March Madness or March Badness?

In a uniquely American springtime tradition, the NCAA Tournament is once again upon us, and it will determine which teams reign supreme on the college basketball front. For those outside the US, it’s probably mystifying why basketball at the university level could possibly be so interesting, but Stateside, the tournament’s popularity is nearly unrivaled (the annual NFL season may trump it for overall engagement, but perhaps just barely).

It’s better known as March Madness. This is the time that NBA talent scouts are out in force, and it gives us a chance to marvel at and handicap the next generation of pro stars. As far as basketball goes, the games are more exciting than the matches on the professional level (these 40-minute games tend to be incredibly close and scrappily fought), but there’s actually one main reason everyone goes gaga for the tournament: money.

As you read this, there are people from all walks of life who have spent an ungodly amount of time preparing their predictions for winners and losers (in local parlance, they have “chosen their brackets”), dumping money into office pools and online betting engines, planning weekend trips to Vegas and figuring out how to stream the games to keep on top of what’s happening out there on the paint, even while at work.

Plus, billionaire Warren Buffett is offering $1m for every year of life to any of his employees who can pick a perfect NCAA tournament bracket (i.e. all the winners) through the Sweet 16 (that’s the Round of 16 equivalent, for you soccer/footy fans). This year, he said he’ll double the prize if a team from his home state of Nebraska takes the title.

It is against this heady, greenback-scented backdrop that cyber-criminals are looking to work their dark arts. Phishing mails, fraud lures, fake betting and streaming sites and more will inundate the landscape over the next few weeks, potentially providing more angst to victims than a flustered LeBron James could ever muster.

“March Madness is back and with it comes a great opportunity for cybercriminals who are intent on making some quick cash,” said Steve Durbin, managing director of the Information Security Forum, via email. “Email infection, fake betting websites and traditional phishing attacks are all expected to have their day in the sun. The number of winners over the next couple of weeks will be pretty astonishing, however, just be sure you’re on the right side and don’t end up becoming another statistic on the losing side.”

Fortunately, there are steps to take to protect oneself, mainly revolving around common sense (which, arguably, goes against the “madness” in March Madness).

“First of all, avoid emailed requests to participate in polls, surveys and contests related to March Madness, unless you know that you personally signed up to be a part of such things from a known, and reputable, site,” said Nathan Wenzler, chief security strategist at AsTech, via email. “Unsolicited appeals to sign up and provide information may be efforts to steal your personal information. Likewise, never click on links or attachments in emails. If you're involved in a tournament bracket, enter the site into your browser directly.”

He also warned that phishing emails may eventually forward you on to the right site, but they can also take over the session first, directing you to other sites that download ransomware or malware to your system before they forward you along.

“Lastly, never share personal information such as passwords, account numbers, answers to personal verification questions or any other sensitive information that can be used to identify you,” he added. “If you're not sure whether an email is authentic or not, the best thing you can do is ask. Legitimate organizations have ways to validate emails from their site through their web sites and/or support teams.”

Dan Lohrmann, chief security officer at Security Mentor, noted that the onslaught of criminal activity should be expected, as criminals look to hoop major wins for this and other popular sporting events. We can expect activity around the upcoming World Cup, for instance, to be just as virulent.

“With March Madness, just as in other major sporting events where millions of people are watching, bad actors are going to try to make money using time-tested, fraudulent means,” he said. “These online trends almost always play out before, during and after the events take place. Cyber-criminals are completely prepared for the excitement and hype surrounding March Madness by infecting emails with malware, creating fake betting websites and growing the number of phishing attacks they carry out.”
