Posted by Taylor Armerding on July 12, 2018
Nobody with any connection to, or interest in, the FIFA World Cup can say they weren’t warned.
In the days leading up to the quadrennial world championship of European football (or soccer), security experts put the word out constantly that everybody involved—players, organizers, staff, and spectators (including those watching on TV or online)—would be a prime target for cyber attacks.
So it should be no surprise that with the month-long event reaching its climax—the semifinals this week, with the championship coming on Sunday—the efforts to use the event as leverage to trick participants and fans into falling for malicious scams are also in full swing.
Researchers at ClearSky reported recently that a spyware campaign dating back to January, aimed at members of the Israeli Defense Force (IDF), was repurposed to target World Cup fans with an Android app called Golden Cup.
In a report published in March titled Hamas’ Cyber Terrorism, the IDF blamed the militant Palestinian group for the original campaign.
Not that this is a major escalation. Cyber attack efforts have been at a fever pitch since before the games began. In the days leading up to the event, World Cup–themed spam email was flooding inboxes while fake webpages offered fake giveaways in an effort to steal money and personal information.
And Symantec researchers said Golden Cup is not terribly sophisticated. Roy Iarchy and Eyal Rynkowski noted on the company blog that it looked like a rush job, since the original campaign, which used seductive fake female Facebook profiles to try to get Israeli soldiers to download malicious apps named GlanceLove and WinkChat, had not been that successful.
Perhaps that’s because, according to the IDF, the fake seducers had lousy Hebrew, which they tried to explain by saying they were recent immigrants.
“We assume [Golden Cup] was rushed because, unlike GlanceLove, it lacked any real obfuscation,” they wrote.
Rush job or not, Golden Cup, which offered users streaming services and a scores hub, made it past Google’s security screening into the Google Play Store, using what the Symantec team said was a phased approach in which the developer doesn’t add any malicious elements until after the app is live in the store.
This, noted Steve Giguere, lead sales engineer with Synopsys Software Integrity Group, makes it especially tricky for fans to avoid.
“The traditional warnings about not downloading applications from third-party sources fall by the wayside in this case, as even victims vigilantly using only the Google Play Store are vulnerable,” he said.
“The attackers have essentially used a legitimate app, which does appear to do what it says from a pure features perspective, simply as a pivot point to gain access to the Android device, after which further additional malicious payloads are downloaded, turning Dr. Jekyll into Mr. Hyde.”
Since the ClearSky report, Google has removed Golden Cup from the Play Store, which should eliminate most of the threat. But its existence confirms the warning William Evanina, an FBI agent and director of the U.S. National Counterintelligence and Security Center, issued last month at the start of the games. He told Reuters that for those planning to attend the event, if there was ever an opportune time to disconnect from the World Wide Web, this would be it.
He said any electronic device—mobile phone, tablet, laptop, PDA—would likely be hacked either by criminals or by the Russian government.
He acknowledged that high-profile people—corporate and government officials—would be the most attractive targets, but that anybody and everybody is a target.
“If you can do without the device, don’t take it. If you must take one, take a different device from your usual one and remove the battery when not in use,” he said.
Of course, Golden Cup was trying to ensnare Android users anywhere—not just those attending the World Cup. And victims who were fooled by the pitch likely had their devices, and in some cases themselves, turned into an open book.
As Keumars Afifi-Sabet put it in the U.K.’s IT Pro, “the spyware’s functions span from collecting more information about the devices to recording phone calls. The attackers can track location, upload images and video files, upload contacts information, upload SMS message history, record audio using the microphone, and use the camera to capture bursts of snapshots.”
Most of the threat has now been eliminated. Besides Golden Cup being removed from the Play Store, the IDF said the campaign against its soldiers has been exposed. But for those who fell for it, that is obviously locking the barn door too late.
And it should serve as another warning to be hypervigilant about your online activities if they are associated with any high-profile event.
In a recent post on IT ProPortal, Giguere offered a few reminders on how to stay safe:
“Treat your digital information and property like you would physical property. You lock your door and set the alarm before you leave the house, right? You probably don’t make it a habit to leave your wallet on display. You may even have a fire extinguisher and a smoke alarm if you’re particularly mindful.
“These activities are all normal to us. Applying the same level of pro-active security to cyber-threats is a long way from common knowledge, but protecting yourself from cyber threats starts with understanding the threats better and using basic things like password managers, email scanning software that alerts you to phishing emails, and being very wary of any software you allow to run on your phone that asks for permissions you aren’t familiar with.
“Finally, keep your devices and software up to date.”
Get the latest AppSec news and trends sent directly to you.