How crooks are pulling off Brazil Olympics scams
What tricks are targeting fans and even casual observers of the 2016 Games in Rio?
The official web site of the Rio Olympics counts down the days, hours, minutes and seconds to the start of the Games, August 5. As the clock ticks, crooks know they are running out of time to turn your Olympic fever into cold, hard cash.
They’re trying to meet up with you on e-mail, online, on social media. “Do not miss this opportunity,” one Olympics Facebook page says, as it instructs you to go to a special raffle website and sign up for two tickets to the Games.
The drawing, however, is fake, and signing up could end up with you losing far more than the chance to hold Olympics tickets in your hand, according to cybersecurity experts at Kaspersky Lab.
“It is clear that using the Olympic Games theme is very attractive to the bad guys,” Kaspersky security researchers wrote in a new post this week. Archer News spoke with Kaspersky’s Dmitry Bestuzhev about Olympics scams in a report last month.
So far, the number of cyber attacks with a Rio 2016 theme is lower than the “impressive” wave of cyber assaults during the 2014 World Cup in Brazil, the researchers said. “However, the bad guys have no limit when it comes to creating new attacks,” they added.
One of the popular cyber crimes right now—fake tickets.
You may get an e-mail saying you won a lottery for tickets, or you may see an ad offering tickets at a very low price, the researchers said.
One fraudulent offer they cited sold men’s soccer tickets for $50 and opening ceremony tickets for $500, much lower than the going rates.
If you buy tickets through these scam sites, you may end up with an unpleasant surprise.
“In order to keep the buyer in the dark for some time, the scammers assure them that the payment has been received for the tickets and that they will be sent out two or three weeks before the event,” said Kaspersky analysts Tatyana Shcherbakova and Andrey Kostin in a post.
“As a result, the criminals not only steal the victim’s money but deprive them of the chance of attending the Olympics – by the time they realize they won’t be getting the tickets they booked it will be too late to buy genuine tickets… especially if there’s no money in their bank account,” they said.
Watch from afar
Seeing the Games in person could prove difficult at this point.
“If you want to watch the games, it’s too late to buy tickets via the official channels,” the researchers wrote. “We do not recommend buying through unofficial markets as there is a high possibility that you are buying a pig in a poke.”
The researchers advise you to view the Games on TV or online. But they warn that cyber crooks are adjusting their tactics to match.
One phishing e-mail looks like a special offer promising a good deal on a big screen TV, just in time for the Olympics.
“LED TV promotion for 2016 Brazil Olympic Games,” it says, according to Kaspersky. “We will try our best to satisfy you as per your detailed requirements.”
“Taking any of these e-mails seriously enough to reply to them could well leave you out of pocket,” analysts said.
You might check a site’s domain name to see if it an official site. But researchers said the fakers are busy masquerading their domain names to try to trip you up.
The words “rio” and “rio2016” are popular words in new domain names popping up.
Kaspersky Lab said it has already blacklisted 230 bad domains, many used for fake ticket sales, but some sites may still be lying in wait for you to watch the Games online.
“Some of these domains are hibernating, waiting for the right moment to start an attack (especially those promising free streaming),” the researchers said. Malicious streaming sites like these can infect your computer and steal your data.
What is going on?
If cyber crime were a sport, Brazil might find itself a multiple medal winner.
Kaspersky says it is the most attacked country in the world for phishing scams—even employees of the Olympic Games were targeted for their “potentially lucrative” passwords and user names.
Brazilian companies also took top ranking for the poorest cybersecurity in a report by cybersecurity company BitSight last month, according to Reuters. And there is more.
“Brazil is the second most attacked country in terms of online banking fraud and financial malware. And the problem is getting worse,” said Nathan Thompson of the Igarape Institute, which calls itself a “think and do tank.”
He said the number of reported cyber crime incidents in Brazil jumped almost 300% in 2014, and about $4 billion is spent each year to try and bring those numbers down.
“The Olympic Games has put the issue of a ‘reliable cyberspace’ front and center,” he told Archer News.
Saving the Games—online
Games organizers are working to cut down on Olympics-related cyber crime with a “very active” security operations center, Kaspersky researchers said.
