FIFA acknowledged this week that its computer systems were hacked earlier this year for the second time, and officials from European soccer’s governing body fear they also might have suffered a data breach.
UEFA officials were targeted in a so-called phishing operation in which third parties fool their targets into giving up password-protected login details, though the organization has been unable to find traces of a hack in its computer systems.
Commenting on the news are the following security professionals.
Rob Shapland, Principal Cybersecurity Cconsultant at Falanx Group:
“The hack on FIFA appears to have been a very common phishing attack that tricks users into entering their password into a fake version of a website that they recognise, such as Microsoft Outlook. Preventing such attacks requires a multi-level approach, using email defence software to filter out emails that have links masquerading as legitimate sites, combining this with awareness training for staff so they know what to look out for, and regular controlled phishing tests to educate staff on the types of tactics used by nation states and cyber criminals. FIFA may not have been using this approach due to cost or lack of knowledge on how to defend, or it’s possible they just got unlucky and the email bypassed their filters and a staff member clicked the link.”
Paul Edon, Technical Director (EMEA) at Tripwire:
“Hackers are getting ever more creative when it comes to fooling users, and this attack on FIFA is evidence of that. Phishing campaigns are extremely popular and aim to dupe people into giving away personal and financial information, which is why individuals should be vigilant of the links and attachments sent to them. If you believe it could be suspicious then avoid interacting. However, malicious cybercriminals are preying on human naivety which is why these attacks continue to be successful. Granted, it is becoming more difficult to track malicious attackers as they are getting better at mimicking valid content from reputable organisations. The best way organisations and individuals can help avoid future attacks is through education programs, understanding the risks and consequences of clicking unknown links and attachments is a critical defence against Phishing type attacks. Regardless of whether you believe the email to be legitimate or not, never click on inbuilt links. Always open your own web browser and log in to your account on the official website. If there is a legitimate requirement for you to update or re-enter information, it should be referenced within your specific account instance.”
Javvad Malik, Security Advocate at AlienVault:
“While details are unclear at this time as to the exact nature of the breach and targeted information, FIFA suspects legitimate credentials were obtained through phishing users. In such cases, raising awareness of the dangers of phishing to staff is the best first step. In addition, threat detection controls such as behavioural monitoring which can indicate when user activity deviates from the norm can be used to identify compromised accounts.
Nation-state actors are resourceful, and it creates an asymmetric playing field where the attackers often have the advantage of time to understand and work their way into an organisation. So, preventative measures may not always be effective. However, having strong detection controls in place can allow companies to identify where an attacker may have got in, and take the appropriate measures quickly to minimise the harm.”
Tony Richards, Group CISO at Falanx Group:
“While there a number security controls that can reduce the success of a phishing attack, well-crafted spear-phishing or whaling attacks can be hard to defend against, and if an attacker is using captured valid credentials, it will leave minimal traces of the hack.
However, it would seem that FIFA haven’t learned from the previous attacks and have not implemented sufficient security controls.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.