The UK National Cyber Security Centre (NCSC) today highlighted the increasing risks posed by ransomware attacks, phishing campaigns, and Business Email Compromise (BEC) fraud schemes targeting sports organizations and teams, including Premier League football clubs.
According to the agency’s data, primarily sourced from an Ipsos MORI survey it commissioned, at least 70% of sports organizations experienced a breach or cyber incident during the last year, with 30% recording more than five incidents in that period, “more than double the average for UK businesses.”
Roughly 30% of those incidents caused direct financial damage, averaging £10,000 ($12,700) per incident, with the biggest single loss reported being more than £4 million (almost $5,100,000).
“As the sports sector recovers from the impact of the coronavirus pandemic and continues to plan for the future, the NCSC is urging organizations to consider the findings of its report and follow its advice, such as putting in place security controls – often at low cost – and backing up data,” the agency said.
We are urging sports teams and organisations to strengthen their cyber security defences after a new survey revealed that 70% have been attacked by cyber criminals in the last 12 months… https://t.co/aesmuNcuAS
— NCSC UK (@NCSC) July 23, 2020
BEC fraud targeting football clubs, sporting orgs
Among the attacks highlighted in the report, the NCSC describes two BEC fraud attempts — the biggest threat to sports organizations, per the agency — against a Premier League football club and a UK sporting body, both enabled by compromised Office 365 accounts.
The football club’s Managing Director fell victim to a spearphishing attack that handed the fraudsters his credentials, which they used in a scheme to steal almost £1 million by redirecting payments that were part of an agreed transfer with a European club.
Even though the transaction was approved after the scammers swapped the genuine bank details for an account under their control, the payment never reached that account: the bank had a fraud marker against it and refused the transfer.
Fortunately, the payment did not go through. The cyber criminals’ account had a fraud marker against it and the bank refused the payment. This highlighted the attempted fraud to the FA and the victim club. – NCSC
In the case of the UK sporting body, the attackers set up Office 365 auto-forwarding rules to external email accounts and managed to re-route almost 10,000 emails, some of them containing personal data on more than 100 individuals.
“The organization did have a policy of enforcing strong passwords, but at the time of the incident had not enabled MFA for Office 365,” the NCSC report reads.
“Following the incident, the company implemented MFA for all Office 365 accounts and for other online applications processing sensitive data.”
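The forwarding-rule technique described above leaves artifacts an administrator can enumerate. The following is an added audit script, not code from the NCSC report or from the affected organization, for Exchange Online: it lists every mailbox whose mailbox-level forwarding or user-created inbox rules deliver mail to a domain the tenant does not own. It assumes the ExchangeOnlineManagement module, an already-open `Connect-ExchangeOnline` session, and a hypothetical example tenant; the accepted-domain list is used to decide what counts as external.

```powershell
# Added example (not from the NCSC report): find Exchange Online forwarding to external domains.
# Assumes: Import-Module ExchangeOnlineManagement; Connect-ExchangeOnline -UserPrincipalName admin@example.com
# (admin@example.com is a placeholder tenant account).

# Domains the tenant owns are "internal"; any other destination is a candidate for exfiltration.
$internal = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToLower() }

function Get-SmtpDomain {
    param([string]$Recipient)
    # Rule recipients render as 'Alice Example [SMTP:alice@contoso.com]'; mailbox-level
    # forwarding renders as 'smtp:alice@contoso.com'. Extract the address, then its domain.
    $addr = if ($Recipient -match 'SMTP:([^\]]+)') { $Matches[1] } else { $Recipient }
    if ($addr -match '@([^>\s]+)$') { return $Matches[1].ToLower() }
    return $null
}

function Test-External {
    param([string]$Domain)
    # Null domain (e.g. a forward to an internal mail-enabled object) is not flagged.
    return [bool]$Domain -and ($internal -notcontains $Domain)
}

$findings = @()
foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # 1. Mailbox-level forwarding (set by an admin, or by an attacker holding admin rights).
    if ($mbx.ForwardingSmtpAddress) {
        if (Test-External (Get-SmtpDomain "$($mbx.ForwardingSmtpAddress)")) {
            $findings += [pscustomobject]@{
                Mailbox = $mbx.UserPrincipalName; Source = 'MailboxForwarding'
                Rule    = '-';                    Target = "$($mbx.ForwardingSmtpAddress)"
            }
        }
    }
    # 2. Inbox rules: forward, forward-as-attachment and redirect actions all move mail out.
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
            Where-Object { $_ }
        foreach ($t in $targets) {
            if (Test-External (Get-SmtpDomain "$t")) {
                $findings += [pscustomobject]@{
                    Mailbox = $mbx.UserPrincipalName; Source = 'InboxRule'
                    Rule    = "$($rule.Name) (Enabled=$($rule.Enabled))"; Target = "$t"
                }
            }
        }
    }
}

$findings | Sort-Object Mailbox | Format-Table -AutoSize

# Tenant-wide hardening to pair with MFA: stop automatic forwarding to external domains,
# so a rule created from a phished account cannot deliver mail outside the tenant.
# Set-RemoteDomain Default -AutoForwardEnabled $false
```

Treat the output as a starting point rather than a complete picture: a rule that was created and later deleted will not appear, so the unified audit log (`Search-UnifiedAuditLog -Operations New-InboxRule,Set-InboxRule`) should be checked for the incident window as well. The `Set-RemoteDomain` line is an added hardening step, left commented because it changes tenant-wide behaviour and should be applied deliberately.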
Ransomware behind 25% of all malware attacks
As the NCSC says, roughly 40% of all attacks on sports organizations involved malware, and at least a quarter of those involved some strain of ransomware.
In one ransomware incident highlighted by the UK cybersecurity agency, an English Football League (EFL) club was hit by an attack that led to all of its security and corporate systems being encrypted.
“Several servers were also affected, leaving the club unable to use their corporate email,” according to the NCSC. “The stadium CCTV and turnstiles were non-operational, which almost resulted in a fixture cancellation.”
The attackers asked the club to pay a 400 bitcoin ransom (roughly $3,800,000) to decrypt the data from all endpoints and servers.
The EFL club refused to pay; even so, the attack cost it several hundred thousand pounds once remediation and lost income were counted.
The attack vector remains unknown, but the initial infection was likely enabled by either a phishing email or remote access via the CCTV system. All systems at the stadium were connected to one network (VLAN). This meant that the infection spread across the estate quickly. – NCSC
“While cybersecurity might not be an obvious consideration for the sports sector as it thinks about its return, our findings show the impact of cybercriminals cashing in on this industry is very real,” Paul Chichester, NCSC Director of Operations, said.
“I would urge sporting bodies to use this time to look at where they can improve their cybersecurity – doing so now will help protect them and millions of fans from the consequences of cybercrime.”