CyberWire Daily

Olympic scammers go for gold. [Research Saturday]

This week, we are joined by Selena Larson, Staff Threat Researcher, Lead Intelligence Analysis and Strategy at Proofpoint, as well as host of the "Only Malware in the Building" podcast, as she discusses their research on "Scammers Create Fraudulent Olympics Ticketing Websites." Proofpoint recently identified a fraudulent website selling fake tickets to the Paris 2024 Summer Olympics and quickly suspended the domain. This site was among many identified by the French Gendarmerie Nationale and Olympics partners, who have shut down 51 of 338 fraudulent websites, with 140 receiving formal notices from law enforcement. The research can be found here: Security Brief: Scammers Create Fraudulent Olympics Ticketing Websites

Learn more about your ad choices. Visit megaphone.fm/adchoices

Duration: 21m
Broadcast on: 20 Jul 2024
Audio Format: mp3


You're listening to the Cyberwire Network, powered by N2K.

When it comes to ensuring your company has top-notch security practices, things can get complicated fast. Vanta automates compliance for SOC 2, ISO 27001, HIPAA, and more, saving you time and money. In Vanta, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing trust center. Over 7,000 global companies like Atlassian, Flow Health, and Quora use Vanta to manage risk and prove security in real time. Our listeners can claim a special offer of $1,000 off Vanta at vanta.com/cyber.

Hello, everyone, and welcome to the Cyberwire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

So, at Proofpoint, we have something of a tiger team I'm leading that we want to really focus on upcoming major events that will likely be used across the threat landscape for phishing lures, social engineering, things like that, and one of these is the Olympics. We also have the elections, of course, multiple different elections coming up, so we really wanted to generate some hypotheses around how threat actors are going to be using these major events in potential attacks.

That's Selena Larson, Staff Threat Researcher and Lead for Intelligence Analysis and Strategy at Proofpoint. The research we're discussing today is titled "Scammers Create Fraudulent Olympics Ticketing Websites."

So we generated some hypotheses, and one of the hypotheses was it's likely that scammers are going to try and capitalize on the Olympics by creating fake ticketing websites. We do see that with many major sporting events, other types of events as well, and yeah, so this was honestly the particular one that I stumbled across. I was literally Googling Paris 24, and I was just like, Paris 24 tickets. This might have actually just been a personal Google of mine. I might not even have been in researcher mode, and something came up, and I was like, "Whoa, wait a second. This looks weird." So there were two sponsored posts. The first, of course, was the legitimate Paris Olympics hospitality site where you can buy your tickets, and the second was this kind of suspicious-looking website, Paris24tickets.com.

Well, I mean, let's dig into that because I think, let me push back a little bit, because you say, of course, the official one comes up first. That's not a given anymore, is it?

Yeah, right. You know, that's a good point. I shouldn't say, of course, I shouldn't say, of course. It was, in this case, the first official site. Yeah, I mean, SEO poisoning, search ads that are bought maliciously or to fraudulent websites. These are techniques that are used by threat actors. We often see it with fake software downloads, for example, like a threat actor might buy ads purporting to be legitimate software, and an unsuspecting user will click on the sponsored post before they scroll down in the feed, right? And then they might get led to a malicious website. So in this case, it was immediately suspicious because, as I know, there's only one place to legitimately buy Olympic tickets, and that is the official Paris website. So this kind of made my brain go, huh, what's this?

Yeah, and I can see people having a little fuzziness on that because in a world where we have things like StubHub and these quasi-official marketplaces to buy and sell tickets, right? It's not always so straightforward.

Yeah. I think Paris Olympics has done a pretty decent job in terms of advertising on all of its official pages, like this is where you buy tickets. They are really trying to combat fraud and combat people accidentally stumbling into fake secondary marketplaces or potentially fraudulent secondary marketplaces. The ticket marketplace and ticket resale industry is kind of interesting because sometimes you might have a scammy site that does end up providing maybe one of a package of fight tickets that you bought, or they'll send you something that looks authentic, but you get to the stadium and try and scan your code and they're like, that doesn't work. It was really interesting because while I was conducting this research around the Olympics, I saw a number of reports about related websites that were fraudulent or scammy ticket sites. You have, for example, Liverpool Football Club, on its official website, has a list of like, beware of these websites. There's a lot of work that's being done from official sports organizations, from Paris and the Olympics and its partners, to, like, communicate that, hey, this is out there. There's also a lot of conversation and discussion happening on Reddit, for example. There is a lot of conversation about scams in general, but you see sort of like ticket scams being discussed there as well. So as a user, it's always really good, if you're not sure if something is legitimate, right, you have Ticketmaster and StubHub and we know these brands, but if something comes across your feed like, this is a little bit weird, I don't recognize it, googling it, looking around and seeing other people be like, oh, I tried to get tickets from this website and it didn't work. That's usually a really good indicator to avoid that website. Use the official one for your ticket purchases.

