According to a 2022 report from the National Cyber Security Centre, “70% of sports organizations experience at least one cyberattack per year. This is a considerable increase over general businesses, of which just 32% reported dealing with cyber incidents or harmful cyber activity.” According from a 2023 report, Microsoft warned of growing cyber-threats to sporting events.
One of the driving factors of increased cyber-attacks around major sporting events is due to the increasing digitization of sensitive information and 3rd party technology vendors. According to the Business Research Company, with the global sports market expected to reach $623.6 billion by 2027, cyber criminals are expected to increasingly target this industry. Cyber threats surrounding large-scale events like the Super Bowl are much more complex. Well before fans, performers, media teams and vendors arrive at the stadium on Sunday, there will have been numerous betting transactions made, sponsorship payments delivered, and accounts for fantasy apps created. All these digital touch points offer threat actors the opportunity for exploitation and theft.
Last year DarkOwl analysts examined the Super Bowl’s cyber threat landscape looking at how exposed technology vendors involved in the Super Bowl appear on the darknet. Given the popularity of last year’s blog, we wanted to do an update and examine new trends. This includes exposed credentials and chatter around malware that can allow hackers access to key vendor technologies, such as ticket payment systems.
Super Bowl sweep stakes are very popular with others choosing to bet direct at this time more than any other. Gambling and sports betting apps continue to be highly attractive targets for hackers because of how popular these apps and websites are. It is common to see product listings for gambling application site accounts alongside listings for banks (Wells Fargo, Chase), online payment companies (PayPal, CashApp), streaming platforms (Netflix, Hulu), and really any other companies that have a large global mobile application user base.
These types of services are also typically connected to a payment system, allowing users to make bets and access their transaction with minimal effort. From a threat actor perspective, that makes digital sports gambling apps one of the most likely targets for phishing campaigns and potential account takeover by leveraging digital fraud techniques.
Bet365 is a British based gambling company that has become one of the most popular gambling companies in the United States. DarkOwl analysts discovered various ways Bet365 was exposed on the darknet. The below example from DarkOwl Vision shows a detailed listing for Bet365 accounts containing active balances from various countries on a popular deep web forum primarily known for its corporate leaked databases called Amunet.
This user also includes their Telegram contact info. Telegram accounts are often listed on Deep and Darknet listings because threat actors prefer this chat application to verify a user and complete a transaction.
Telegram is also a popular place for threat actors to sell information belonging to gambling companies. The below Telegram post displays a user selling Bet365 accounts. It is important to note all the additional vendors mentioned on the same product listing from other gambling companies like BetMGM, payment transfer companies like CashApp, as well as large banks like Barclays.
DraftKings is another popular betting app, below is an example a DraftKings account appearing in the naz.API database with a plaintext password. This could be used by threat actors to access the account and steal funds.
What is naz.API? A version of the naz.api leak was made available on BreachForums, on January 15, 2024. According to the post, it is a 35 GB collection of public URLs, usernames, and passwords. The post also notes that it was originally on xkey.info but was taken down for allegedly not being the real naz.api leak. Naz.api is reported to be one of the largest credential stuffing lists released, originally posted on September 9, 2023, by 0x64. According to that post, the database was created by extracting data from stealer logs and contains over 1 billion unique records of saved logins and passwords in users’ browsers. The post also notes that the original naz.api dataset was donated to 0t. rocks.
Infostealer logs are files produced when a trojan is installed on a system that collects information from the infected system. Depending on the infostealer malware, the extracted data can include system information and browser session data (including autofills, credentials, financial information, cookies, browser history, etc.). Some malwares will also capture stored local files and install keylogging on the system to exfiltrate data outside of the browser sessions.
Hackers can also gain access to existing DraftKing accounts using more traditional methods like credential stuffing and exchanging combolists to exploit exposed account login information.
In the image below, a user on the darknet forum, FSS Squad, is allegedly selling DraftKings accounts with actual balances. Listings for stolen DraftKing accounts on Telegram are more explicit, with some offering accounts that come with pre-existing balances, as well as methods to bypass multi-factor authentication.
Methods around stealing DraftKings accounts is a common topic discussed on Telegram fraudster channels like “Big Fat Chat” or “Bazaar Lounge”. The below is an example of a user the sale over 800,000 DraftKings logs on the Deepnet carding site Bazaar Lounge.
In January 2021, the bank Truist signed a multi-year deal to be the official retail bank of the NFL. As a result of this agreement, Truist is now the exclusive financial service provider for all facets and personnel within the NFL, including player contracts. Below are several examples of actors on the darknet and deep web actively targeting Truist Bank.
Truist card numbers, bank account numbers, and other account information is readily available on all major carding forums like WWH Club, AS Carding, Card Villa, as well as across thousands of Telegram fraudster channels. The below example is from WWH Club, where users are discussing how to target Truist Bank. The user in the screenshot says in Russian, “Бро а не знаешь номера у труиста пробиваются? или нет”, which translates to “Bro do you have Truist numbers” … referring to bank account numbers for Truist bank members.
Truist logs and accounts are regularly sold across hundreds – thousands of Telegram fraudster channels. In below screenshot this user is advertising Truist accounts for sale on a deep web carding market, but also claims to sell PayPal, Coinbase, Wells Fargo, Cloned Cards, Bank Logs, and more.
It is likely that the Truist accounts are being targeted due to general financial fraud, however their links to the NFL highlight how access can be used to target other organizations in a supply chain.
As the official ticket payment system of the Super Bowl, DarkOwl analysts found numerous instances of official Super Bowl ticket vendor StubHub data on the darknet.
The above is a listing to a Stubhub accounts being sold on the popular Russian language credit card fraud forum known as WWH Club. In this instance, a threat actor has uploaded 163 Stubhub accounts to sell on the forum.
Below, users on Telegram discuss various options for bypassing multi factor authentication on Stubhub and Ticket Master.
Since the NFL Sunday Ticket and YouTube TV showing NFL games launched, DarkOwl analysts have observed cyber criminals advertise accounts for sale as well as solicit accounts on Telegram and darknet forums.
Telegram fraudsters have targeted YouTube TV more since the merger with NFL Sunday Ticket and RedZone. The below post a Telegram user is selling access to YouTube TV, NFL Sunday Ticket, YouTube premium, HBO Max, and other apps for $150 USD.
Our analysts identified the below result of a Nulled user soliciting access to YouTube TV accounts so they can watch “any NFL game”, an obvious reference to NFL Sunday Ticket. Another responds and asks the prospective buyer to contact them privately on TG. Again, DarkOwl analysts are increasingly seeing vendors on various darknet forums and marketplaces asking buyers to contact them privately on Telegram.
While the dispersed and perhaps seemingly small-scale nature of these vendors’ darknet footprints may make them seem inconsequential, it is important to consider the bigger picture. In the last year threat actors have increasingly targeted technology vendors involved with major sporting events like the Super Bowl, World Cup, and Olympics. DarkOwl analysts agree with the assessments of Microsoft and the National Cyber Security Centre that cyber threat actors will increasingly target major sporting events as these events increasingly rely on technology vendors for infrastructure, payment, advertising, etc, and make a lot of money.
With threat attack vectors becoming ever more sophisticated, large events like the Super Bowl – which bring together humans and technology at such a high magnitude during such a concentrated period – offer a unique opportunity to threat actors. By maintaining visibility into threat actor activity on the darknet, NFL fans, vendors, and corporate decision makers can position themselves in the best way possible to be ahead of and respond to cyber incidents.
Whoever you support we hope you enjoy the game!