Sports as Bait: Cybercriminals Play to Win

Written by: Dianne Kristine Lagrimas

Sports is one of the most common fields of interest all over the globe. The exciting nature of sports has kept people captivated for as long as anyone can remember. Regardless of the type of sport, the level of attraction towards sports and sporting events is always considerably high, both for players and sports fans alike.

In these times, the Internet has been a great venue where sports fans and followers can book tickets to games, monitor game scores, read sports news and find experts' opinions, and mingle with other fans.

The interest in sports is very well reflected in the threat landscape as well, with sports themes and events' consistent usage in social engineering ploys in the past few years as proof. And as sports are enjoyed by users through various channels and forms, the types of attacks using sports as a lure vary just as much.

What are typical sports-related threats Trend Micro has seen?

Cybercriminals have used different techniques with sports as bait. Over the years, Trend Micro has seen the following techniques used:


Boxing fans have been lured to get tickets to the recent Manny Pacquiao - Juan Manuel Marquez 2011 bout via phishing scam claiming tickets have been ordered from the online marketplace StubHub. Users who mistakenly click on the link are led to a phishing site that gathers information entered by the users.

In 2008, Trend Micro discovered a fake website supposedly selling tickets to the 2008 Beijing Olympics. This particular website invites users to a series of pages to create an account, enter personal information, and buy tickets to specific events. Trend Micro researchers went on to enter bogus information but still the website accepted, making the website more suspicious. This particular phishing scheme garnered an undisclosed number of victims, and The Los Angeles Times reported that the victims lost a significant amount of money. Trend Micro's discovery led to the shutdown of the said website.

Scams and Spam

Scams abound in sports-related threats. Some of these scams are connected with the notorious 419/Nigerian scam. In May 2010, Trend Micro spotted several spammed messages that used the 2010 FIFA World Cup as bait. In both instances, the users were purportedly winners of a lottery and were asked to send a large sum to a contact prior to claiming the supposed lottery prize.

The Olympics seems to be another favorite bait among scammers, as Trend Micro saw several scams using the 2012 London Olympics and the 2008 Beijing Olympics. These scams ask for users to reply to the message with their personal information in order to claim their prize, similar to the technique employed in scams using the 2010 FIFA World Cup. Users who fall for this trap may end up as money mules for cybercriminal gangs using people.

These scams usually start via a spammed email message, with the sports event as the subject. The messages are a variation of the recipient being declared as a winner of a prize in a lottery drawn by the committee of the particular sports event in the subject. The message is purportedly signed by a committee member. Some of these messages even have PDF attachments to explain the event and the mechanics. All of these scams end in asking personal information.

Additionally, we found a Facebook survey scam leveraging the Manny Pacquiao - Juan Manuel Marquez boxing match mentioned above. Users were enticed with Facebook posts supposedly leading to sites offering live streaming of the match. The sites, in reality, only lead to survey sites, which then ask for the victims' mobile numbers, and then signs them up to services that will lead to unwanted costs.

Website compromises and Exploits

Cybercriminals used sports to spread malware via website compromises as well. Targeting sports fan sites, cybercriminals were able to serve malware to some New York Jets fans, Super Bowl fans, and Arsenal fans. These compromises have led to the download of malware to users who accessed the compromised sites. In these cases, the websites were injected with code to serve malware to those who visited these sites.

In addition to the website compromises, some of these reported cases used exploits in MS Windows components. In Trend Micro's investigation of the New York Jets and Super Bowl fans sites compromises, several Windows exploits were used to download malware on the vulnerable systems. In 2008, Trend Micro found a .DOC file that exploited a zero-day vulnerability in MS Word.

Blackhat SEO Attack

Even the 2010 Winter Olympics was not saved from these threats. Cybercriminals poisoned search results to host two different malware: a backdoor and a FAKEAV variant. Search results that lead to the download of BKDR_INJECT.ANI were fronted by a bogus download of Windows Media Player update. Other poisoned search results that led to the download of a FAKEAV component leads to the installation of the rogue antivirus known as Security Antivirus.

How do these threats affect users?

A majority of the techniques employed by cybercriminals lead to the obtaining of affected users' personal information. In the case of website compromises and exploits, cybercriminals are after the spread of malware. Malware implicated in the compromises, poisoned search results, and exploits that Trend Micro analyzed lead to installation of backdoors to control the system. Some of the malware downloaded onto the affected systems are also capable of stealing information.

Are Trend Micro users protected from these threats?

Yes. Trend Micro provides a multi-layered protection through the Trend Micro™ Smart Protection Network™. The file reputation technology detects all malware components in exploits and website compromises, preventing them from executing their malicious routines. Access to all of the related URLs used by in scams and phishing sites is blocked through the Web reputation technology. The email reputation technology effectively blocks malicious spam from getting to your mailbox.

What can users do to stay protected from these threats?

Cybercriminals will continue to use sports and sporting events to trap users into their money-making schemes. Trend Micro highly encourages users to always verify sources especially for dubious-looking email messages. If offers and prizes look too good to be true, they probably are. Get sports updates online via qualified news organizations. And always keep your anti-malware product patterns updated to ensure that your system is protected from malware.