Olympics, A Target for A Growing Number of Cybercriminals - Fortinet
Major sporting events like the World Cup, Super Bowl, and Wimbledon draw in
massive global audiences. For instance, the final game of the Qatar 2022
World Cup between Argentina and France reached an impressive 1.5 billion
viewers. However, the Olympics stands out as the largest spectacle,
with the 2020 Tokyo Olympics attracting over 3 billion viewers worldwide.
These colossal events also present prime opportunities for cybercriminals.
Over the last decade, cyberattacks targeting such events have surged
dramatically. The London 2012 Games saw 212 million documented cyberattacks,
which skyrocketed to 4.4 billion attacks during the Tokyo 2020 Games. These
attacks often have direct financial motives, including scams, digital fraud,
or acquiring valuable data from attendees, viewers, and sponsors. Enthusiastic
fans, in their eagerness, frequently overlook potential risks when purchasing
tickets, booking accommodations, or buying memorabilia, making them easy
targets for cybercriminals.
Desperate fans looking to view specific events may be lured by malicious
websites offering free access, only to have their devices compromised or
personal data stolen. Additionally, with global media attention on the event,
cybercriminals with political agendas may seize the opportunity to disrupt
significant sites or knock critical services offline to broadcast their
message to a large audience.
Threat Actors Targeting the Paris 2024 Games
According to a new FortiGuard Labs analysis, this year’s Olympics in
Paris has been a target for cybercriminals for over a year. Utilizing publicly
available information and proprietary analysis, the report provides a
comprehensive view of planned attacks, such as third-party breaches,
infostealers, phishing, and malware, including ransomware.
Note the surge in darknet activity targeting French organizations between 2H 2023 and 1H 2024, Credit: Fortinet
FortiGuard Labs has noted a significant increase in resources being marshaled
in the lead-up to the Paris Olympic Games, especially targeting
French-speaking users, French government agencies and businesses, and French
infrastructure providers. Notably, since the second half of 2023, there has
been a surge in darknet activity targeting France, with an 80% to 90% increase
remaining consistent across the latter half of 2023 and the first half of
2024. The prevalence and sophistication of these threats highlight the
meticulous planning and execution of cybercriminals, with the dark web serving
as a central hub for their activities.
A Growing Market for Stolen Personal Information and Malicious Activity
Documented activities include the increasing availability of advanced tools
and services designed to accelerate data breaches and gather personally
identifiable information (PII), such as full names, dates of birth, government
identification numbers, email addresses, phone numbers, residential addresses,
and more.
For example, French databases containing sensitive personal information,
including stolen credentials and compromised VPN connections, are being sold
to enable unauthorized access to private networks. Additionally, there is a
rise in advertisements for phishing kits and exploit tools customized
specifically for the Paris Olympics, as well as combo lists (collections of
compromised usernames and passwords) made up of French citizens' credentials.
Hacktivist Activity Spiking
Given that Russia and Belarus are not invited to this year’s games, there has
been a noticeable spike in hacktivist activity by pro-Russian groups—such as
LulzSec, noname057(16), Cyber Army Russia Reborn, Cyber Dragon, and
Dragonforce—that explicitly target the Olympic Games. Groups from other
countries and regions are also active, including Anonymous Sudan (Sudan),
Gamesia Team (Indonesia), Turk Hack Team (Turkey), and Team Anon Force
(India).
Beware of Phishing Scams and Fraudulent Activity
Phishing Kits
Phishing is one of the easiest forms of attack, yet many low-sophistication
cybercriminals still lack the know-how to create or distribute phishing emails.
Phishing kits provide novice attackers with a simple user interface to compose
a convincing email, add a malicious payload, create a phishing domain, and
procure a list of potential victims. Text-generating AI services have also
eliminated spelling, grammatical, and graphical errors, making it harder to
detect malicious emails.
Typosquatting
FortiGuard Labs has documented numerous typosquatting domains registered
around the Olympics that could be used in phishing campaigns. These domains
include variations on the name (oympics[.]com, olmpics[.]com, olimpics[.]com,
etc.). These are combined with cloned versions of the official ticket website,
leading users to fraudulent payment methods where they lose their money
without receiving a ticket. In collaboration with Olympic partners, the French
Gendarmerie Nationale has identified 338 fraudulent websites claiming to sell
Olympic tickets. According to their data, 51 sites have been shut down, and
140 have received formal notices from law enforcement.
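A defender can triage newly observed domains for this kind of name variation with an edit-distance check. The sketch below is an added example, not code from Fortinet or the article; the function names, the `BRAND` constant and the `.example` domains are assumptions made for illustration, and it assumes a single-label TLD.

```python
BRAND = "olympics"  # label under watch, taken from the domains quoted above

def refang(indicator: str) -> str:
    """Convert a defanged indicator such as name[.]com to a lowercase hostname."""
    return indicator.strip().lower().replace("[.]", ".").rstrip(".")

def osa_distance(a: str, b: str) -> int:
    """Edit distance where insert, delete, substitute and adjacent swap cost 1 each."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify(indicator: str, brand: str = BRAND, max_dist: int = 1) -> str:
    """Classify the label left of the TLD (assumes a single-label TLD)."""
    labels = refang(indicator).split(".")
    label = labels[-2] if len(labels) > 1 else labels[0]
    if label == brand:
        # Same label; check the full name against the official allowlist separately.
        return "exact"
    tokens = [t for t in label.split("-") if t]
    if brand in tokens:
        return "contains-brand"  # brand used as a hyphenated keyword
    if tokens and min(osa_distance(t, brand) for t in tokens) <= max_dist:
        return "lookalike"
    return "unrelated"

# The first three names are the examples from the article; the rest are constructed.
SAMPLES = ["oympics[.]com", "olmpics[.]com", "olimpics[.]com",
           "olypmics.example", "olympics-tickets.example",
           "olympia.example", "weather.example"]

def triage(indicators, max_dist: int = 1) -> dict:
    """Map each indicator to its verdict."""
    return {name: classify(name, max_dist=max_dist) for name in indicators}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{verdict:15} {name}")
```

Raising `max_dist` to 2 catches more variants but also flags unrelated words such as the constructed `olympia.example`, so a wider threshold needs an allowlist of known-good names.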
Lottery Scams
Additionally, several Olympic Games-themed lottery scams have been identified,
many impersonating major brands like Coca-Cola, Microsoft, Google, the Turkish
National Lottery, and the World Bank. The primary targets for these scams are
users in the U.S., Japan, Germany, France, Australia, the U.K., and Slovakia.
There has also been an increase in coding services for creating phishing
websites, bulk SMS services for mass communication, and phone number spoofing
services. These offerings can facilitate phishing attacks, spread
misinformation, and disrupt communications by impersonating trusted sources,
potentially causing significant operational and security challenges during the
event.
Infostealers
Information stealer malware is designed to stealthily infiltrate a victim’s
computer or device to harvest sensitive information, such as login
credentials, credit card details, and other personal data. Threat actors
deploy various types of stealer malware to infect user systems and obtain
unauthorized access. Initial access brokers can further leverage this
information to execute ransomware attacks, causing substantial harm and
financial loss to individuals and organizations.
Data indicates that Raccoon is currently the most active infostealer in
France, accounting for 59% of all detections. Raccoon is an effective and
inexpensive Malware-as-a-Service (MaaS) sold on dark web forums. It steals
browser autofill passwords, history, cookies, credit cards, usernames,
passwords, cryptocurrency wallets, and other sensitive data. It is followed by
Lumma (another subscription-based MaaS) at 21% and Vidar at 9%.
Vigilance is Needed
While the Paris Olympics 2024 is a celebration of athleticism and
sportsmanship, it is also a high-stakes target for cyberthreats, drawing
attention from cybercriminals, hacktivists, and state-sponsored actors.
Cybercriminals are leveraging phishing scams and fraudulent schemes to exploit
unsuspecting participants and spectators. Fake ticketing platforms, fraudulent
merchandise, and identity theft tactics threaten financial loss and undermine
public trust in event-related transactions.
Due to France’s political stances and international influence, the Paris
Olympics 2024 is also a prime target for politically motivated groups. It is
anticipated that hacktivist groups will focus on entities associated with the
Paris Olympics to disrupt the event, targeting infrastructure, media channels,
and affiliated organizations to undermine credibility and amplify their
messages on a global stage.