CyberWire Daily - Olympic scammers go for gold. [Research Saturday]
Episode Date: July 20, 2024
This week, we are joined by Selena Larson, Staff Threat Researcher, Lead Intelligence Analysis and Strategy at Proofpoint, as well as host of the "Only Malware in the Building" podcast, as she is discussing their research on "Scammers Create Fraudulent Olympics Ticketing Websites." Proofpoint recently identified a fraudulent website selling fake tickets to the Paris 2024 Summer Olympics and quickly suspended the domain. This site was among many identified by the French Gendarmerie Nationale and Olympics partners, who have shut down 51 of 338 fraudulent websites, with 140 receiving formal notices from law enforcement. The research can be found here: Security Brief: Scammers Create Fraudulent Olympics Ticketing Websites
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts
tracking down the threats and vulnerabilities, solving some of the hard problems,
and protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
So at Proofpoint, we have something of a tiger team I'm leading
that we want to really focus on upcoming major events
that will likely be used across the threat landscape
for phishing wars, social engineering, things like that. And one of these is the Olympics. We also have the elections, of course, multiple different elections coming up. So we really wanted to generate some hypotheses around how threat actors are going to be using these major events in potential attacks.
That's Selena Larson, staff threat researcher and lead for intelligence analysis and strategy at Proofpoint.
The research we're discussing today is titled Scammers Create Fraudulent Olympics Ticketing Websites.
So we generated some hypotheses and one of the hypotheses was it's likely that scammers are going to try and capitalize on the Olympics by creating fake ticketing websites. We do see that with many major sporting events, other types of events as well. I was literally Googling Paris 24. And I was just like, you know, like Paris 24 tickets.
How, you know, this might have actually just been a personal Google of mine.
I might not even have been in researcher mode.
And something came up and I was like, whoa, wait a second.
This looks weird.
And so there were, you know, two sponsored posts.
The first, of course, was the legitimate Paris Olympics hospitality site where you can buy your tickets.
And the second was this kind of suspicious looking website, paris24tickets.com.
Well, I mean, let's dig into that because I think, let me push back a little bit because you say, of course, the official one comes up first.
That's not a given anymore, is it?
You're right.
You know, that's a good point.
I shouldn't say, of course, I shouldn't say, of course.
It was, in this case, the first official site.
Yeah, I mean, SEO poisoning,
search ads that are bought maliciously
or to fraudulent websites.
These are techniques that are used by threat actors.
We often see it with fake software downloads,
for example, right?
Like a threat actor might buy ads
pretending to be a legitimate software
and an unsuspecting user will click on the sponsored post before they scroll down
in the feed, right? And then they might get led to a malicious website. So in this case, it was
immediately suspicious because as I know, there's only one place to legitimately buy
Olympic tickets and that is the official Paris website. So this kind of made my brain go, huh, what's this?
Yeah. And I can see people having a little fuzziness on that because in a world where we have
things like StubHub and these quasi-official marketplaces to sell, resell, buy and sell tickets, right?
It's not always so straightforward.
Yeah, I think Paris Olympics has done a pretty decent job in terms of advertising on all of its official pages.
Like, this is where you buy tickets.
They are really trying to combat fraud and combat people accidentally stumbling into fake secondary marketplaces or potentially fraudulent secondary marketplaces.
The ticket marketplace and ticket resale industry is kind of interesting because
sometimes you might have a scammy site that does end up providing maybe one of a package of five
tickets that you bought. Or
they'll send you something that looks authentic, but you get to the stadium and try and scan your
code and they're like, that doesn't work. It was really interesting because while I was conducting
this research around the Olympics, I saw a number of reports about related websites that were
fraudulent or scammy ticket sites. You have, for example,
Liverpool Football Club on its official website has a list of like, beware of these websites.
There's a lot of work that's being done from official sports organizations, from Paris
Olympics and its partners to be like, communicate that, hey, this is out there.
There's also a lot of conversation and discussion happening on Reddit, for example.
That is a lot of conversations about scams in general. But you see sort of like ticket scams as being discussed there as well. So as a user, it's always really good if you're not sure if
something is legitimate, right? You have Ticketmaster and StubHub and we know these
brands. But if something comes across your feed, like this is a little bit weird, I don't recognize
it. Googling it, looking around and seeing other people be
like, oh, I tried to get tickets from this website and it didn't work. That's usually a really good
indicator of avoid that website. Use the official one for your ticket purchases. Yeah. I mean,
it's a really good point. And I think, you know, in today's world where most ticketing is done electronically and so you have some kind of a QR code to get you into the event.
