FIFA acknowledged this week that its computer systems were hacked earlier this year for the second time, and officials from European soccer’s governing body fear they also might have suffered a data breach.
UEFA officials were targeted in a so-called phishing operation in which third parties fool their targets into giving up password-protected login details, though the organization has been unable to find traces of a hack in its computer systems.
Commenting on the news are the following security professionals:
Rob Shapland, Principal Cybersecurity Consultant at Falanx Group:
“The hack on FIFA appears to have been a very common phishing attack that tricks users into entering their password into a fake version of a website that they recognise, such as Microsoft Outlook. Preventing such attacks requires a multi-level approach, using email defence software to filter out emails that have links masquerading as legitimate sites, combining this with awareness training for staff so they know what to look out for, and regular controlled phishing tests to educate staff on the types of tactics used by nation states and cyber criminals. FIFA may not have been using this approach due to cost or lack of knowledge on how to defend, or it’s possible they just got unlucky and the email bypassed their filters and a staff member clicked the link.”
Paul Edon, Technical Director (EMEA) at Tripwire:
“Hackers are getting ever more creative when it comes to fooling users, and this attack on FIFA is evidence of that. Phishing campaigns are extremely popular and aim to dupe people into giving away personal and financial information, which is why individuals should be vigilant of the links and attachments sent to them. If you believe it could be suspicious then avoid interacting. However, malicious cybercriminals are preying on human naivety, which is why these attacks continue to be successful. Granted, it is becoming more difficult to track malicious attackers as they are getting better at mimicking valid content from reputable organisations. The best way organisations and individuals can help avoid future attacks is through education programs; understanding the risks and consequences of clicking unknown links and attachments is a critical defence against phishing-type attacks. Regardless of whether you believe the email to be legitimate or not, never click on inbuilt links. Always open your own web browser and log in to your account on the official website. If there is a legitimate requirement for you to update or re-enter information, it should be referenced within your specific account instance.”
Javvad Malik, Security Advocate at AlienVault:
“While details are unclear at this time as to the exact nature of the breach and targeted information, FIFA suspects legitimate credentials were obtained through phishing users. In such cases, raising awareness of the dangers of phishing to staff is the best first step. In addition, threat detection controls such as behavioural monitoring which can indicate when user activity deviates from the norm can be used to identify compromised accounts.
Nation-state actors are resourceful, and it creates an asymmetric playing field where the attackers often have the advantage of time to understand and work their way into an organisation. So, preventative measures may not always be effective. However, having strong detection controls in place can allow companies to identify where an attacker may have got in, and take the appropriate measures quickly to minimise the harm.”
Ross Rustici, Senior Director, Intelligence Services at Cybereason:
“This is not the first, nor is it likely the last time we will be discussing a breach of FIFA systems. Its global prominence and history of scandal make it an enticing target for hackers. Known hacks against their networks range from hacktivists to Russian nation state actors. This latest incident is a reminder that cyber security must be front and center of any risk planning. Given the nature of the incident thus far, it appears the primary goal is to embarrass FIFA by leaking information directly to journalists which would be an evolution in how the groups in the past have dealt with the data they stole. Both Football Leaks and the Russian government have traditionally chosen to publicly release the information to ensure that embargoes and balanced reporting don’t undermine the salacious nature of the information being presented. With the outcome of the bidding for the 2018, 2022, and 2026 World Cups being as contentious as they were, I’m sure football fans across the world will have some interesting gossip to read if the leaks become public. However, at the end of the day, that is likely all this hack is.”
Simon McCalla, CTO at Nominet:
“Phishing is one of the oldest tricks in a hacker’s book as it exploits human weaknesses, preying on users who don’t think to check the validity of an email with the original sender. It’s imperative that organisations – large and small – have the right processes and systems in place in order to exercise improved diligence when it comes to stopping phishing attacks.
“To reduce the risk of users clicking on the ‘near to’ domains used – such as replacing john@fifa.com with john@fi-fa.com – deploying a robust anti-phishing system will absolutely help, but you can’t rely on defence systems alone. It’s important to educate users on the dangers of phishing and how to spot suspicious emails too. It’s also essential to instil a culture of security, where staff are encouraged and enabled to check anything that they’re not sure about.
“Perhaps the most interesting aspect of this hack is that FIFA acknowledged they ‘had been unable to find traces of a hack in its computer systems’. This speaks volumes about how hard it is to detect data exfiltration techniques, which are often obfuscated to hide in the massive flows of traffic that leave organisations such as FIFA daily.
“Stricter rules, like GDPR in the UK, would have also expedited the disclosure of the breach, thus prompting extra care from businesses.”
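The ‘near to’ domain trick McCalla describes (john@fi-fa.com standing in for john@fifa.com) can be caught at the mail gateway by normalising the sender domain and comparing it against the organisation's own domains. The following is an added example written for this article, not code from any of the quoted vendors; the trusted-domain list and the homoglyph table are constructed assumptions, and input domains are assumed to be already decoded from punycode to Unicode.

```python
import unicodedata

# Constructed for the example: the domains this organisation legitimately sends from.
TRUSTED_DOMAINS = {"fifa.com", "uefa.com"}

# Constructed look-alike substitutions an attacker might use in a registered domain.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalise(domain):
    """Fold a domain to a canonical form so cosmetic tricks collapse onto the real name."""
    d = unicodedata.normalize("NFKD", domain.lower().strip())
    d = "".join(c for c in d if not unicodedata.combining(c))  # strip accents: í -> i
    d = d.replace("-", "")                                      # fi-fa.com -> fifa.com
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)                               # f1fa -> flfa, etc.
    return d


def levenshtein(a, b):
    """Edit distance; one insertion/deletion/substitution catches fifa.co or fiifa.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address):
    """Return 'trusted', 'lookalike' or 'unrelated' for the domain part of an address."""
    domain = address.rsplit("@", 1)[-1].lower().strip()
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    norm = normalise(domain)
    for trusted in TRUSTED_DOMAINS:
        t = normalise(trusted)
        if norm.endswith("." + t):          # mail.fifa.com: a genuine subdomain
            return "trusted"
        if norm.startswith(t + "."):        # fifa.com.evil.example: brand as a prefix
            return "lookalike"
        if norm == t or levenshtein(norm, t) <= 1:
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    for sender in ["john@fifa.com", "john@fi-fa.com", "john@fifa.co", "john@gmail.com"]:
        print(f"{sender:28} -> {classify_sender(sender)}")
```

A 'lookalike' verdict is a quarantine-and-review signal, not proof of fraud, since a distance of one also matches some legitimate unrelated domains.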
Tim Sadler, Co-founder and CEO at Tessian:
“This hack on FIFA appears to be the result of a classic phishing scam in which an unassuming employee is duped into relinquishing their password details at the cost of their employer. Within an organisation that employs thousands of individuals like FIFA, there are thousands of human vulnerabilities for attackers to target and exploit and huge swathes of highly valuable data to exfiltrate.
To minimise the risk of falling victim to this phishing attack – and any other kind of phishing scam – it is important that FIFA’s employees are sceptical and vigilant. In other words, they should expect to be targeted by fraudsters and respond by treating any request for information or payment in their inbox as suspicious, particularly in the aftermath of this breach. It is also important that staff are trained on the characteristics of a phishing scam, how they operate and how they can financially and reputationally impact their organisation.
However, as FIFA have been hacked twice this year, and strong-form impersonation phishing scams are on the rise and proving increasingly effective, vigilance alone is not enough. The best defence against the rise of phishing, particularly in large organisations with thousands of vulnerable employees like FIFA, is a machine intelligent solution that automatically and comprehensively prevents attacks by analysing the context and content of inbound email. Only then can FIFA’s email networks be absolutely watertight and safe from the threat of phishing.”
Tony Richards, Group CISO at Falanx Group:
“While there are a number of security controls that can reduce the success of a phishing attack, well-crafted spear-phishing or whaling attacks can be hard to defend against, and if an attacker is using captured valid credentials, it will leave minimal traces of the hack.
However, it would seem that FIFA haven’t learned from the previous attacks and have not implemented sufficient security controls.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.