Why Super Bowl Is a Gold Mine for Mobile-Device Hackers

Fake WiFi networks, spoofed Websites and emails, and false coupons can cause super problems for fans attending Super Bowl XLIX.

Whenever large numbers of people with mobile devices gather in one place, hackers lurk in the shadows. Events such as this weekend's Super Bowl are certainly a focal point for sports fans and gamblers, but they also are a window of opportunity for bad actors to do their dastardly, untaxable business.

Following a year of one-after-another data breaches that included high-visibility hacks of Sony's email, Target's point-of-sale stations and dozens of other high-profile events, Super Bowl XLIX's mobile security is on super-high alert.

In Phoenix, Ariz., this weekend, there are an estimated 100,000 visitors to the area, and most of them will create mobile transactions that will move an enormous amount of high-stakes data. Mobile security must be a high priority at the Super Bowl this year.

How the Hacks Happen

Hacks into devices used by Super Bowl ticket-holders can happen in several ways:

--by logging on to local free WiFi networks, which is far and away the No. 1 cause of fraud actions;

--by responding to false special-offer coupons, emails or texts while in the stadium; and

--by clicking on a spoofed Website that uses automated action to gain access to personal passwords, calendars, banking information or other sensitive data.

These types of intrusions are traps that users can fall into at any time, but amid the noise and excitement at an event like the Super Bowl—and with the sheer numbers of mobile device users present in a single location—these missteps happen dozens of times a minute. Hackers, who can be located anywhere in the world, are only too happy to pick up the pieces of such mistakes.

"In the past, we've seen an incredible number of threats caused by the free WiFi networks at airports," Adi Sharabani, CEO of Palo Alto, Calif.-based Skycure, told eWEEK. "We expect to observe an increase in total risk affecting mobile users around the Phoenix, Ariz., area as we approach Super Bowl Sunday."

New Tricks Are Expected

Sharabani's enterprise security-services company is red-flagging the Super Bowl for a potential new wave of sophisticated device-level and network-based attacks. The sophistication of attacks, he said, rises proportionally with the potential ROI of the event—and the Super Bowl is one of the best such events in the world for hackers.

What hackers are looking for before, during and after the game is user data, such as passwords, private emails and photos, and calendar events. Hackers can also use ploys such as malicious profiles to gain bank account details to perform automated transactions or other actions on a victim's "behalf," Sharabani said.

Here is a short video demonstrating the capabilities a hacker can gain on your device when you connect to a malicious network.

Free WiFi networks are by far the most troublesome attack surface for both network-based and malware attacks. On average, Sharabani said, Skycure identifies a potential threat in 10.1 percent of all networks. "Visitors to the Super Bowl in Phoenix should be especially cautious about getting onto any WiFi network or using a mobile phone in and around the Super Bowl stadium," he said.

Trickery is the Key Factor

At the Super Bowl, there will likely be a variety of threats, Sharabani said. Common ones identified in the past include the "Evil Twin" attacks and app spoofing.

"We also see a lot of legitimate services that capture users' emails and personal data," he said. "We have seen many cases where attackers direct their attacks on these services and gain access to sensitive data. Usually targeting Android users, malicious apps get installed onto devices by trickery as distracted users click too quickly on what appear to be complementary services. iOS devices are also vulnerable as malicious profiles, wirelurker and masque attacks become increasingly prevalent."

Another piece of advice: Do not click "Continue" on suspicious pop-ups. "Did you know that 92 percent of users click on 'continue' buttons without realizing the exposure risk?" Sharabani said.

"The main piece of advice I would offer is this: Just be careful. If you see an email, a Website, a text message, a coupon—anything—that does not look familiar, be wary. Don't get caught up doing something on your phone you do not normally do. This is where people get into trouble," Sharabani said.

Skycure is alerting the public to identified threats via Twitter: @SkycureSecurity #MobileSecurity #SuperBowl. Super Bowl visitors can also actively search for the current threats by going here.

Chris Preimesberger

Chris J. Preimesberger

Chris J. Preimesberger is Editor-in-Chief of eWEEK and responsible for all the publication's coverage. In his 13 years and more than 4,000 articles at eWEEK, he has distinguished himself in reporting...