Hackers Target UK Sports Sector to Steal MillionsReport Describes Vulnerabilities in Sports Organizations' Cybersecurity
A Premier League football club, which was one of many UK sports organizations targeted by cybercriminals over the last 12 months, was nearly bilked out of £1 million ($1.2 million) in a business email compromise scam, according to a National Cyber Security Center report that describes a variety of scams.
The report states that 70% of U.K. sports institutions were targeted by cyber incidents. In addition to BEC scams, those included having stadium turnstiles blocked and being victimized by fraudulent equipment sales. About 30% of the incidents resulted in financial losses, which averaged £15,000 ($19,000). The largest loss was more than £4 million ($5.1 million).
Robust Controls Needed
NCSC, the public-facing arm of Britain's intelligence agency GCHQ, is urging sports organizations to implement more robust cybersecurity protocols.
"While cybersecurity might not be an obvious consideration for the sports sector … our findings show the impact of cybercriminals cashing in on this industry is very real," says Paul Chichester, NCSC’s director of operations.
Chichester urges sports organizations "to look at where they can improve their cybersecurity - doing so now will help protect them and millions of fans from the consequences of cybercrime.”
The NCSC states that about 30% of the sports organizations do not regularly patch their systems. Some 56% of teams’ and sports facilities’ payment systems, turnstiles and CCTV networks are remotely accessible by third parties, offering easy entry into the team's network. The report also notes that 20% of organizations do not create separate user accounts for their payment systems, while 30% don’t have separate accounts for CCTV and industrial control systems. Nearly a third of organizations lack network segmentation.
The report describes how an unnamed Premier League team was targeted by a BEC scam timed to take place during the league's transfer window - the period when players are traded and acquired. The team's managing director had his Office 365 credentials stolen in a spear-phishing attack. The attacker then used the credentials to monitor the teams' negotiations over a potential player deal that was worth almost £1 million.
When the deal was about to be completed, the attacker inserted himself into the middle of the email conversation, according to the report.
"The attackers assumed the identity of the [managing director] and communicated with the European club. Simultaneously, they created a false email account and pretended to be the European club in communications with the real managing director. The cybercriminals sent an amended payment request to the managing director, changing the real bank details to an account they had control of," according to the NCSC report.
The deal was approved by the league, but the money transfer was stopped when it was discovered that the attacker's bank account was marked as fraudulent, the report notes.
Additional Attack Methods
The NCSC report also found sports clubs were targets of additional attack methods. For example:
- 75% of sports organizations reported having received fraudulent emails, calls and text messages;
- 61% reported that these malicious communications directed staff to fake websites;
- 40% reported they had been targeted by malware;
- 25% reported they had been victimized by ransomware.
The report notes that an English Football League club incurred losses after a targeted ransomware attack crippled the club's corporate and security systems. As a result, CCTV cameras and turnstiles at the stadium failed to operate, which led to the cancellation of a game.