Billions of Football fans worldwide were thrilled last month as the UEFA Football Champions League entered its group stage. 32 of the best clubs in European football are now competing for the cup. According to the Telegraph, Man City has the best shot of winning the tourney this year, followed by Paris Saint Germain, Liverpool, Bayern Munich, Real Madrid, and Tottenham. And while the best players in the world play on the field, cybercriminals are set to embark on a very different game – one played in cyberspace.
You don’t think of football when discussing cybersecurity, but there is little difference between a major football club and other enterprises regarding an attacker’s motivation. Why would a threat actor try to target a football club? First, football clubs depend on online functionalities for their day-to-day work. Fan outreach, internal communications, scouting routines, and more all rely on the internet. In November 2020, Manchester United announced that it was targeted and breached by a disruptive attack that prevented club staff from accessing their emails and other functionalities, according to Sky Sports. Such a scenario is a textbook example of a ransom-motivated attack to which clubs are susceptible.
Second, like retail chains, entertainment companies, or large corporations, football clubs often manage e-commerce shops for their merchandise and store lots of fans’ sensitive data such as payment information used to buy tickets to games and stadium tours, personal information like account logins, home addresses, and phone numbers, in-stadium preferences, and many other data points.
To understand how targeted the major European football clubs are, we double-clicked on one of the most popular services available today in the cybercrime underground — Initial Access Brokers (IABs). These markets sell access to compromised endpoints for as little as $10, allowing threat actors to get a beachhead into almost every enterprise and vendor. Unfortunately, football clubs are no different.
According to our data, more than 5,000 compromised logins (usernames and passwords) of Champions League football clubs’ websites were offered for sale on IABs markets over the last 12 months. Unsurprisingly, more than half of them were logins to Barcelona, Liverpool, Manchester City, and Juventus websites.
Assuming that the amount of compromised endpoints represents how targeted a specific football club is, we tried to understand why some clubs are bigger targets than others. We have found several parameters that affect a club’s popularity among cybercriminals:
The country of origin: On average, the English teams were more targeted than teams in any other country. Italy, Spain, France, Portugal, and Germany follow behind — which almost matches UEFA’s country rankingscoefficients: England, Spain, Italy, Germany, France, and Portugal.
The popularity of a club: It’s hard to determine a club’s popularity objectively, but generally speaking, teams that were searched more frequently on Google were more likely to be targeted. The logic is straightforward: searching a club’s name on Google can indicate a desire to buy tickets to the club’s matches or purchase its merchandise — which both usually require a login to the club’s website.
The ranking of a club: There is some correlation between clubs’ hierarchy in UEFA’s club rankingscoefficients and how much threat actors target a club. A thriving club will attract more visits to its website; hence more fans will register to the site to buy match tickets or merchandise. That said, there are a few anomalies in the data, e.g., Atletico Madrid has a small number of compromised logins, although it is ranked 9th in the continent.
The club’s Go-to-market strategy: Some clubs prefer to sell match tickets and merchandise using in-house services, while others prefer to outsource and use a ticket exchange platform. This difference may explain why 2022 Scottish champions Celtic FC had 0 logins sold on the cybercrime underground, as Celtic FC uses eTickeing.co.uk to sell tickets to its matches. On the other hand, Rangers FC, which finished last season in 2nd place, had more than ten logins sold on the cybercrime underground.
Lastly, according to our study, the most targeted group this year is Group C (Barcelona, Bayern Munich, Inter, and Viktoria Plzen), while the “safest” group is Group B (Atletico Madrid, Club Brugge, Porto, and Bayer Leverkusen). May the best club win the 2022/2023 UEFA Champions League!
Table for an infographic:
The UEFA Champions League is just like any other type of money-making initiative. When there is an online entity generating revenue, gathering and storing sensitive customer information, and accessible from devices that can be compromised, even a football club becomes a likely target of cyber criminals and can be broadly exposed on the deep and dark web.
To counter these threats, we recommend that sports franchises – and any other enterprise – take steps to monitor underground channels. Doing so can help them detect nefarious activity and compromised assets, and take responsive action before they are purchased and used to launch an attack.