By Fortinet.
Major sporting events like the Olympics, World Cup, Super Bowl, and Wimbledon attract millions, even billions, of viewers. Argentina’s shootout win over France in the final game of the Qatar 2022 World Cup reached a global audience of 1.5 billion viewers. And the Olympics, starting later this month in Paris, is the biggest of them all—with the 2020 Tokyo Olympics having attracted a worldwide audience of over 3 billion viewers.
These events are also prime opportunities for cybercriminals. Over the past decade, the number of cyberattacks targeting major events has surged, increasing from 212 million documented attacks at the London 2012 Games to a staggering 4.4 billion at the Tokyo 2020 Games. These attacks often have direct financial motives, such as scams, digital fraud, or the acquisition of valuable data from attendees, viewers, and sponsors. In their excitement, eager fans often overlook potential risks when purchasing tickets, arranging accommodations, or buying memorabilia, making them easy targets for cybercriminals.
Others, desperate to view specific events, are enticed by malicious websites offering free access, only to have their devices compromised or personal data stolen. And with the world’s media focused on the event, criminals with a political agenda are looking for a large audience for their message by disrupting a significant site or knocking critical services offline.
Threat Actors Targeting the Paris 2024 Games
According to new FortiGuard Labs analysis based on threat intelligence provided by FortiRecon, this year’s Olympics has been a target for a growing number of cybercriminals for over a year. Using publicly available information and proprietary analysis, this report provides a comprehensive view of planned attacks, such as third-party breaches, infostealers, phishing, and malware, including ransomware.
FortiGuard Labs has observed a significant increase in resources being gathered leading up to the Paris Olympic Games, especially those targeting French-speaking users, French government agencies and businesses, and French infrastructure providers.
Notably, since the second half of 2023, we have seen a surge in darknet activity targeting France. This 80% to 90% increase has remained consistent across 2H 2023 and 1H 2024. The prevalence and sophistication of these threats are a testament to the planning and execution of cybercriminals, with the dark web serving as a hub for their activities.
A Growing Market for Stolen Personal Information and Malicious Activity
Documented activities include the growing availability of advanced tools and services designed to accelerate data breaches and gather personally identifiable information (PII), such as full names, dates of birth, government identification numbers, email addresses, phone numbers, residential addresses, and others.
For example, we’re seeing the sale of French databases that include sensitive personal information, as well as the sale of stolen credentials and compromised VPN connections that enable unauthorized access to private networks. We’re also witnessing a rise in advertisements for phishing kits and exploit tools customized specifically for the Paris Olympics, as well as combo lists (collections of compromised usernames and passwords used for automated brute-force attacks) covering French citizens.
Hacktivist Activity Spiking
Given that Russia and Belarus are not invited to this year’s games, we have also seen a spike in hacktivist activity by pro-Russian groups—like LulzSec, noname057(16), Cyber Army Russia Reborn, Cyber Dragon, and Dragonforce—that specifically call out that they’re targeting the Olympic games. Groups from other countries and regions are also prevalent, including Anonymous Sudan (Sudan), Gamesia Team (Indonesia), Turk Hack Team (Turkey), and Team Anon Force (India).
Beware of Phishing Scams and Fraudulent Activity
Phishing kits: While phishing is perhaps the easiest form of attack, many low-sophistication cybercriminals don’t know how to create or distribute phishing emails. Phishing kits provide novice attackers with a simple user interface that helps them compose a convincing email, add a malicious payload, create a phishing domain, and procure a list of potential victims. The addition of text-generating AI services has also eliminated the spelling, grammatical, and graphical errors that allow recipients to detect an email as malicious.
The FortiGuard Labs team has also documented a significant number of typosquatting domains registered around the Olympics that could be used in phishing campaigns, including variations on the name (oympics[.]com, olmpics[.]com, olimpics[.]com, and others). These are combined with cloned versions of the official ticket website that take you to a payment method where you don’t get a ticket, and your money is gone. In collaboration with Olympic partners, the French Gendarmerie Nationale has identified 338 fraudulent websites claiming to sell Olympic tickets. According to their data, 51 sites have already been shut down, and 140 have received formal notices from law enforcement.
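A defender-side check for the typosquatting pattern described above, as an added example that is not part of the Fortinet report: it flags domains whose registered name is within one edit of "olympics", which covers the three variations quoted in the article. The allowlist, the one-edit threshold, the assumption that the name sits directly left of the TLD, and every sample domain other than the article's three are constructed for illustration.

```python
import re

BRAND = "olympics"            # name being imitated in the article's examples
ALLOWLIST = {"olympics.com"}  # assumption: hosts you already trust

def refang(domain: str) -> str:
    """Undo defanging (olmpics[.]com, hxxps://...) and return the bare hostname."""
    d = domain.strip().lower().replace("[.]", ".")
    d = re.sub(r"^[a-z]+://", "", d)
    return d.split("/")[0].rstrip(".")

def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap as 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent letters swapped
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify(domain: str, brand: str = BRAND, allow=ALLOWLIST, max_dist: int = 1) -> str:
    host = refang(domain)
    if host in allow:
        return "official"
    labels = host.split(".")
    # Assumption: the registered name is the label left of the TLD
    # (a public-suffix list would be needed for suffixes like co.uk).
    name = labels[-2] if len(labels) >= 2 else labels[0]
    dists = [osa_distance(t, brand) for t in re.split(r"[^a-z]+", name) if t]
    if 0 in dists:
        return "brand-in-name"   # exact brand on a host outside the allowlist
    if any(d <= max_dist for d in dists):
        return "lookalike"       # one typo away from the brand
    return "unrelated"

# First three entries are quoted in the article; the rest are constructed samples.
SAMPLE = ["oympics[.]com", "olmpics[.]com", "olimpics[.]com",
          "olypmics[.]com", "tickets-olympics[.]shop", "olympics.com", "example.org"]

def triage(domains):
    return {refang(d): classify(d) for d in domains}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE).items():
        print(f"{verdict:14} {host}")
```

Raising max_dist widens coverage but starts matching unrelated words that sit two edits away, so review hits before blocking.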
Similarly, several Olympic Games–themed lottery scams have been identified, many impersonating major brands, including Coca-Cola, Microsoft, Google, the Turkish National Lottery, and the World Bank. The primary targets for these lottery scams are users in the U.S., Japan, Germany, France, Australia, the U.K., and Slovakia.
We have also seen an increase in coding services for creating phishing websites and associated live panels, bulk SMS services to enable mass communication, and phone number spoofing services. These offerings can facilitate phishing attacks, spread misinformation, and disrupt communications by impersonating trusted sources, potentially causing significant operational and security challenges during the event.
Infostealers: Information stealer malware is designed to stealthily infiltrate a victim’s computer or device and harvest sensitive information, such as login credentials, credit card details, and other personal data. We have observed threat actors deploying various types of stealer malware to infect user systems and obtain unauthorized access. Threat actors and initial access brokers can further leverage this information to execute ransomware attacks, causing substantial harm and financial loss to individuals and organizations.
Our data indicates that Raccoon is currently the most active infostealer in France, accounting for 59% of all detections. Raccoon is an effective and inexpensive Malware-as-a-Service (MaaS) sold on dark web forums. It steals browser autofill passwords, history, cookies, credit cards, usernames, passwords, cryptocurrency wallets, and other sensitive data. It is followed by Lumma (another subscription-based MaaS) at 21% and Vidar at 9%.
Conclusion
In addition to celebrating athleticism and sportsmanship, the Paris Olympics 2024 is a high-stakes target for cyberthreats, drawing attention from cybercriminals, hacktivists, and state-sponsored actors. Cybercriminals are leveraging phishing scams and fraudulent schemes to exploit unsuspecting participants and spectators.
Fake ticketing platforms, fraudulent merchandise, and identity theft tactics threaten financial loss and undermine public trust in event-related transactions. Further, due to France’s political stances and international influence, the Paris Olympics 2024 is also a prime target for politically motivated groups.
We anticipate that hacktivist groups will focus on entities associated with the Paris Olympics, targeting infrastructure, media channels, and affiliated organizations to disrupt event proceedings, undermine credibility, and amplify their messages on a global stage.
To learn more about FortiRecon and generating reports like this for your organization, visit.