The coming Paris Olympics and other major sporting events are tempting targets for cybercriminals and hacktivists looking to fatten their wallets, promote causes or pilfer secrets, federal security officials warn.
A Canadian Centre for Cyber Security bulletin published Friday says criminals operating online will very likely try to extort organizations involved in — or located near — major sporting events.
Cybercriminals will also likely try to ensnare individuals, including spectators, through phishing emails and malicious websites, the centre says.
Promises of discounted merchandise, free event tickets or access to a livestream of sporting events can be used to take advantage of people.
During the Olympics in Tokyo, sites prompted users to enter personal information to access event broadcasts, the bulletin notes. "One webpage posing as a television broadcasting schedule also tricked users into allowing browser notifications, then spammed them with malicious advertisements."
Big organizations generate large amounts of personal and financial information through their operations that cybercriminals can attempt to sell through "dark web" marketplaces or use later in scams, the bulletin says.
"Smaller businesses may not normally be targeted by cybercriminals to the same extent as larger organizations. However, we assess that their proximity to major international sporting events very likely makes them more desirable as targets for extortion."
It says this is especially true for the travel and hospitality sectors, which see a boost in online traffic due to events, increasing the amount of sensitive information they store.
The centre highlights a 2020 ransomware attack on an English football club that encrypted nearly all of its devices, paralyzing email, security cameras and turnstiles. Although the club refused to pay the demanded ransom, the disruption still proved costly.
Big sporting events provide an opportunity for hacktivists to widely promote their causes through website defacements, denial-of-service attacks and hack-and-leak operations, the centre points out.
"For example, the anti-government protests in France regarding controversial changes to the minimum pension age is likely a motivation for domestic hacktivism against the 2024 Paris Olympics."
It also warns that state-sponsored cyberthreat actors could target high-profile individuals and organizations involved in events with the aim of collecting sensitive information or gathering foreign intelligence.
While at a hotel in Rio de Janeiro, an International Olympic Committee official logged into the World Anti-Doping Agency database, the bulletin says. Their credentials were then stolen by Russia-backed threat actors and used to export large amounts of data.
"The compromise disclosed personal information, undermined public trust in WADA and affected Canadian athletes, including four members of Canada's women's soccer team."
The Cyber Centre encourages attendees, athletes, government officials and organizations associated with major international sporting events to take "appropriate measures to protect their systems."
This report by The Canadian Press was first published May 31, 2024.