[BreachExchange] Sports industry urged to reform cyber security after £1m Premier League phishing scam

Destry Winant destry at riskbasedsecurity.com
Fri Jul 24 10:21:15 EDT 2020


https://www.itpro.co.uk/security/phishing/356548/premier-league-club-almost-lost-ps1m-in-spear-phishing-scam

The managing director of a Premier League football club narrowly
avoided losing £1 million during a transfer window after their email
account was targeted by hackers.

The incident has sparked calls for greater cyber security awareness in
the sporting industry, one that can prove to be particularly lucrative
for hackers.

The unnamed club was saved at the last minute by the other club's
bank, which intervened when it was clear that the money was being sent
to a fraudulent account, according to a National Cyber Security Centre
(NCSC) report.

The incident is almost an exact replica of the successful phishing
scam against Italian club Lazio in 2018, which resulted in €2 million
being lost to scammers.

According to the report, the managing director of the unnamed Premier
League club had entered his credentials into a spoofed Office 365 page
operated by hackers. When the transfer window opened, the thieves
posed as this MD to intercept the transfer negotiations, talking
directly to the European club attempting to buy a Premier League
player. The European club's bank managed to spot the discrepancy
during payment in time, halting the transfer.


This is just one of a number of security incidents the NCSC has used
in The Cyber Threat to Sports Organisations report to highlight just
how lucrative the industry is to hackers. According to the report, at
least 70% of sports institutions suffer a cyber incident every 12
months, which is more than double the average of UK businesses.

Another example from the football league saw a ransomware attack shut
down a club's stadium. The hack encrypted all of the club's IoT
devices, resulting in the loss of locally stored data and the shutdown
of its stadium turnstiles, which almost resulted in the postponement
of a fixture.

The club was asked to pay 400 Bitcoin to get its systems back online,
which it ultimately refused. According to the NCSC report, the
attacker remains unknown, but the attack was likely preceded by
either a phishing email or a remote access hack through its CCTV
system.


"While cyber security might not be an obvious consideration for the
sports sector as it thinks about its return, our findings show the
impact of cyber criminals cashing in on this industry is very real,"
said Paul Chichester, director of operations at the NCSC.

"I would urge sporting bodies to use this time to look at where they
can improve their cyber security - doing so now will help protect them
and millions of fans from the consequences of cyber crime."

Away from football, phishing scams using a spoofed eBay account
managed to pull in approximately £15,000 from staff members at a
racecourse. An organisation that holds athlete performance data also
had a compromised Office 365 email account that had been automatically
forwarding personal information to a hacker's email address.
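The silent auto-forwarding described above is one of the most common signs of a compromised Office 365 mailbox, and it is easy to audit for. The following is an added example written for this post, not code from the article or the NCSC report. It assumes that inbox rules and mailbox settings have been exported with property names matching what Exchange Online's Get-InboxRule and Get-Mailbox cmdlets return (ForwardTo, RedirectTo, DeleteMessage, ForwardingSmtpAddress and so on); the sample records, the club's domain and every address in them are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed: the organisation's own mail domains. Forwarding to anything
# outside this set is treated as external.
ORG_DOMAINS = {"example-fc.co.uk"}

# Constructed sample export of inbox rules. Property names mirror the
# Get-InboxRule output; address strings use the '"Name" [SMTP:addr]' form
# that cmdlet returns, but plain addresses are handled too.
SAMPLE_RULES = [
    {"Mailbox": "md@example-fc.co.uk", "Name": "Finance copy", "Enabled": True,
     "ForwardTo": ['"Finance" [SMTP:finance@example-fc.co.uk]'],
     "ForwardAsAttachmentTo": [], "RedirectTo": [],
     "DeleteMessage": False, "MoveToFolder": None},
    # Classic account-takeover rule: near-empty name, external redirect,
    # and the original is deleted so the victim never sees it.
    {"Mailbox": "md@example-fc.co.uk", "Name": ".", "Enabled": True,
     "ForwardTo": [], "ForwardAsAttachmentTo": [],
     "RedirectTo": ["[SMTP:md.transfers@mail-example.invalid]"],
     "DeleteMessage": True, "MoveToFolder": None},
    # External but not hidden: may be legitimate, still worth review.
    {"Mailbox": "analyst@example-fc.co.uk", "Name": "Backup to personal",
     "Enabled": True,
     "ForwardTo": ["analyst.home@personal-mail.invalid"],
     "ForwardAsAttachmentTo": [], "RedirectTo": [],
     "DeleteMessage": False, "MoveToFolder": None},
    # Disabled rules are skipped by the audit.
    {"Mailbox": "analyst@example-fc.co.uk", "Name": "Old", "Enabled": False,
     "ForwardTo": ["someone@elsewhere.invalid"], "ForwardAsAttachmentTo": [],
     "RedirectTo": [], "DeleteMessage": False, "MoveToFolder": None},
]

# Constructed sample of mailbox-level forwarding (Get-Mailbox properties).
SAMPLE_MAILBOXES = [
    {"Mailbox": "md@example-fc.co.uk",
     "ForwardingSmtpAddress": "smtp:md.personal@personal-mail.invalid",
     "DeliverToMailboxAndForward": True},
    {"Mailbox": "analyst@example-fc.co.uk",
     "ForwardingSmtpAddress": None, "DeliverToMailboxAndForward": False},
]

EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")


@dataclass
class Finding:
    mailbox: str
    rule: str            # rule name, or "<mailbox forwarding>" for Get-Mailbox settings
    targets: list        # external addresses the mail is sent to
    hides_mail: bool     # True when the original is deleted or moved out of the Inbox
    severity: str
    reasons: list = field(default_factory=list)


def external_addresses(entries, org_domains):
    """Extract SMTP addresses from exported strings and keep those outside org_domains."""
    found = set()
    for entry in entries or []:
        for addr in EMAIL_RE.findall(entry):
            if addr.rsplit("@", 1)[1].lower() not in org_domains:
                found.add(addr.lower())
    return sorted(found)


def audit_rules(rules, org_domains):
    """Flag enabled inbox rules that forward or redirect mail outside the organisation."""
    findings = []
    for rule in rules:
        if not rule.get("Enabled", True):
            continue
        entries = []
        for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
            entries.extend(rule.get(key) or [])
        targets = external_addresses(entries, org_domains)
        if not targets:
            continue
        reasons = ["forwards outside organisation"]
        hides = bool(rule.get("DeleteMessage")) or \
            rule.get("MoveToFolder") not in (None, "", "Inbox")
        if hides:
            reasons.append("hides the original message")
        if len(rule.get("Name", "").strip()) <= 2:
            reasons.append("near-empty rule name")
        severity = "high" if len(reasons) > 1 else "medium"
        findings.append(Finding(rule["Mailbox"], rule["Name"], targets, hides,
                                severity, reasons))
    return findings


def audit_mailbox_forwarding(mailboxes, org_domains):
    """Flag mailbox-level forwarding (ForwardingSmtpAddress) that points outside the organisation."""
    findings = []
    for mb in mailboxes:
        targets = external_addresses([mb.get("ForwardingSmtpAddress") or ""], org_domains)
        if targets:
            # Forwarding without keeping a copy means the owner never sees the mail.
            hides = not mb.get("DeliverToMailboxAndForward", False)
            findings.append(Finding(mb["Mailbox"], "<mailbox forwarding>", targets, hides,
                                    "high", ["mailbox-level external forwarding"]))
    return findings


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES, ORG_DOMAINS) + \
            audit_mailbox_forwarding(SAMPLE_MAILBOXES, ORG_DOMAINS):
        print(f"[{f.severity}] {f.mailbox} rule={f.rule!r} -> {f.targets}: {', '.join(f.reasons)}")
```

Run against a real export, the same logic applies unchanged: feed it the rules for every mailbox (not only executives, since finance and transfer correspondence moves through many inboxes) and treat any hit that also deletes or files the original as an active compromise rather than a policy violation. Pairing this with an alert on new forwarding rules, and with MFA on the login that the spoofed Office 365 page was built to harvest, addresses both halves of the incident the article describes.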

Around 30% of the incidents in the report caused direct financial
damage, with an average of £10,000 being lost each time. The biggest
single loss was £4 million, according to the NCSC.
