League profiles provide cybercriminals with the details needed for a targeted phishing campaign
Companies are considering blocking access to fantasy football sites because of security and productivity concerns. Sophos, a world leader in IT security and control, is urging online fantasy sports fans around the world to rethink their game strategies as league profiles could be used for targeted phishing attacks stemming from information posted on these sites.
Research conducted by Sophos has discovered that players of online games like Fantasy Football often post their real names, email addresses and even phone numbers. This information paired with personal preferences, such as favorite teams and players, provides a cybercriminal with all the information needed to design and orchestrate a successful phishing campaign that could steal additional personal information, illicit money or load malicious spyware or viruses onto a desktop.
In the US, the National Football League (NFL) is now top of mind for millions of sports enthusiasts. Spam messages offering fantasy football newsletters, player statistics and inside information on rising NFL stars can be crafted to look like something a fantasy player would typically register for, increasing the likelihood of a click through from the spam message. However, these emails could contain malicious content or hyperlinks designed to infect computers with spyware or steal passwords and username information.
For example, an NFL-themed version of the Storm worm (also known as Dorf), has in recent days been spammed to fans under the guise of a game ticker when in reality it contains malicious links that can lead to denial-of-service attacks.
A recent survey by Sophos has revealed that many workers are accessing Fantasy Sports websites from the office, potentially putting their company's data at risk.
Sophos's survey discovered that:
More than 70% of employees polled participate in fantasy sports leagues
65% of those monitor their team's performance from the office
"As fantasy sports leagues are gaining popularity everywhere, its imperative that users remain educated on potential security threats that could arise from fantasy play," said Ron O'Brien, senior security analyst at Sophos. "Fantasy players should be extremely cautious about the information they provide in their profiles and should also review and utilize the security settings provided by each fantasy league. Knowing someones favorite football team and email address increases a hackers success rate by playing off a persons interests."
In a separate survey, Sophos has revealed that a total of 65% of administrators said that employees should not be able to access fantasy leagues websites from the workplace:
Survey question - Do you think people in your company should be allowed to access Fantasy Football/Baseball/Hockey websites at work?
- Yes 35%
- No 27%
- No, and I'm sick of people wasting time at work! 38%
Sophos online survey, 200 respondents, 6 - 11 September 2007.
"It's clear that businesses are seriously considering restricting access to these kinds of sites. Employees may not like it, but websites like these can represent a security risk if used carelessly. Unless there's a work purpose, many firms do not see any reason why staff should need to access them during work time," continued O'Brien. "Companies are increasingly looking to secure and control their workers' web activity because of the impact it can have on the company in terms of productivity, bandwidth and security."
To avoid personal or corporate security risks, Sophos reminds users to always verify the authenticity of any message they receive prior to clicking any links or opening attachments.
Sophos recommends companies protect themselves with a consolidated solution which can control network access and defend against the threats of spam, hackers, spyware and viruses.