The Brazilian Army announced it is hiring 200 military specialists and technicians to guarantee cybersecurity during the Games, said Thompson.
“Their focus is primarily on protecting critical infrastructure and services and defending against state-sponsored interference and lone wolf attacks,” he explained. They will also try to protect public and private websites, he added.
“The threat to most tourists, however, will be more casual cyber crime,” Thompson said. “Although many of Brazil’s financial institutions and service providers have invested in improving cybersecurity, there will still be risks.”
Risks for visitors
If you go, you will find tricks and traps awaiting you at hotels, airports and the Olympic Games sites.
Some crooks will set up fake Wi-Fi access points, reported the Kaspersky researchers.
They visited Olympic Park, the Brazilian Olympic Committee building and the three stadiums in Rio to see how many Wi-Fi hotspots are available and how secure they are. They found 4,500 access points, and about one out of five were not secure.
“That means that all data sent and received in such networks is not protected by any encryption access key,” they said. “Their focus for the attack is user’s passwords, credit cards and other sensitive personal information.”
Another 7% of Wi-Fi access points were using obsolete technology, so they looked secure, but could be easily broken.
“In our opinion this is especially concerning as users who connect to their ‘trusted’ networks may believe that they are actually connecting to a secure network, when in reality it could be compromised by an attacker, who could deliver different kind of attacks to manipulate network traffic with user’s data,” they said.
Their solution—always use a VPN, a virtual private network, when connecting to public Wi-Fi. They recommend you check to make sure your VPN has its own DNS servers as well.
Charging your phone
In Brazil, you’ll see helpful phone charging spots at the airport, at your hotel, and even in the taxi you grab to head to the stadium. Convenient, but also risky, according to the researchers.
If you plug your phone into a public charging cable, or if you plug your charging cable into a USB port, you could open the door for cyber invaders.
“While connected via USB, the attacker can execute commands in order get information about the device including the model, IMEI, phone number and battery status,” they said. “With that information it is possible to run an attack for the specific phone model and then successfully infect the device and collect personal information.”
They suggest you:
- Always use your own charger and avoid buying one from unknown sources.
- Use the power outlet instead of USB socket when using an unknown charging point.
- Don’t use the charging cables at a public charging spot.
You might leave a copy of your credit card behind in Rio—though not intentionally.
“Unfortunately, Brazil is well known for its credit card cloning activities and it is not hard to find someone who had their card cloned while visiting the country,” the researchers said.
You can use your credit or debit card almost everywhere, even with street vendors, they said. But the card payment device may be saving your info for collection later.
They suggest you:
- Never give your card to the retailer. If for some reason they cannot bring the machine to you, you must go to the machine.
- If the machine looks suspicious, change the payment method. It is always good to have some money with you as a back-up.
- Before typing your PIN make sure you are on the correct payment screen and that your PIN is not going to be shown on the screen.
It can be hard to protect yourself from this kind of attack, but you can sign up for text notifications from your bank every time your card is used to buy something, they advised.
“Even though it does not avoid card cloning, the victim will be notified about the fraudulent transaction as soon as it happens then it can contact the bank in order to block future transactions,” they said.
In some cases, Olympic cyber crime is a team sport.
Gangs of crooks install skimmers on ATMs in Brazil—one gang put 14 skimmers on cash machines at the Rio International Airport in 2014, researchers noted.
Crooks may work together on the fraudulent ticket sites as they “go for the gold”—your gold.
“According to our research, the creation of fake sites usually involves well organized, fraudulent, international gangs,” said Kostin in a statement online.
“They split tasks, so that each small group is responsible for a separate part of the work. For example, one group creates websites, the other registers domains, another collects and sells the victims’ personal information, etc.,” he added.
You should team up with the official Olympics organization to compete, Kaspersky analysts said. Check the official Olympic Games site for a list of ticket sellers and only buy from authorized sites. The official site also has a guide to help Olympic fans avoid scams.
“Also, we strongly recommend not buying anything in stores advertised in spam mailings or advertising banners, whether it’s tickets or souvenirs related to the Olympics,” they added.
“For those who cannot resist impulse purchases, we recommend getting a separate bank card that is only used for online payments and which only ever has small sums of money on it. This will help to avoid serious losses if your banking information is stolen,” they said.