A European Summer of Sports is Upon Us – What Does it Mean for Security?

The recent Champions League final in London (congratulations, Real Madrid!) marked the opening shot to a hot European summer of major sporting events. We now approach the highly anticipated UEFA EURO 2024 football tournament in Germany and the Olympic Games in Paris 2024. And as we do, bad actors are warming up on the sidelines as they seek opportunities to strike.

The Imperva Threat Research Team recorded a 59% increase in attacks targeting European sports websites in January and another 66% increase in March, as overall security incidents increased from the previous year (indicated by the red trendline in the chart below). But what types of attacks should businesses and their customers prepare for? This blog will cover everything you need to know to stay ahead of the game.

Incidents Targeting European Websites

The impact goes beyond just sporting websites

A broader look at the ecosystem of organizations involved with these highly anticipated events, which includes travel, airlines, entertainment, and betting websites, reveals a similar picture.

The following chart visualizes the threat landscape using Imperva’s proprietary Cyber Threat Index (CTI). The CTI provides an easy-to-understand score to track cyber threat levels consistently over time and observe trends. The score is calculated using data gathered from all Imperva sensors globally and is based on several ingredients: network traffic, attack traffic, attack types, and vulnerabilities. 

The chart shows the increase in risk scores across almost all industries as we approach the opening match of the UEFA EURO 2024 tournament, indicating a rise in attack frequency and severity.

Monthly App Security Risk Score

The number of attacks targeting these industries has gradually increased over the past 12 months, with notable peaks of 53% in January and 37% in March. These peaks correlate with increased application attacks globally, as Imperva blocked 130 billion application attacks in January and 107 billion in March.

Attacks targeting Sports Sites

But why do we observe these trends in other industries, too? Let’s take travel, for example, which includes airlines and accommodations for travelers. According to various estimates, such as a report in the French economics paper Les Echos, around 15.3 million visitors are expected to flock to the capital to enjoy the festivities. Interestingly, only around 22% of these visitors are expected to have tickets in hand. The gambling category includes websites for betting on the results of the games. The entertainment category includes websites for purchasing event tickets and live streaming of the games.

Why are attackers targeting these major sports events?

Gaming and Gambling:

  • High Stakes and Large Transactions: The betting industry handles substantial amounts of money and frequent transactions, making it an attractive target.
  • Sensitive Information: Betting platforms store valuable personal and financial data, which can be stolen and sold on the dark web.
  • Betting Manipulation and Arbitrage: Cybercriminals may use targeted attacks to influence betting odds or outcomes, aiming for financial gain.

Travel, Airlines and Accommodation:

  • Travel Demand: Major events can result in a surge in travel bookings, providing opportunities for cybercriminals to exploit users through fake booking sites and phishing scams.
  • Complex Supply Chains: The travel industry involves multiple stakeholders such as airlines, hotels, and travel agencies, increasing potential vulnerabilities and the attack surface.
  • Personal Data: Travel bookings require extensive personal information, including payment details, which are valuable targets for theft.
  • Booking Fraud: Cybercriminals create fake rental listings or hotel websites to deceive users into paying booking fees for non-existent accommodations.
  • Ransomware Attacks: Hotels and rental services are vulnerable to ransomware attacks, disrupting operations and forcing businesses to pay to restore systems.

Entertainment:

  • Ticket Scalping: Bot operators use scalping bots to purchase large quantities of tickets for resale at inflated prices.
  • Ticket Scams: Fraudsters create fake ticket websites and send phishing emails to trick users into buying counterfeit or non-existent tickets.
  • Distributed Denial of Service (DDoS): Attackers launch these attacks to overwhelm ticket sales platforms and disrupt live streaming services. These attacks cause severe service disruptions and result in consumers being unable to access these services.

Bot Attacks

Over the past 12 months, 73% of attacks targeting European travel, sports, entertainment, and gambling sites have involved sophisticated bots seeking to abuse the business logic of applications and APIs. The trendline shows a gradual increase in attacks, with peaks of 53% in January and 37% in March.

Bot Attacks targeting Sports Sites

We can expect to see bots targeting the ecosystem surrounding the UEFA EURO 2024 and Olympic Games Paris 2024 in the following ways:

  • Ticket Scalping: Wherever there’s high demand with a limited supply, bot operators will take advantage of the resale value. This is precisely the case with tickets to these highly popular sporting events. For the 2.7 million tickets available across all Euro 2024 games, UEFA received over 20 million ticket requests. As for the Olympic Games Paris 2024, nearly 8 million tickets have been sold thus far. Bots are being deployed to buy up large quantities of tickets when they become available, preventing genuine fans from purchasing tickets at face value. Scalpers then resell these tickets at significantly inflated prices, exploiting the high demand for these events. Recently, our Advanced Bot Protection stopped such a scalping attack, targeting tickets for a highly anticipated football match in the UK. The bot utilized sophisticated evasion techniques, like using a unique character to bypass the usual checks preventing access to specific URLs. However, we have several models in place to detect such malicious behavior. Our Advanced Bot Protection successfully mitigated the attack.
  • Account Takeover (ATO): Bots use techniques like Credential Stuffing and Credential Cracking to hijack user accounts on sports websites. Attackers exploit these accounts to purchase tickets, sell fraudulent merchandise, or steal personal information, causing financial and reputational damage to the account holders and the event organizers.
  • Odds Scraping and Arbitrage: Betting bots scrape odds from multiple sports betting websites to identify discrepancies and place bets that guarantee profits through arbitrage. This activity undermines the bookmakers’ odds and can manipulate the betting market, leading to unfair advantages and significant financial losses for legitimate users.
  • Fraudulent Account Creation: Bots create massive numbers of fake accounts to exploit online betting and gaming platforms’ sign-up bonuses and promotional offers. These fraudulent accounts can skew user data, lead to unfair bonus distribution, and result in significant financial losses for companies.
  • Content Scraping and IP Theft: Bots scrape valuable content, such as live scores, statistics, and exclusive articles, from official websites and republish it without authorization. This infringes on intellectual property rights and diverts traffic and revenue from legitimate sources.
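As an added illustration of the Account Takeover item above (example code, not part of the original post and not Imperva's detection logic), the following sketch separates credential stuffing from credential cracking in authentication logs by looking at how failed logins from one source spread across usernames. The log format, thresholds and function name are assumptions, and the log lines are constructed.

```python
from collections import defaultdict

# Constructed sample log, format: "<epoch_seconds> <source_ip> <username> <OK|FAIL>"
SAMPLE_LOG = """\
1718000000 203.0.113.7 alice FAIL
1718000001 203.0.113.7 bob FAIL
1718000002 203.0.113.7 carol FAIL
1718000003 203.0.113.7 dave OK
1718000004 203.0.113.7 erin FAIL
1718000005 203.0.113.7 frank FAIL
1718000010 198.51.100.9 admin FAIL
1718000011 198.51.100.9 admin FAIL
1718000012 198.51.100.9 admin FAIL
1718000013 198.51.100.9 admin FAIL
1718000014 198.51.100.9 admin FAIL
1718000020 192.0.2.44 grace FAIL
1718000025 192.0.2.44 grace OK
"""

def classify_sources(log_text, min_failures=5, window=60):
    """Label each source IP from its failed logins inside a sliding time window."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, ip, user, result = parts
        events[ip].append((int(ts), user, result))
    report = {}
    for ip, evs in events.items():
        evs.sort()
        label, start = "normal", 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # drop events older than the window
            fails = [u for _, u, r in evs[start:end + 1] if r == "FAIL"]
            if len(fails) < min_failures:
                continue
            # Many usernames, one try each: leaked pairs being replayed (stuffing).
            # Fewer usernames than failures: repeated guessing (cracking).
            label = ("credential_stuffing" if len(set(fails)) >= min_failures
                     else "credential_cracking")
            break
        # Successful logins from a flagged source are accounts to review.
        hits = sorted({u for _, u, r in evs if r == "OK"}) if label != "normal" else []
        report[ip] = {"label": label, "review_accounts": hits}
    return report
```

Keying on source IP alone is a simplification; distributed bots rotate addresses, so the same grouping is usually repeated per device fingerprint or per ASN.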

Learn more about the impact of bad bots on businesses and consumers in the 2024 Imperva Bad Bot Report

API Attacks

The increased usage and adoption of APIs continue, making them a highly favorable target for bad actors, as they serve as direct pathways to sensitive data and application logic. According to The State of API Security in 2024 Report, API calls comprise 71% of all web traffic.

API Attacks targeting Sports Sites

It comes as no surprise that business logic abuse was the most popular attack vector. Such attacks exploit an application’s or API’s intended functionality and processes rather than its technical vulnerabilities. Because APIs are machine-readable, they are increasingly susceptible to bad bot attacks, and the lack of visibility into API traffic makes detection even more difficult.

Top 10 Attack Vectors

Distributed-Denial-of-Service (DDoS)

Layer 7 DDoS attacks targeting European travel, sports, entertainment, and gambling sites have increased by 89% from last year, with attack intensity peaking at 1.5 million Requests Per Second (RPS).

Layer 7 Attacks

Distributed Denial of Service (DDoS) attacks have the potential to cause significant disruptions during major events such as the UEFA EURO 2024 and Olympic Games Paris 2024. These attacks can target critical infrastructure and services, leading to widespread issues. They may overwhelm ticket sales websites, authentication systems, and official event websites, resulting in lost sales, logistical challenges, and frustrated fans. The coordination and communication of the events can be severely hindered, affecting the efficiency of staff, volunteers, and security personnel.

Digital Skimming (Client-Side Attacks)

Transactions related to this summer’s sporting events include ticket purchases, merchandise sales, accommodation bookings, travel arrangements, online food and beverage sales, betting transactions, media broadcasting rights, and more.

All of these are at extremely high risk of becoming targets of digital skimming attacks, such as Magecart and formjacking. These attacks involve injecting malicious JavaScript into legitimate websites to collect sensitive personal information from online forms, particularly payment pages, directly from the client side (end-user browsers).

JavaScript is a crucial component of modern web applications. If an application is not adequately secured, it may be vulnerable to attacks that load malicious scripts. These attacks can come from server-side compromises, supply chain attacks, or techniques such as stored Cross-Site Scripting (XSS).

Businesses that use third-party vendors for website code are vulnerable to Magecart and digital skimming attacks. Each third-party service represents a potential entry point for attackers, and the more services a website uses, the greater the risk of attack. For instance, even a simple analytics code could be hijacked by malicious actors to insert a Magecart payload. These vulnerabilities enable attackers to target multiple users across various sites simultaneously.

Alarmingly, entertainment and travel websites are amongst the industries with the highest ratio of third-party JavaScript usage. As a result, their exposure to compromises introduced through the software supply chain is heightened, making them highly vulnerable to client-side data breaches.

Highest Ratio Java Scripts
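To make the third-party JavaScript exposure described above measurable on a single page, here is an added example (not from the original post, and not Imperva's method) that inventories the scripts a payment page loads, computes the share served from other hosts, and lists those loaded without a Subresource Integrity hash. The page markup, host names, function names and the definition of the ratio (third-party script tags over all external script tags) are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed payment page; every host name below is a placeholder.
SAMPLE_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.net/lib.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://analytics.example.org/tag.js"></script>
<script src="//widgets.example.com/chat.js" async></script>
<script>console.log("inline");</script>
</head><body><form id="payment"></form></body></html>"""


class ScriptCollector(HTMLParser):
    """Collect (src, integrity) for every <script> that loads an external file."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        attributes = dict(attrs)
        if tag == "script" and attributes.get("src"):
            self.scripts.append((attributes["src"], attributes.get("integrity")))


def audit_scripts(html, page_url):
    """Report third-party script hosts and those loaded without an SRI hash."""
    page_host = urlparse(page_url).hostname
    collector = ScriptCollector()
    collector.feed(html)
    third_party, missing_sri = [], []
    for src, integrity in collector.scripts:
        # Resolve relative and protocol-relative URLs against the page URL.
        host = urlparse(urljoin(page_url, src)).hostname
        if host == page_host:
            continue  # assumption: same host name means first party
        third_party.append(host)
        if not integrity:
            missing_sri.append(host)  # the browser will run whatever is served
    total = len(collector.scripts)
    return {
        "external_scripts": total,
        "third_party": third_party,
        "third_party_ratio": len(third_party) / total if total else 0.0,
        "missing_sri": missing_sri,
    }
```

Subresource Integrity suits fixed, versioned files; for tags a vendor updates in place, a Content-Security-Policy allowlist and change monitoring are the usual fallback.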

About Imperva Application Security

Imperva is the cybersecurity leader that helps organizations protect critical applications, APIs, and data anywhere, at scale, and with the highest ROI. The Imperva Application Security Platform stops the most advanced attacks with the highest efficacy while minimizing false positives. Its high efficiency enables organizations to quickly onboard, protecting their assets at scale. With the help of the Imperva Threat Research Team and our global intelligence community, we stay ahead of the evolving threat landscape, seamlessly integrating the latest security, privacy, and compliance expertise into our solutions.

The Imperva Application Security Platform combines best-of-breed solutions that bring defense-in-depth to protect your applications wherever they live — in the cloud, on-premises, or a hybrid configuration:

  • On-Prem and Cloud Web Application Firewall (WAF) solutions for blocking the most critical web application security risks. 
  • API Security for continuous protection of all APIs using deep discovery and classification.
  • Advanced Bot Protection for safeguarding websites, mobile applications, and APIs against today’s most sophisticated automated threats. 
  • Client-Side Protection for safeguarding websites against client-side attacks and streamlining regulatory compliance with PCI DSS 4.0.
  • DDoS protection for websites, networks, and DNS to ensure business continuity with guaranteed uptime.
  • Runtime Application Self-Protection (RASP) for security by default against known and zero-day vulnerabilities.
  • Content Delivery Network for securely delivering applications worldwide with superior speed and performance.

Start your Application Security Free Trial today to protect your applications from bad bots.