechNewsWorld.

Recent reports abound of attackers using fake share links from Google Drive and Office 365 to trick enterprise users into giving up their login credentials. This is a tactic that could realistically be used here as well, he warned.

Phishing has become the most popular way for attackers to gain initial access to corporate infrastructure. Heavy reliance on the cloud means users can log in from anywhere, which is great for enabling productivity.

“But this also introduces risk if your IT and security teams lack visibility into the context under which users access apps and data,” he said.

Enticing Yet Unsafe Offers

Cyberattackers use events like March Madness as a way to entice their targets and get them to overlook any red flags that indicate malicious intent. When it comes to phishing for credentials, a simple text or social media message can be highly effective, observed Schless.

He advises playing it extra safe this year with cyber intrusions at an all-time high. Be on guard against the risk of unauthorized users gaining access to your sensitive data. Use security software to detect and block phishing attacks as well as web traffic from any device to cut connections to malicious sites.

“In addition, you need to have visibility into the context under which users are logging in to your infrastructure and access data. Anomalous locations, devices, and the number of login attempts can all be signs of compromised credentials,” he said.

Breeding Grounds for Trouble

All major sporting events can create a spike in phishing scams, fake domains, and adware, admitted Jasmine Henry, field security director at cyber asset management and governance firm JupiterOne.

“March Madness creates a unique amount of risk to employers since it takes place during business hours when fans are generally using work-issued devices and network resources,” she told TechNewsWorld.

Security leaders should consider if a brief update to their acceptable use policy could lower March Madness security risks, she offered. If official NCAA and ESPN web properties are blocked on the network, sports fans will find alternative ways to watch the streams and may end up using sketchier, malware-riddled websites to get around the policy.

“Security pros should also communicate with users about which risks to look for in their inboxes and text messages, including links, attachments, and bracket invites that are sent by a threat actor instead of a colleague,” suggested Henry.

Compromise Comes Through Chaos

The chaotic atmosphere of March Madness provides the perfect cover for bad actors looking to commit cybercrimes. Popular sports and betting apps typically do a good job of remediating critical vulnerabilities as soon as they are identified, according to Ray Kelly, fellow at NTT Application Security.

“However, fans of March Madness need to make sure to update mobile apps often, as security fixes are deployed within these updates via the App Store and Google Play,” he told TechNewsWorld.

Users are more likely to have their personal information compromised through targeted email or SMS phishing campaigns. It is relatively easy for hackers to create emails or landing pages that look legitimate and lure users to enter their personal information into a malicious site, he explained.

“A good rule of thumb is to never open links sent via email. Rather, it is much safer to always go directly to the website or mobile app,” Kelly urged.

Click Carefully Without Abandon

With March Madness nearly upon us, working professionals and sports fans alike are starting to prepare schedules to fill out their bracket and stream the games online. In doing so, we click with little thought of safety, observed Joseph Carson, chief security scientist and advisory CISO at privileged access management (PAM) provider Delinea.

“We are a society of clickers. We like to click on things. Hyperlinks, for example,” he noted.

Always be cautious of receiving any messages with a hyperlink included, he told TechNewsWorld. Before clicking, ask yourself, “Was this expected?” or “Do I know who is sending this?”

On occasion, check with the sender if they actually sent you an email before you aimlessly click on something that might be malware, ransomware, a remote access tool, or a virus that steals or accesses your data, suggested Carson.

“Before clicking, everyone needs to stop and think. Check the URL, make sure the URL is using HTTPS, also check that this URL is coming from a legitimate source,” Carson said. “Discover where the hyperlink is taking you before you click on it as you might get a nasty surprise.”

Remember Old School Tools

There might be a worthy retro experience to ensure security this March Madness season, cautioned Richard Fleeman, vice president of penetration testing ops at cybersecurity advisory firm Coalfire.

“Consider managing office pools via the old school methods of manual tracking, and utilize one person to coordinate. If you use a document to track, consider sharing that document via Box, Google Docs, etc.,” he told TechNewsWorld.

Fleeman also suggested three more safety court approaches:

  1. Consider using known and trusted platforms for March Madness brackets, tracking, bets, and spreads. Stick with the known Yahoo, ABC, ESPN, etc.
  2. Continue to maintain proper cyber hygiene. Use multi-factor authentication, use a password vault to generate unique passwords, inspect email headers, and URL links. Do not open unknown attachments, bookmark, and log directly into the online platform rather than clicking links in an email, etc.
  3. Be wary of applications leveraging common authentication frameworks and third-party trust — Google Auth or Facebook — without inspecting the elements requesting access or trust. Blindly permitting access and trust could potentially open your accounts to compromise.

Once your cybersecurity house is in order — enjoy the games!

Jack M. Germain

Jack M. Germain has been an ECT News Network reporter since 2003. His main areas of focus are enterprise IT, Linux and open-source technologies. He is an esteemed reviewer of Linux distros and other open-source software. In addition, Jack extensively covers business technology and privacy issues, as well as developments in e-commerce and consumer electronics. Email Jack.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by Jack M. Germain
More in Hacking

Technewsworld Channels