Radio Sputnik discussed this with Troy Hunt, Pluralsight Author, Microsoft Regional Director and Microsoft Most Valuable Professional for Developer Security.
Troy Hunt: This is the same sort of problem we see after things like natural disasters, terrorist attacks or anything else which is a big news story that draws people into a location. And very often we’ll see the allure of something like the ability to watch the World Cup live being used as bait, if you like, and that might then result in things like requests for people’s credentials.
Troy Hunt: I think “draw” is a key word there; it’s something that’s attractive to people and you’ll find fraudsters offering access to the World Cup. You mentioned the wedding, even possibly having access to the wedding information or something which entices people to come and perhaps offer information that they wouldn’t have normally offered if they weren’t being enticed by something so attractive.
Sputnik: Is there any data on how cyber criminals have been using the FIFA World Cup in Russia this year for their malicious needs?
Troy Hunt: I haven’t seen anything quantifiable on the World Cup, but it’s a very common pattern: where there’s some major international event or newsworthy story, fraudsters will use it because they know people are going to be looking for it. Perhaps in the case of something like the World Cup people are a little bit excited about the event and might take some shortcuts in the sense of security and provide information that they wouldn’t normally do, because they’re so keen on the event.
Sputnik: What can be done by authorities and security companies regarding the security of fans during this tournament online?
Troy Hunt: Frankly, a lot of this comes down to education because, particularly when we get to things like phishing, whether they be phishing emails or phishing websites, this comes back to people making sensible decisions about how they make trust decisions. So who are they going to give information to? Who are they going to perhaps hand over passwords to and sometimes even hand over money to? All the hard technical controls in the world, things like antivirus or flagging phishing sites, only go so far as long as we are susceptible to suggestion, which a lot of these fraudsters use.
Troy Hunt: I think, to the point that we’re living in 2018, we should be getting better at this stuff. On the one hand that’s true; on the other, we’re also connected in that there are so many instances where online services are asking for extra information. Frankly, it can be very difficult to tell phishing attacks from real, legitimate requests for information: banks requesting information in ways which, to me, smell completely like a phishing attempt.
Troy Hunt: In terms of whose responsibility it is, it’s a shared responsibility. We’re increasingly seeing cyber security training in corporate environments; we’re seeing governments around the world getting better and better at providing information to people about the signs of phishing attacks and fraudulent activity. And we are seeing hard controls improve as well, so we’re seeing phishing sites getting flagged very early by the likes of Google Chrome; many people have probably seen the big red page saying ”this is a phishing site, leave now.”
Troy Hunt: So we’re trying to improve at different levels, but as much as we do a good job there, fraudulent activity gets more and more sophisticated as well. What we’ve got to do, in the case of things like PayPal phishing emails: if you get an email allegedly from PayPal telling you that some sort of action is required, don’t click the link. Go to your web browser, type in paypal.com, go into your account and see what’s on there. And what all the institutions have got to do is give people the education and even the opportunity to do independent verification of these messages.
Troy Hunt: A really good example of verification: I’ve had American Express call me up before and say, “We’re American Express, we’ve had a fraudulent transaction and we need to confirm your identity,” and when I challenged them on it, they said, “Well, turn over your card and call us on the phone number on the back of your card.” That’s just fundamentally simple, that’s something that everybody gets, and it is an independent means of verifying the authenticity of the caller.