If I'm a scammer and I take all your information and I take your money and I send you a QR code that looks like the real thing that, you know, in reality Rickrolls you or something like that.
You know, like chances are I'm not going to know until I get up to the gate ready to go into the event that
that ticket is no good. Yes. Yes. Unfortunately, that has happened. And on some of the forums that
I was looking at that you can kind of like report scams, report these fraudulent sites.
I thought it was kind of funny that one person who unfortunately got scammed said,
I didn't know it was fake until I tried to get into the stadium. They told me it was fake and thank goodness I didn't
get arrested. So this person was a little bit worried that they might get in trouble
with the law because they were trying to go to this game and didn't realize.
That escalated quickly.
Yes, exactly.
Huh. Well, I mean, let's dig into this specific one here.
So, I mean, suppose I'm somebody who I'm looking for tickets to the Olympics.
I see this ad.
Seems like a good thing to me.
I click on it.
What comes up in my browser?
So, they did a really nice job of looking like a legitimate ticket site.
At the top of the screen, it says, we're a secondary marketplace for sports and live events tickets. They have a bunch of graphics that are associated with each other, potential sports that
you could buy things from. There's apparently a buyer login and apparently a seller login.
And when you click on one of the sports, it'll pop up how many do you want, what type of tickets,
the price range. So they do a decent job in terms of the homepage when you click on the tickets
page. But if you click around a little bit more on the website, that's where things get a little
bit more suspect. So we didn't include this in the blog, but visiting the about page doesn't
have very much information. There are a few typos on the about page. The contact information is a
WhatsApp phone number. And that's a red flag.
Yeah, yeah.
So while, you know,
from the outside, if you're window shopping,
it looks pretty good.
But once you kind of go into the store
and open the doors and look around,
you can kind of see some of,
you know, characteristic red flags
for things that might suggest
it's a scam.
The misspellings,
the sort of, you know,
once you go further
than just individual, the landing page and the individual sports, you can kind of see, oh, this looks a little suspicious. Because of course,
you know, with legitimate websites, they'll have customer service, they'll have, you know,
a contact that isn't just a WhatsApp account or a random email address. And there will be more
ways for you to, you know, engage with the platform. But yeah, I mean, they do typically,
these types of websites,
try and make it look legitimate,
try and sort of potentially copy
something like a StubHub
that people would be used to visiting
to buy their tickets.
And so they will try and make it
look as believable as they can.
We'll be right back.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like
Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist,
Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta
when you go to vanta.com slash cyber.
That's vanta.com slash cyber
for $1,000 off.
Is there anything suspect about the domain itself?
I mean, were you...
It's paris24tickets.com in this case. I mean,
that doesn't throw up any huge red flags to me, but did you all look around to see if this was
popping up in other places? So we didn't see it beyond what we suspect is distributed via
search engines. So when someone Googles it, it might pop up as an ad or it might pop up as high up in SEO as the search results. But it was interesting because it was registered fairly
recently. So if you look at the history of the domain itself, it was registered back in March
of 2024. So of course, something that would be a more legitimate ticketing site would have
a lot of longevity. Of course, the Paris Olympics have been planned for years.
So that's a little bit suspicious. Also, when we were looking at when the site was live
and available to be perused, there was overlap with some infrastructure of another suspected
ticketing website. And this ticketing website, we did Google around a little bit and it had
many, many, many fraudulent reports. We saw hundreds of complaints on various
scam reporting websites claiming users never received tickets they paid for. They only received
one of a bundle of tickets or, like I said, they received these fake tickets. And so seeing some
of that overlap with the Paris tickets suggested that this is probably not an authentic website.
This might be something that these, you know, in scam reports and from various sporting organizations saying,
look out for these domains. These aren't authentic. The only way to buy tickets is
through our official website. So it's definitely something to watch out for.
And it's really also worth noting too, just before we published our research,
the French Gendarmerie Nationale, in their efforts in collaboration with
Olympics partners, they actually published details
that they identified over 300 fraudulent
Olympics ticketing websites.
They were able to shut down
a few dozen of those, and
others had received sort of formal notifications
from law enforcement. So
law enforcement, the Olympics folks,
people are looking into this. And so it was great
to see that that was published in various French websites about how a lot of these efforts are focused on fraudulent ticketing.
They're really looking out for the Olympics ticket holders.
They want to make this a really great experience.
And for those of you that are interested in buying tickets, beware of these sites.
And there is, of course, the official Olympics website to purchase those.
Yeah.
Part of what's frustrating here is that it's not like you have to go digging into the back alleys of the Internet to find this website. When we started here, this is the second thing that pops up
if you do a very broad, innocent Google search
for the Paris Olympics.
I mean, to me, just that is kind of maddening itself.
