Scam, just in…
FIFA (Fédération Internationale de Football Association) has had a lot of bad press over recent years. As well as internal problems, such as the 2015 corruption case, FIFA is now also a victim of phishing scams. This week, FIFA disclosed that they have had a mega-data breach of documents, some of them containing highly confidential information.
The actual data breach seems to have happened back in March, but as with a lot of these high-profile cybersecurity incidents, the leak went public well after the fact – long after in some cases. Delays in revealing leaks are common. For example, Uber took over a year to admit that 57 million of the data records under their control had been exposed. New regulations such as the GDPR will levy heavy fines on organisations who delay data breach reports.
Phishers 1, FIFA 0
But back to FIFA. The attack that occurred in March, was the second such breach and has been attributed to a spear phishing attack. Spear phishing is the targeted cousin of the more common phishing email we are all used to seeing in our inboxes. Spear phishing is a popular method used for stealing login credentials. Studies show that 54 percent of organisations have been victims of this type of scam. In the case of FIFA, the details of the phishing attack are sketchy. However, the organisation has said that it is likely that the victim clicked a malicious link in an email taking them to a spoof site. Once on the site, they entered login credentials which were subsequently harvested. This is spear phishing 101.
In an interview with the BBC, FIFA said that since the attack was identified in March, they have put measures in place to prevent another attack. Measures to prevent spear phishing should include “security awareness training” and “behavioural monitoring”.
The Final Score
The end result of the FIFA phish was a mega-haul of exposed documents. The phish has been described as the “largest leak in the history of sports”. It has damaged the reputation of FIFA and has been personally damaging for Gianni Infantino the president of FIFA. The information includes a list of footballers who have failed drug tests as well as tax evasion by members of the organisation. The cybercriminals who perpetrated the scam, passed the documents over to the football equivalent of Wikileaks, “Football leaks” who then turned them over to the wider press. FIFA is just one of many organisations who are victims of phishing scams. Hopefully, they will put the right measures in place to stop any future football leaks.