NCSC report reveals how defences of UK sport sector are being tested by cyber attackers, as one football club nearly loses £1 million
The National Cyber Security Centre (NCSC) has published a report that details how the defences of the UK’s sporting sector are being tested by hackers and criminals.
The NCSC (part of GCHQ) even revealed how the emails of an unnamed Premier League club’s managing director were hacked before a transfer negotiation. As a result, the £1m fee almost fell into the hands of cyber criminals.
The money was only stopped from landing in the criminals’ accounts thanks to the late intervention of a bank.
The NCSC report warned that cyber operations against sporting bodies were resulting in blocked turnstiles, hacked transfer deals and fraudulent equipment sales.
“NCSC’s first analysis of threats to the sports industry finds at least 70 percent of institutions suffer a cyber incident in just 12 months,” it warned, before urging sports organisations to implement cyber security measures to prevent cyber criminals cashing in on the lucrative industry.
Another sporting incident found by the NCSC saw a member of staff at a racecourse lose £15,000 in a scam involving the spoofing of eBay.
“Sport is a pillar of many of our lives and we’re eagerly anticipating the return to full stadiums and a busy sporting calendar,” said Paul Chichester, director of operations at the NCSC.
“While cyber security might not be an obvious consideration for the sports sector as it thinks about its return, our findings show the impact of cyber criminals cashing in on this industry is very real,” said Chichester.
“I would urge sporting bodies to use this time to look at where they can improve their cyber security – doing so now will help protect them and millions of fans from the consequences of cyber crime,” Chichester added.
Security experts were quick to respond to the NCSC report, and warned that sporting bodies must ensure they are bolstering their cyber defences going forward.
“No organisation or sector is safe from cyber threats, and that includes the beautiful game,” said Carl Wearn, head of e-crime at Mimecast.
“Transfer deals are obviously a high-pressure time for many football clubs, with lots of fan pressure to get the deal over the line,” he added. “This pressure can potentially be really detrimental to cyber-hygiene and lead to own goals. In this instance, the attack appears to be an impersonation attack and this variation is definitely on the rise.”
“Football clubs spend millions every summer investing in their team’s defence, but it is time they started investing in their cyber-defence,” said Wearn. “Not investing in their organisation’s cyber awareness will leave cyber-criminals with an absolute tap in, that even a Sunday-league striker couldn’t miss.”
Another expert warned financial executives to be especially careful and ensure they have the appropriate protocols in place.
“This is most likely an attempt at CFO fraud, where exec-level accounts responsible for funds are compromised to wire huge sums of money overseas,” said Chris Boyd, lead malware intelligence analyst at Malwarebytes.
“As the transfer was only prevented due to the bank’s actions, the affected club may not have security measures in place to combat or even detect such a threat in the first place,” said Boyd.
“Confirming transfer amounts over the phone, having agreed protocols in place such as 2FA to authorise transfers, and securing relevant email addresses are a few ways organisations can thwart this type of attack.”
Another expert said that lucrative football clubs are often a tempting target for cyber thieves, especially during summer transfer windows.
“One thing we can say with certainty is that all data has value to cyber criminals, and if they can find a way to exploit it for financial gain, they will,” said Stuart Reed, UK director, Orange Cyberdefense.
“In a business as lucrative as Premier League football it is not surprising to hear that the activity of wealthy clubs has piqued the interest of cyber criminals, especially during the busy summer transfer window when vast sums of money are involved,” said Reed.
“These attacks demonstrate that no-one is immune to this kind of cyber crime, especially in sectors like sport, which is increasingly becoming a high value target for hackers as sponsorship and TV rights fuel rising profitability in the sector,” said Reed. “It also shows that while these crimes may be ‘faceless’, they are by no means victimless as they can be extremely disruptive and costly.”
Meanwhile Ed Macnair, CEO of Censornet, said it was hardly shocking that at least 70 percent of sports organisations have experienced an incident or cyber breach given the prevalence of cyber attacks today.
“What makes BEC so effective is how the ‘real’ looking emails play on every human desire to please a high ranking executive effectively leaving them open to compromise,” said Macnair. “Traditional pattern matching technologies usually used to catch spam are also useless against this technique – making them so difficult to stop.”
“With approximately 30% of these incidents causing direct financial damage, averaging £10,000 per incident, sports organisations need to adopt email security that combines content analysis, threat intelligence and executive name checking to efficiently protect themselves,” said Macnair.
“Additionally, multi-factor authentication can help to protect compromised user accounts from being used for account takeover and other business email compromise scams.”
Another security expert said that cyber criminals work on locating vulnerable targets that offer a probable payout.
“Cybercriminals are economic rationalists – if they see vulnerable targets that they consider as having a high probability of generating income from a cyberattack, then they’ll shoot at the open goal,” explained Matt Walmsley, EMEA director at Vectra.
“The rapid and wide-scale disruption to operations that ransomware creates means that NCSC’s advice on reducing the attack surface and propagation methods needs to be heeded by sporting organisations and beyond,” said Walmsley.
“However, no defences can be perfect so detecting and responding to the misuse of privileged access credentials and precursor indicators of a ransomware attack manifesting inside an organisation, can make the difference between a contained incident or an organisational damaging outage, breach or financial loss,” he concluded.