The Super Bowl of Cybercrime
In a time where our world is filled with turmoil and chaos, it sometimes takes a common phenomenon to bring us all together. That’s right; I’m talking about Sunday Funday, The Big Kahuna, The Championship of Commercials, and The Final Countdown.
The Super Bowl is a couple of days away and everyone is getting ready for the big game.
Being a dad and a cybersecurity expert isn’t always fun when combined together. I warned my teenage sons and all of their friends to be on the lookout for targeted spear phishing emails claiming they had won an all-expenses-paid trip to the Super Bowl. Of course, my advice was followed with eye rolls and “OK daddddddd” responses, but at least my voice was implanted somewhere in their brains. After all, all they needed to do was click on a link for the cybercrime ball to get rolling.
And there’s no coming back from that.
Last year at this time I was in Atlanta, where the Super Bowl was taking place. I was interviewed live on HLN to warn people about many Super Bowl-type scams involving phishing emails. Unfortunately, I wasn’t invited to see the game.
This year, I thought it would be no different. However, I turned on the news to discover that ESPN and 15 NFL teams had their Twitter accounts “hacked” by a group purporting to be from Saudi Arabia. I haven’t been on the receiving end of pertinent FBI info for two years, so I can honestly say I hadn’t heard of this group before.
They posted strange messages on the teams’ NFL pages and then went on to say everybody is hackable.
The one thing that jumped out at me was that the incident was described as a hack, when it really was an account compromise. Now I understand that you may not know the difference if you are not involved in technology or cybersecurity on the daily. So what is the difference, you ask?
The level of skill by the bad guy.
Let’s forget that these were all NFL teams and it’s a few days before the Super Bowl. Let’s think about it as plain, old social media accounts belonging to any organization, perhaps even yours. What do you think happens when the bad guy steals the username and password for the account? He logs in and takes control over the account, exactly what happened in this instance. How did he get the password? Maybe social engineering, password reuse or a keylogger.
Aside from good password hygiene, what CANNOT be forgotten?
2FA. I’ve been telling individuals and organizations for years they need to turn on the two-factor authentication on all of their social media platforms, or the bad guys will take over their platforms and send messages out to all their followers. Exactly what happened here.
Last week I was speaking at a conference to a group of Chief Information Security Officers (CISOs) of some pretty big companies. I asked the group how many of them were sure their marketing department had two-factor enabled.
Only two people raised their hands, out of hundreds.
When I asked about their personal accounts, a few more hands went up. I called a couple of my CISO friends and asked them for their thoughts. Two of them told me they tried and tried and they were overruled each time because the marketing folks didn’t see the need and it wasn’t worth the fight.
I was flabbergasted and rendered speechless, which is rare.
I have the ability to change the behavior of the marketing folks very easily so I was up for the challenge with this particular group. However, if you want to get your marketing folks or anyone else to secure their platform, use this example:
A financial services company uses a social media platform to stay in touch with customers and promote brand awareness, but they do not use 2FA. Cybercriminal Schmuckatelli is able to gain access to the platform and sends a targeted message out to all the followers. The message says that, for being such a loyal follower of the organization, they are being rewarded with a free large hot beverage from their favorite national coffee brand. All they need to do is click on the link. How many thirsty customers would click on the link? Would you? What if you received a social media message from your favorite sports team giving you a chance to win tickets? When you click on the link you are taken to a website that installs malicious code on your computer. Maybe it’s a keylogger that steals all of your usernames or passwords, or maybe it’s ransomware. Can you afford to not know what to do in any of these situations?
I’m not an expert in marketing, but I think it’s a no-brainer to know if this is good or bad for your brand. So should we get rid of, or limit the use of, social media? I’m not saying that at all. All I’m saying is use it securely.
All social media platforms have 2FA and it’s up to you to turn it on.
From your personal account to a huge company like ESPN, no one is spared a hacking or account compromise if you don’t know how to use 2FA properly. Your brand and your financial security depend on it!
So now that we have this down, you just have to worry about your pick for The Big Game. You could have a lot more riding on it than ever before. Watch what you click, and good luck!