As the Olympic flame draws ever closer to Rio, cyber criminals are making their final preparations for the 2016 Summer Games. And they hope to score big by hacking people’s digital devices to steal account numbers, passwords and PINs, and possibly intercept email containing sensitive information, experts say.
“These are highly-organized criminal gangs who are building their teams, developing more sophisticated attacks, so that when new targets come into the region, they’re ready,” said Caleb Barlow, vice president of IBM Security. “Any time you have a large group of people involved in some type of event where they will want to click on things, try new things, download new apps and have new experiences, that’s a major opportunity for the bad guys.”
Brazil is one of the top players in global cybercrime. In fact, it’s number 10 on the list of countries that originate the most malicious activity, according to Symantec’s 2016 Internet Security Threat Report.
Kevin Haley, director of product management for Symantec Security Response, told NBC News that Brazilian cyber thieves tend to focus on banking Trojans, malicious software designed to steal user names and passwords to financial accounts.
“Your risk on a computer is greater than when you’re at home, because you don’t have all the security protection, like that firewall in your router,” Haley said. “If you’re going to the Games, you need to take the steps necessary to protect your devices when you go online.”
The dangers of using Wi-Fi in Rio
There are plenty of Wi-Fi hotspots in Rio, but you should not assume any of them is secure. Kaspersky Lab recently reported that a quarter of all Wi-Fi networks around the Olympic venues in Rio are not secure.
Researchers drove around the city to assess the security of the networks visitors will encounter, including those at Olympic Park and three major stadiums. They mapped more than 4,500 unique access points near the game venues.
Eighteen percent of the Wi-Fi access points that a tourist might use were “open” — meaning data sent and received using them is not encrypted. Seven percent used an obsolete security protocol (WPA Personal), which is easily compromised to steal personal and financial information.
Dmitry Bestuzhev, head of Kaspersky Lab’s global research and analysis team in Latin America, told NBC News he “found it concerning” that people could connect to a compromised network believing it to be secure.
“You would never know if that Wi-Fi connection is secure or insecure. It looks like a normal network,” Bestuzhev said. “All of the information sent on these compromised networks can be easily intercepted by a malicious person sitting on the same network, maybe just drinking a cup of coffee or sitting nearby in a parked car. That person could read all of your sensitive information, such as user names, passwords, messages and so on.”
Kaspersky advises anyone attending the Olympics to use a VPN (Virtual Private Network) — technology that encrypts the data going to and from your device — even if they believe the Wi-Fi connection is secure.
“Using a VPN while in Brazil is a must,” Bestuzhev said. “Even if someone is able to compromise the Wi-Fi network, they won’t be able to access your data without knowing the key to decrypt the message.”
You don’t have to go to Rio to be targeted
Cyber crooks around the world will also try to cash in on the excitement of the Olympics by targeting people who aren't even at the Games. All they need to do is launch a successful scam that takes advantage of the Olympics in a catchy email or social media post.
To get their malicious software onto as many devices as possible, they’ll create fake apps, websites, offers and deals. And they know how to optimize search engine rankings to get people to visit their fake sites.
“I think we’re going to see a huge uptick in all kinds of Olympic-related scams delivered to your mobile device and desktop via email. It’s a no brainer for the bad guys,” said Neal O’Farrell, executive director of The Identity Theft Council.
Cyber crooks are very good at getting people to do things we all know we should not do: click on links, open attachments and download stuff from unknown sources. Their messages pique our interest and encourage us to respond without thinking about the consequences.
“It’s going to be something titillating, something they know you’re going to be interested in and there’s going to be a sense of urgency for you to find out right away,” O’Farrell said. “So you put your suspicion on hold for just a second and that’s when they get you.”
Scammers have been sending out emails in one scam related to the Rio Olympics for more than a year now. Most of this spam claims the recipient has won free tickets in a lottery organized by the International Olympic Committee and the Brazilian government, according to a recent scam alert from Kaspersky Lab. The bogus message tries to convince victims to reply and provide personal information to receive their prize.
The most dangerous threat so far comes from fake ticketing services for the Rio Games. These fraudulent sites are designed to steal credit card and bank account information. Kaspersky says the malicious ticketing web pages they’ve discovered have been very well-made.
“Fraudsters often buy the cheapest and simplest SSL certificates, which allow secure connections between a web server and a browser and provide ‘https’ at the beginning of the address bar,” the Kaspersky scam alert bulletin advises. “This makes it harder for users to distinguish fake pages from the official Olympic ticketing services.”
In other words: Seeing https and the lock symbol on the address bar indicates the connection is secure, but it might be a secure connection to a scammer.
There’s a simple way to reduce your risk of getting burned by this sort of fraud: Never buy anything related to the Olympics at online stores that advertise via spam.
Resist the urge to respond to the unknown — no matter how appealing.
“Be skeptical of anything you see that comes through an email or social media message that wants you to click on a link or watch a video,” warned Kevin Haley with Symantec Security Response. “It’s more than likely trying to get you to go to a malicious website or to download malware.”
Anyone travelling to the Rio Games runs the risk of being hacked and needs to take appropriate precautions.
A new public service campaign from the U.S. National Counterintelligence and Security Center explains what to do in a video: Know the Risk; Raise Your Shield. Cut down on the number of devices you bring along, consider a disposable phone, and perhaps set up a throw-away email account that you'll only use when you're overseas, the campaign advises. Those steps can go a long way toward keeping your personal and work info stored on your regular devices out of the clutches of hackers.
Make sure you have a password on your mobile phone. It’s estimated that about a third of all Americans don’t password-protect their mobile phones. If your phone is lost or stolen without a password, a thief has access to everything on it.
Last week, Norton released a new mobile app that’s designed to shield personal information from hackers snooping on unsecured wireless networks. The Norton WiFi Privacy app ($29.99 yearly subscription) is available for Android and iOS devices.