Yeah, I mean, it's a really good point, and I think in today's world, where most ticketing is done electronically and so you have some kind of a QR code to get you into the event, if I'm a scammer and I take all your information and I take your money and I send you a QR code that looks like the real thing that in reality Rickrolls you or something like that, chances are I'm not going to know until I get up to the gate, ready to go into the event, that that ticket is no good.

Yes, yes, unfortunately, that has happened, and on some of the forums that I was looking at, you can kind of report scams, report these fraudulent sites. I thought it was kind of funny that one person who unfortunately got scammed said, I didn't know it was fake. It's how I tried to get into the stadium, they told me it was fake, and thank goodness I didn't get arrested. So this person was a little bit worried that they might get in trouble with the law because they were trying to go to this game and didn't realize.

That escalated quickly.

Yes, exactly.

Huh, well, I mean, let's dig into this specific one here. So suppose I'm somebody who, I'm looking for tickets to the Olympics, I see this ad, seems like a good thing to me, I click on it, what comes up in my browser?

So they did a really nice job of looking like a legitimate ticket site. At the top of the screen it says, we're a secondary marketplace for sports and live events tickets. They have a bunch of graphics that are associated with each of the potential sports that you can buy things from. There's apparently a buyer login and apparently a seller login, and when you click on one of the sports, it'll pop up how many do you want, what type of tickets, the price range. So they do a decent job in terms of the homepage when you click on the tickets page. But if you click around a little bit more on the website, that's where things get a little bit more suspect. So we didn't include this in the blog, but visiting the about page doesn't have very much information. There are a few typos on the about page. The contact information is a WhatsApp phone number and the red flag.

Yeah.

So while from the outside, if you're window shopping, it looks pretty good. But once you kind of go into the store and open the doors and look around, you can kind of see some of the characteristic red flags for things that might suggest it's a scam. The misspellings, once you go further than just the landing page and the individual sports, you can kind of see, oh, this looks a little suspicious, because of course, with legitimate websites, they'll have customer service, they'll have a contact that isn't just a WhatsApp account or a random email address, and there will be more ways for you to engage with the platform. But yeah, I mean, typically these types of websites try and make it look legitimate, try and potentially copy something like a StubHub that people would be used to visiting to buy their tickets. So they, you know, they'll just try and make it look as believable as they can.

We'll be right back.

And now a word from our sponsor, KnowBe4. Where would infosec professionals be without users making security mistakes? Working less than 60 hours per week, maybe actually having a weekend every so often. While user behavior can be a challenge, they can also be an infosec professional's greatest asset, once properly equipped. Users want to do the right thing, but often lack the knowledge to do so. That's one of the reasons KnowBe4 developed SecurityCoach, a real-time security coaching tool that takes alerts from your existing security stack and sends immediate coaching to users who've taken risky actions. Supporting security tools will likely block a user from visiting a high-risk website, for example, but the user might not understand why. SecurityCoach analyzes these alerts and provides users with relevant security tips via email or Slack, coaching them on why the action they just took was risky. Help users learn from their mistakes and strengthen your organization's security culture with SecurityCoach. Learn more at knowbe4.com/securitycoach, that's knowbe4.com/securitycoach. And we thank KnowBe4 for sponsoring our show.

Is there anything suspect about the domain itself? I mean, where you, it's Paris24tickets.com, in this case, I mean, that doesn't throw up any huge red flags to me, but did you all look around to see if this was popping up in other places?

So we didn't see it beyond what we suspect is distributed via search engines. So when someone Googles it, it might pop up as an ad or it might pop up as, you know, high up in SEO as the search results. But it was interesting because it was registered fairly recently. So if you look at sort of the history of the domain itself, it was registered back in March of 2024. So of course, you know, something that would be a more legitimate ticketing site would have a lot of longevity. Of course, the Paris Olympics have been planned for years. So that's a little bit suspicious. Also, when we were looking at when the site was live and available to be produced, there was overlap with some infrastructure of another suspected ticketing website. This ticketing website, we did Google around a little bit, and it had many, many, many fraudulent reports. We saw hundreds of complaints on various scam reporting websites claiming users never received tickets they paid for. They only received one of a bundle of tickets or, you know, they, like I said, they received these fake tickets. And so seeing some of that overlap with the Paris tickets suggested that this is probably not an authentic website, this might be something that these, you know, the threat actors, whoever's behind the website, might be running similar ticketing or sporting events types of scams. And again, while we were investigating this, we did see other domains unrelated to this one, but other ones that appear to be legitimate ticket sites, but showed up in scam reports and from various sporting organizations saying, look out for these domains, you know, these aren't authentic. The only way to buy tickets is through our official website. So it's definitely something to watch out for. And it's really also worth noting too, just before we published our research, the French Gendarmerie Nationale, in their efforts in collaboration with Olympics partners, they actually published details that they identified over 300 fraudulent Olympics ticketing websites. They were able to shut down a few dozen of those and others had received sort of formal notifications from law enforcement. So law enforcement, the Olympics folks, people are looking into this. And so it was great to see that that was published in various French websites about, you know, how a lot of these efforts are focused on fraudulent ticketing. They're really looking out for the Olympics ticket holders. They want to make this a really great experience. And you know, for those of you that are interested in buying tickets, beware of these sites. And there is, of course, the official Olympics website to purchase those.

