Source: Marcus E Jones via Shutterstock
The outcome of this year's Super Bowl matchup between the Kansas City Chiefs and the San Francisco 49ers on Feb. 11 at the Allegiant Stadium in Las Vegas will likely remain unknown until the last down of the game. But one thing that is already abundantly clear is that attackers will have no shortage of targets to blitz at the event.
The NFL's continuing digitization of almost all aspects of the event, from ticketing to gate access systems and virtually every other point of contact with fans, has opened new vulnerabilities and targets that its security team has had to secure. Concerns include threats to arena security, ransomware attacks on critical systems, phishing and credential theft, and threats to personal data and other sensitive information belonging to fans, NFL employees, players, and coaches.
Preparing for the Big (Security) Game
In a conversation with Dark Reading at the beginning of the 2023/2024 season, NFL CISO Tomás Maldonado had identified AI-enabled phishing attacks and deepfake audio and video scams as adding to the slew of other existing security challenges the league has had to contend with in general.
The NFL itself has been preparing for some time to identify and assess threats to the Super Bowl—easily the most watched TV event each year—and to implement plans for dealing with them. Last September, league officials in coordination with 100 other stakeholders, including the US Department of Homeland Security and the Cybersecurity and Infrastructure Agency (CISA), conducted a tabletop exercise where they ran through a series of attack scenarios that together had a cascading impact on physical systems supporting the event.
That exercise was part of an ongoing effort between the NFL and the other participants to prepare for whatever security challenge might surface at the game. Stakeholders added that the preparation will be especially key considering the heightened geopolitical tensions around events in the Middle East.
The Security Implications of Sporting Event Digitization
Karl Mattson, field CISO at Noname Security, views API-related security issues as likely a big focus for attackers this year, given the NFL's extensive digital transformation in recent years.
"API threats surrounding the Super Bowl come in three areas: the fan digital experience, advertising, and event infrastructure," Mattson says.
The most likely scenario, if an API-related attack were to happen, is a large-scale compromise of NFL fan personal information stolen, which may include authentication or biometric information, he notes. The digital fan experience of purchasing tickets, merchandise shopping, online betting, and other interactions all utilize services enabled by APIs. "Each aspect of a fan consuming the NFL's product involves the exchange of personal or payment information which can be exploited by an attacker who discovers a poorly controlled API," he says.
The same is true for advertisers who air commercials during the event, and set up a new website or service to field consumer response. Without first battle-testing them for a flood of visitors or DDoS efforts, the effort can fumble. Mattson points to the memorable 2022 Super Bowl ad by Coinbase that included only a bouncing QR code, which pointed viewers to a promotion website the company had set up for the ad. The website ended up crashing shortly after the ad aired because of the sheer volume of visitors.
Physical event-specific and public infrastructure to support the Super Bowl are also enabled by API-first technologies. The stadium's 5G network, local security and emergency services, and public utility systems all use API-based services for routine operations that attackers could potentially seek to disrupt, Mattson says.
Online Gambling: A Breeding Ground for New Scams
The rise of online gambling and sports betting opens up a new gridiron for cyberattackers. The phenomenon has created a breeding ground for new and evolving scams targeting events like the Super Bowl, says Stuart Wells, CTO at Jumio.
"A plethora of betting apps and websites are readily available at our fingertips, attracting a wider audience, including younger demographics more accustomed to digital interactions," Wells says. This accessibility, unfortunately, coincides with a rise in synthetic identity fraud, where criminals create fake identities using a false name and bits and pieces of stolen identity information — such as a real birth date and Social Security numbers.
"Synthetic identity fraud, in particular, can be tricky for gaming operators as it makes malicious actors extremely difficult to trace," Wells notes. "If an attacker can bypass defenses and operate under a synthetic identity, they may be able to operate undetected, meaning that operators might not catch a fraudster until a player's account has been manipulated or some kind of fraud has been committed."
Exacerbating the situation is the relative lack of privacy protections in many of the betting apps that people use to make wagers during events like the Super Bowl. A new study by data privacy company Incogni examined seven of the most popular betting apps; most of them are collecting and sharing private data extensively without proper disclosure.
The biggest data hog was DraftKings, which Incogni found was gathering 22 data points from users, including their precise location, contacts, messages, photos, and videos. Betting apps from Caesars, Sky Bet, and William Hill were relatively close behind, gathering 17 data points each, including precise location, in-app search history, health information, and purchase histories. Meanwhile, Caesars led the rest when it came to sharing the data it collects from user devices with third parties.
Super Bowl fans should also expect a surge of fake tickets and counterfeit merchandise in online marketplaces, tempting fans with jerseys, hats, and memorabilia that look real but are cheaply made and lack official logos, Well says.
"All of these scams are likely to make their way to consumers via phishing emails and texts. Consumers should proceed with caution and verify who they are doing business with before handing over any personal information or payment," he warns.
Business Risk From Unauthorized Streaming Sites
Ken Carnesi, CEO of DNSFilter, points to unauthorized streaming sites as a risk for organizations that let employees use unmanaged devices for work-related purposes. Data that the company gathered from its network over the last month showed a sharp increase in blocked sites with "NFL" in the domain name, he says.
"Traffic increased on our network during the playoffs, peaking on Jan. 28, the same day as the AFC and NFC championship game," Carnesi says. "Overall, from Jan. 5 to the peak on Jan. 28, it was a 125% increase in security-blocked traffic."
Risks to organizations that permit work-related devices for personal use without any controls include a heightened likelihood of malware infections and phishing attacks.
"Additionally, these streaming activities can create network vulnerabilities, with insecure channels and peer-to-peer connections posing risks to the organization's data integrity," Carnesi says. "Data exfiltration is also an increased possibility, potentially exposing sensitive company information from illicit sites collecting and misusing user data."