I think we're in an interesting space right now
where threat actors are using a lot of different methods
to distribute fraudulent content.
Of course, malicious ads are
one thing, SEO poisoning. You have things like fake updates, so compromising legitimate websites
with malicious web injects to deliver malware. So there's a lot of things that threat actors are
using that appear benign or appear legitimate,
but are actually malicious.
And so unfortunately,
a reality of life as a digital native is that you have to be really mindful
of what you're clicking on.
And if you are looking for something very specific,
make sure that you're only visiting trusted websites.
Of course, a search of Paris 2024 or whatever,
unfortunately showed something
that wasn't a legitimate website.
But if you scroll past the sponsored ads,
then you really land on,
okay, this is the Paralympic and Olympic 2024 games in Paris
and have all the information you need.
But yeah, it's really important
to be mindful of a lot of this.
And unfortunately,
we can fall into some of these traps very easily if we're not really paying attention, if we're just kind of clicking on things, minding our own business, going about our day to day.
It's very similar to what we see with social engineering and emails, trying to make something look believable so you'll engage with the content and send money or data or something that you shouldn't to a threat actor.
It's very interesting.
And I honestly was kind of surprised too.
I was like, this is weird.
But I guess this is just what it is.
And especially around major events like the Olympics, you're going to see fraud occur.
Yeah.
How do you rate the sophistication of this particular group compared to others that you've seen?
Well, in this particular case, we didn't dive into the who behind it.
But in terms of the setup of the website, the association with other likely fraudulent or suspicious websites, they do put some effort into making this look legitimate.
However, if you do kind of push beyond the window dressing, it doesn't have the ring of authenticity that you might see from
some very, very well-designed websites. You have, you know, like I mentioned, a lot of the
misspellings, the grammatical errors, the WhatsApp contact, things that, you know, they appear to
have copy pasted some language from potentially other fake ticketing websites on their website.
So I think, you know, it wasn't really that sophisticated.
But it is notable that, you know, they are appearing or were at this point appearing in advertisements.
But I think, you know, with vigilance and hopefully work, you know, threat researchers, the folks working on the Olympics, law enforcement can do due diligence
and get some of these things taken down.
Yeah.
What are your recommendations then?
I mean, for folks to best protect themselves
against this, what should they do?
So it's so important
that if you are buying tickets to the Olympics,
go to the legitimate website
that is there for that purpose.
They have a note on there that only the Paris Olympics website is available for people interested in purchasing
tickets. But in general, if you're looking for something like Taylor Swift or Coldplay or some
very popular artists or sporting event or something that tends to be a very high interest, high value type of event,
you really want to make sure that you are purchasing tickets through the legitimate
websites. And a lot of times that is going to be through a reseller like Ticketmaster or StubHub.
But if you go to the website of the organizations that you're interested in watching, like I
mentioned, Liverpool FC or any other sort of sporting franchise,
navigate to their website and see where do they recommend I buy tickets.
Because oftentimes Googling around things,
you might fall into some traps.
Oftentimes you'll see too good to be true,
so to speak, offerings for a lot of these things.
And typically, if it sounds too good to be true,
it really is.
So really be mindful, go to the authoritative sources.
Make sure that if you see something that's a little bit sketchy, Google around.
See if other people are reporting on the domain being sketchy or scammy.
And chances are you'll have some good luck staying safe if you sort of follow these best practices. And that's Research Saturday brought to you by N2K CyberWire.
Our thanks to Selena Larson from Proofpoint for joining us.
The research is titled Scammers Create Fraudulent Olympics Ticketing Websites.
We'll have a link in the show notes.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning
digital executive protection platform
secures their personal devices, home
networks, and connected lives. Because when executives are compromised at home, your company
is at risk. In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
We'd love to know what you think of this podcast.
Your feedback ensures we
deliver the insights that keep you a step ahead
in the rapidly changing world of cybersecurity.
If you like our show, please
share a rating and review in your podcast
app. Please also fill out the survey
in the show notes or send an email
to cyberwire at
n2k.com. We're privileged that N2K Cyber Wire is part of the daily routine of the most influential
leaders and operators in the public and private sector, from the Fortune 500 to many of the
world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to
optimize your biggest investment, your people. We make you smarter about your teams while making your team smarter.
Learn how at n2k.com.
This episode was produced by Liz Stokes.
We're mixed by Elliot Peltzman and Trey Hester.
Our executive producer is Jennifer Iben.
Our executive editor is Brandon Karp.
Simone Petrella is our president.
Peter Kilby is our publisher.
And I'm Dave Bittner.
Thanks for listening. We'll see you back here next time.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable. Pure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.