Yeah, part of what's frustrating here is that it's not like you have to go digging into the back alleys of the internet to find this website. I mean, as you say, when we started here, this is the second thing that pops up if you do a very broad, innocent Google search for the Paris Olympics. I mean, to me, that just, that is kind of maddening itself.

I think we're in an interesting space right now where threat actors are using a lot of different methods to distribute fraudulent content. Of course, you know, malicious ads are one thing, SEO poisoning. You have things like fake updates, so compromising legitimate websites with malicious web injects to deliver malware. So there's a lot of things that threat actors are using that appear benign or appear legitimate but are actually malicious. And so unfortunately, a reality of life as a digital native is that you have to be really mindful of what you're clicking on. And if you are looking for something very specific, make sure that you're only visiting trusted websites. Of course, a search of Paris 2024, whatever, unfortunately showed something that wasn't the legitimate website. But if you scroll past the sponsored ads, then you really land on, okay, this is the Paralympic and Olympic 2024 games in Paris, and have all the information you need. But yeah, it's really important to be mindful of a lot of this. And unfortunately, we can fall into some of these traps very easily if we're not really paying attention, if we're just kind of clicking on things, minding our own business, going about our day-to-day. It's very similar to what we see with social engineering and emails, trying to make something look believable so you'll engage with the content and send money or data or something that you shouldn't to a threat actor. Yeah, it's very interesting, and I honestly was kind of surprised. I was like, this is weird, but I guess this is just what it is, and especially around major events like the Olympics, you're going to see fraud occur.

Yeah, how do you rate the sophistication of this particular group compared to others that you've seen?

Well, in this particular case, we didn't dive into the who behind it. But in terms of the setup of the website, the association with other likely fraudulent or suspicious websites, they do put some effort into making this look legitimate. However, if you do kind of push beyond the window dressing, it doesn't have the ring of authenticity that you might see from some very, very well-designed websites. You have, like I mentioned, a lot of misspellings, grammatical errors, WhatsApp contact, things that they appear to have copy-pasted, some language from potentially other fake ticketing websites, on their website. So I think it wasn't really that sophisticated, but it is notable that they are appearing, or were at this point appearing, in advertisements. But I think with vigilance and hopefully work, threat researchers, the folks working on the Olympics, the law enforcement can do due diligence and get some of these things taken down.

Yeah. What are your recommendations then? I mean, for folks to best protect themselves against this, what should they do?

So it's so important that if you are buying tickets to the Olympics, go to the legitimate website that is there for that purpose. They have a note on there that only the Paris Olympics website is available for people interested in purchasing tickets. But in general, if you're looking for something like Taylor Swift or Coldplay or some very popular artist or sporting event or something that tends to be a very high-interest, high-value type of event, you really want to make sure that you are purchasing tickets through the legitimate websites. And a lot of times that is going to be through a reseller like Ticketmaster or StubHub. But if you go to the website of the organizations that you're interested in watching, like I mentioned, Liverpool FC or any other sort of, you know, sporting franchise, navigate to their website and see, where do they recommend I buy tickets? Because oftentimes, googling around things, you might fall into some traps. Sometimes you'll see too-good-to-be-true, so to speak, offerings for a lot of these things. And typically, if it sounds too good to be true, it really is. So really be mindful, go to the authoritative sources, you know, make sure that if you see something that's a little bit sketchy, Google around, see if other people are reporting on the domain being sketchy or scammy. And chances are you'll have some good luck staying safe if you sort of follow these best practices.

And that's Research Saturday, brought to you by N2K Cyberwire. Our thanks to Selena Larson from Proofpoint for joining us. The research is titled "Scammers Create Fraudulent Olympics Ticketing Websites." We'll have a link in the show notes.

The IT world used to be simpler. You only had to secure and manage environments that you controlled. Then came new technologies and new ways to work. Now employees, apps and networks are everywhere. This means poor visibility, security gaps and added risk. That's why Cloudflare created the first-ever connectivity cloud. Visit cloudflare.com to protect your business everywhere you do business.

We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. We're privileged that N2K Cyberwire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter. Learn how at N2K.com. This episode was produced by Liz Stokes. We're mixed by Elliott Peltzman and Trey Hester. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karp. Simone Petrella is our president, Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time.

This September 18th and 19th in Denver, a tight community of leading experts is gathering to tackle the toughest cybersecurity challenges we face. It's happening at mWISE, the unique conference built by practitioners for practitioners. Brought to you by Mandiant, now part of Google Cloud, mWISE features one-to-one access with industry experts and fresh insights into the topics that matter most, right now, to frontline practitioners. Share early and save at M-WISE.io/Cyberwire, that's M-WISE.io/Cyberwire.

[MUSIC]