The 2018 FIFA World Cup is kicking off in Russia today, with at least 1 million visitors expected to travel to Moscow alone to take in the world’s biggest sporting event in person.
But the event will feature more than just breathtaking goals and soccer superstars: According to researchers and at least one U.S. counter-intelligence head, travelers could face a bevy of cyber-dangers while in-country.
In a statement to Reuters on Tuesday, William Evanina, an FBI agent and the director of the US National Counterintelligence and Security Center, warned that World Cup travelers had best leave their phones and other gadgets at home to avoid cyber-compromise.
“If you’re planning on taking a mobile phone, laptop, PDA, or other electronic device with you – make no mistake – any data on those devices (especially your personally identifiable information) may be accessed by the Russian government or cybercriminals,” he said.
He added, “Corporate and government officials are most at risk, but don’t assume you’re too insignificant to be targeted. If you can do without the device, don’t take it. If you must take one, take a different device from your usual one and remove the battery when not in use.”
The U.S. government has issued similar warnings for other major sporting events, including this year’s Winter Olympics in South Korea; cybercriminals after all have a knack for being where the people are and are generally poised to take advantage of the situation. But researchers said that it will pay to be extra-vigilant when traveling to the World Cup, thanks to Russia’s prodigious underground cybercrime scene.
“Russia is an unsecure location and travelers need to consider themselves compromised the moment they step off the airplane,” said Sinan Eren, CEO of Fyde Security, in an interview with Threatpost. “Everyone should consider themselves a high-value target for potential cyber-scammers. The fact that you come from the United States, a wealthy country compared to Russia, means that you are a potentially a meaningful return on investment for Russian cybercriminals.”
A Hat Trick of Concerns for Mobile Devices
When it comes to Evanina’s warning, Eren added that bad actors are looking to exploit three points of possible compromise when it comes to the mobile devices of travelers: physical, Wi-Fi and local carrier networks.
“The first is often referred to as an ‘Evil Maid’ attack,” he told Threatpost. “This is when, while going through airport security, or perhaps leaving your laptop in a hotel room, criminals get physical access to your device and gain access to your information.”
More prevalent threats however exist on the Wi-Fi front. Criminals can carry out man-in-the-middle (MiTM) attacks or can set up an official-looking or innocuous-sounding SSID (i.e., “Hotel Wi-Fi”) to trick users into connecting to it – and from there intercept traffic or convince victims to share credentials.
Gary McCloud, vice president of business development at OpenVPN, told us that cybercriminals especially look to compromise hotel Wi-Fi users.
“One of the most obvious threats is related to cybersecurity at hotels,” he told Threatpost. “Most have inherently insecure Wi-Fi because, when these networks were deployed, preventing hacker organizations and criminal access was not in the primary design. Hotels may be running outdated firmware, vulnerable code or have weak administrator passwords, and this increases the risk of a security breach. Hackers typically intercept email, social accounts, bank accounts, etc.”
The third possible point of compromise when it comes to mobile devices comes via local mobile carriers.
“To put it in the most basic terms, when traveling to a foreign country, you are using the local network’s ‘plumbing,’” said Eren. “Countries with strong autocratic regimes in place may have influence or control over cellular service providers and use that access to intercept information or inject a malicious payload.”
All of these compromises can give rise to follow-on attacks as well. “A person checks their credit-card balance online, a criminal sees that web traffic and sends a fake notification from that bank after their session ends,” Eren noted. “To the unsuspecting traveler this would seem perfectly normal.”
Other phishing scams can redirect users to a phony web page where they inadvertently download virus-laden malware.
IBM also cautioned against the “stranded traveler” scam.
“Fans — and their family and friends back home — can also fall victim to [this],” the firm said in a recent fraud alert posting. “In this attack, malicious actors hijack the email account of someone traveling overseas. With this privileged access, they can send targeted messages to friends and family members, claiming to be the traveler in desperate need of funds quickly.”
Kicking Off Mitigation
Using a burner phone might be the best idea when it comes to protection, researchers said.
“Reformatting or re-imaging a device will not protect you from compromises to your device component firmware,” Eren said. “I highly recommend…buying a local phone from a kiosk when they arrive and toss it in the trash before preparing for take-off.”
Travelers could also make use of a VPN that encrypts their data from the device and conceals their device IP.
“If you are going to Russia, use a VPN to connect to the internet,” Kaspersky Lab said in a recent posting on avoiding World Cup-related scams. “In the aftermath of the government’s attempt to block Telegram, many popular sites in Russia are either unavailable or unstable. To avoid the agony of not being able to post a selfie of your grinning face against the backdrop of your team’s goal celebration, get connected to a VPN in advance.”
“Although the law does not directly ban VPNs or anonymizers, it does restrict access to banned websites that would be accessible with a VPN,” explained McCloud.
Images courtesy of FIFA.