Fans around the world clamored online, and even in-person, over the past several weeks to enjoy the thrill of competition. From the Tour De France and EURO 2020 tournament in June to the recent Summer Olympic Games in Tokyo, fans were eager to cheer on their nations and make a little money in the process, too.
As fans placed their wagers on individual matches through online betting sites, Imperva Research Labs noticed a suspicious rise in bot activity on both sporting and betting sites, coinciding with these global sporting events. In addition to bot-driven comment spamming and content scraping, Imperva also monitored a rise in account takeover (ATO) attacks — designed to break into accounts and gain access to gamblers’ digital wallets — in the weeks leading up to and during these events.
EURO 2020 (11 June – 11 July 2021)
In the weeks leading up to the start of the EURO 2020 tournament in June, Imperva Research Labs monitored a 96% year-on-year increase in bot traffic on global sporting sites. In particular, UK gambling sites were heavily targeted by bot operators in the week before England and Scotland kicked off their respective campaigns. The days when the England national team played were particularly high risk, with account takeover (ATO) attacks – designed to break into accounts and obtain gamblers’ digital wallets – spiked by 2 or 3 times the daily average compared to other days during the tournament.
As a big betting nation, Australia also experiences these spikes around major sporting events including the AFL, NRL and the Melbourne Cup, according to Reinhart Hansen, Director of Technology, Office of the CTO at Imperva.
“The cyber criminals are targeting these events because of the monetary gain that can be had – whether it be stealing personal data for identity theft, or credit card information to conduct financial fraud. Gambling sites are a lucrative target for ATO attacks because user profiles often have financial information or even funds stored. Therefore, punters need to be extra vigilant when participating in online betting or gambling and practice good security like using strong passwords and using multi-factor authentication where possible.”
Tour De France (26 June – 18 July 2021)
In June, bot activity on sporting and gambling sites spiked 52% as the race was scheduled to begin. Bot comment spammers were pervasive, with traffic increasing 62%. The spammers took advantage of the interest in the event to post comments in Russian about an array of topics including: adult sites, crypto, coupons/discounts, casino sites and loans and investment opportunities.
Tokyo 2020 Summer Olympics (23 July – 8 August 2021)
During the first week of the Olympic Games, Imperva Research Labs monitored a significant spike in search engine impersonators. Incoming traffic to sporting sites saw an unusual 48% increase in Yahoo impersonators, 66% increase in Baidu impersonators and 88% increase in Google impersonators. As the Olympics rounded into week two of competition, the volume of browser impersonators grew by 103% above average. Bad bots typically masquerade as legitimate users by reporting their user agent as a web browser or mobile device to avoid being detected. The increase may be related to bots either crawling or scraping sites for real-time information.
More alarming was the large increase in web traffic throughout Japan coming from IPs known to perform account takeover attacks before and during the first week of the Olympic Games. ATO attacks grew 43% the week prior to the start of the Olympic Games, and spiked 74% during the first week of competition.
Also during the Olympic Games, Imperva mitigated one of the largest DDoS attacks so far in 2021. The large layer 7 DDoS attack targeted services hosting online gambling sites in Asia. The attack lasted for 40 minutes and generated a massive throughput of 1.02 terabytes per second (Tbps) and 155 million packets per second (Mpps). In the days following this event, Imperva also mitigated a second sizable attack which peaked at a bandwidth of 858 Gbps and 225 million PPS. This time the attack was longer, lasting two hours and targeted a specific network prefix (/24 C-Class address) with the attack spanning the entire range of IPs.
“DDoS attacks are really just another form of bot-based attacks that are often associated with ransom demands from cyber criminal groups. The goal is to disrupt a business and hinder or prevent them from transacting online with their customers. Cyber criminal groups will usually demonstrate their DDoS ability by launching a small attack against a target that coincides with a ransom demand. If the target does not comply with the ransom demand, a larger more impactful attack usually follows, often totally disabling an organisation’s online presence,” Hansen said.
Looking ahead to the Brisbane 2032 Summer Olympics
“While it is impossible to predict what the cyber threat landscape will look like in 11 years, what we do know is that it will be a lucrative target for cyber criminals. There will be an array of opportunities for them to exploit – from scalping tickets with bots, to using ATOs to steal personal and financial information, to ransom based attacks,” Hansen said.
“Just think about the recent cyber-attack on Channel Nine that effectively took them off the air. That is a very real scenario and could potentially happen during the Olympics, which means massive loss of revenue through advertising and broadcast rights. Continuous global network infrastructure uplifts providing higher Internet network bandwidth and easier access to it, along with an increase in compute power at the disposal of cyber criminals will only fuel the already prevalent and increasing use of RDoS (ransom based DDoS attacks).”