Dark Web Shows Cybercriminals Ready for Olympics. Are You?

Major sporting events like the World Cup, Super Bowl, and Wimbledon attract millions, even billions, of viewers. Argentina’s shootout win over France in the final game of the Qatar 2022 World Cup reached a global audience of 1.5 billion viewers. And the Olympics, starting later this month in Paris, is the biggest of them all—with the 2020 Tokyo Olympics having attracted a worldwide audience of over 3 billion viewers.

These events are also prime opportunities for cybercriminals. Over the past decade, the number of cyberattacks targeting major events has surged, increasing from 212 million documented attacks at the London 2012 Games to a staggering 4.4 billion at the Tokyo 2020 Games. These attacks often have direct financial motives, such as scams, digital fraud, or the acquisition of valuable data from attendees, viewers, and sponsors. In their excitement, eager fans often overlook potential risks when purchasing tickets, arranging accommodations, or buying memorabilia, making them easy targets for cybercriminals.

Others, desperate to view specific events, are enticed by malicious websites offering free access, only to have their devices compromised or personal data stolen. And with the world’s media focused on the event, criminals with a political agenda are looking for a large audience for their message by disrupting a significant site or knocking critical services offline.

Threat Actors Targeting the Paris 2024 Games
According to a new FortiGuard Labs analysis based on threat intelligence provided by FortiRecon, this year’s Olympics have been a target for a growing number of cybercriminals for over a year. Using publicly available information and proprietary analysis, this report provides a comprehensive view of planned attacks, such as third-party breaches, infostealers, phishing, and malware, including ransomware.

FortiGuard Labs has observed a significant increase in resources being gathered for the Paris Olympic Games, especially those targeting French-speaking users, French government agencies and businesses, and French infrastructure providers. Beginning the second half of 2023, we saw a surge in darknet activity targeting France. This 80% to 90% increase has remained consistent across 2H 2023 and 1H 2024. The prevalence and sophistication of these threats are a testament to cybercriminals’ planning and execution, with the dark web serving as a hub for their activities.

Hitting Critical Mass on Stolen Personally Identifiable Information
Documented activities include the growing availability of advanced tools and services designed to accelerate data breaches and gather personally identifiable information (PII), the sale of stolen credentials and compromised VPN connections to enable unauthorized access to private networks, and advertisements for phishing kits and exploit tools customized for the Paris Olympics. It also includes the sale of French databases that contain sensitive personal information, such as full names, dates of birth, government identification numbers, email addresses, phone numbers, residential addresses, and other PII, as well as combo lists (a collection of compromised usernames and passwords used for automated brute-force attacks) composed of French citizens.

Hacktivist Activity Spiking
Given that Russia and Belarus are not invited to this year’s games, we have also seen a spike in hacktivist activity by pro-Russian groups—like LulzSec, noname057(16), Cyber Army Russia Reborn, Cyber Dragon, and Dragonforce—that specifically call out that they’re targeting the Olympic games. Groups from other countries and regions are also prevalent, including Anonymous Sudan (Sudan), Gamesia Team (Indonesia), Turk Hack Team (Turkey), and Team Anon Force (India).

Phishing Kits and Infostealers Abound

Phishing kits: While phishing is perhaps the easiest form of attack, many low-sophistication cybercriminals don’t know how to create or distribute phishing emails. Phishing kits provide novice attackers with a simple user interface that helps them compose a convincing email, add a malicious payload, create a phishing domain, and procure a list of potential victims. The addition of text-generating AI services has also eliminated the spelling, grammatical, and graphical errors that allow recipients to detect an email as malicious.

The FortiGuard Labs team has also documented a significant number of typosquatting domains registered around the Olympics, including variations on the name (oympics[.]com, olmpics[.]com, olimpics[.]com, and others). These are combined with cloned versions of the official ticket website that take you to a payment method where you don’t get a ticket, and your money is gone. In collaboration with Olympic partners, the French Gendarmerie Nationale has identified 338 fraudulent websites claiming to sell Olympic tickets. According to their data, 51 sites have been shut down, and 140 have received formal notices from law enforcement.

Similarly, several Olympic Games–themed lottery scams have been identified, with many impersonating major brands such as Coca-Cola, Microsoft, Google, the Turkish National Lottery, and the World Bank. The primary targets for these lottery scams are users in the U.S., Japan, Germany, France, Australia, the U.K., and Slovakia.

We have also seen an increase in coding services for creating phishing websites and associated live panels, bulk SMS services to enable mass communication, and phone number spoofing services. These offerings can facilitate phishing attacks, spread misinformation, and disrupt communications by impersonating trusted sources, potentially causing significant operational and security challenges during the event.

Infostealers: Information stealer malware is designed to stealthily infiltrate a victim’s computer or device and harvest sensitive information, such as login credentials, credit card details, and other personal data. We have also observed that threat actors are deploying various types of stealer malware to infect user systems and obtain unauthorized access. Threat actors and initial access brokers can further leverage this information to execute ransomware attacks, causing substantial harm and financial loss to individuals and organizations.

Our data indicates that Raccoon is currently the most active infostealer in France, accounting for 59% of all detections. Raccoon is an effective and inexpensive Malware-as-a-Service (MaaS) sold on dark web forums. It steals browser autofill passwords, history, cookies, credit cards, usernames, passwords, cryptocurrency wallets, and other sensitive data. It is followed by Lumma (another subscription-based MaaS) at 21% and Vidar at 9%.

Conclusion
In addition to celebrating athleticism and sportsmanship, the Paris Olympics 2024 is a high-stakes cyberthreat target, drawing attention from cybercriminals, hacktivists, and state-sponsored actors. Cybercriminals are leveraging phishing scams and fraudulent schemes to exploit unsuspecting participants and spectators.

Fake ticketing platforms, fraudulent merchandise, and identity theft tactics threaten financial loss and undermine public trust in event-related transactions. Further, due to France’s political stances and international influence, the Paris Olympics 2024 is also a prime target for politically motivated groups.

We anticipate that hacktivist groups will focus on entities associated with the Paris Olympics to disrupt the event, targeting infrastructure, media channels, and affiliated organizations to disrupt event proceedings, undermine credibility, and amplify their messages on a global stage.

Advice for Travelers
Organizations and individuals attending the Olympic Games need to be aware of heightened travel-related cyberthreats. These include the increased likelihood of public Wi-Fi interception and fraudulent activities linked to Olympics-related events, including malicious websites and phishing scams. We also anticipate increased targeted attacks against VIPs, including government officials, senior executives, and key decision-makers, and additional precautions should be taken.

FortiGuard Labs strongly recommends installing endpoint protection or EDR on all devices, taking extra care when connecting to public wireless networks, and using SASE services to encrypt traffic.

  • Recommendations and Mitigation Strategies
    Major events like the Olympics are good reminders that we all need to remain vigilant against cyberthreats. FortiGuard Labs recommends the following best security practices to safeguard yourself and your organization against cyberattacks.
  • Employee and user training and awareness: Conduct regular training sessions to highlight the risks of Olympics-related social engineering lures in the runup to and during the Games. Training should focus on recognizing deceptive emails and fake websites and emphasize the importance of promptly reporting suspicious activities.
  • Public awareness campaigns: Launch comprehensive public awareness campaigns to educate attendees and participants about cybersecurity threats. Guide identifying phishing attempts, avoiding suspicious links, and reporting potential threats to designated authorities.
  • Protect sensitive data: Use security orchestration, automation, and response tools to detect and respond promptly to unusual activities. Maintain encrypted backups of critical data stored securely offline to mitigate the impact of ransomware attacks.
  • Monitor the external attack surface: Continuously monitor and assess your IT infrastructure’s external attack surface to identify vulnerabilities and potential risks. Implement measures to secure remote desktop protocol access and prevent exploitation of web server misconfigurations. Visit the Fortinet DRP page for information on how FortiRecon can help.
  • Enforce multi-factor authentication and strong password policies: Implement multi-factor authentication across all systems and enforce a robust password policy. Monitor darknet channels for compromised credentials to proactively protect organizational portals.
  • User endpoint protection: Deploy antivirus and antimalware software on all devices to detect and mitigate phishing attempts and malware infections. Regularly update software to safeguard against known and unknown vulnerabilities.
  • Implement patch management: Maintain up-to-date software and operating systems by promptly applying security patches. Prioritize critical vulnerabilities that could lead to remote code execution or denial-of-service attacks.
  • DDoS protection: Safeguard infrastructure with multi-layered DDoS prevention solutions, including firewalls, VPNs, and anti-spam filters. Monitor network traffic for anomalies that may indicate DDoS attacks and take preemptive actions.
  • Prevent ransomware attacks: Implement proactive measures such as regular software updates, secure offline backups, and user education to prevent ransomware incidents. Utilize threat intelligence to monitor darknet activities for potential threats and data leaks.
  • Website defacement prevention: Deploy web application firewalls to filter and block malicious traffic, protecting against website defacement and unauthorized access attempts.
  • Participate in threat hunting and response: Conduct robust threat-hunting activities based on compromised account information. Isolate infected systems promptly and perform system reimaging as necessary to mitigate threats.
  • Leverage cyberthreat intelligence (CTI): Utilize CTI to gather real-time data on emerging cyberthreats and potential risks. Monitor darknet chatter for early indicators of cyberattacks and data leaks to enable proactive incident response.