MISCELLANEOUS

Rogue Apps Might Spoil Your Fun around Champions League Final

Placing a bet in favor of your favorite team around the Champions league final can get real ugly for your bank account

E-mail lotteries, last minute tickets bargains, surprise ticket winnings and promo vacation package for the Champions League final are flooding the Internet this month. It may be difficult for you to be able to filter all that’s coming to you these weeks, since all these scams are ever more perfected as they prove to be extremely rewarding for the crooks.

Taking advantage by the increased search queries placed with popular search engines around highly-mediatized events such as football cup finals, concerts, royal weddings or famous people’s death, cyber-criminals set up both old and new traps for enthusiastic and curious computer users. The Champions League final is no exception to the rule as various baits are thrown at fans who might get lured into taking a costly “opportunity”.

These past years, our labs saw a couple of social engineering-based scams especially crafted to take advantage of fans around important soccer competitions. One of them is the Champions League E-mail Lottery according to which “the Local Organizing Committee of the European Champions League” was “glad to announce to the world the giving away of the sum of SEVEN HUNDRED THOUSAND UNITED STATES DOLLARS to 100 lucky email addresses all over the world.” The users’ e-mails were claimed to have been randomly chosen “through a computer ballot system drawn from over 1,500,000 companies and individual E-mail addresses database”. All they need to do was fill in a form with a lot of sensitive data amongst which name, address, e-mail, occupation, country and credit card info. The crooks were this way able to put their hands on a large amount of info, which later on could be used for malicious activities such as spam, money mulling or impersonations.  

Another malicious initiative spotted around the Champions League final was a spam campaigns meant to target UK-based football fans that were of course eager to get a ticket to the final. The scam ran like this: the users had to send an SMS message to a short telephone number and vote for their favorite team in order to sign-up for a free-ticket lottery. This SMS, however, cost the UK football fans “£5 excluding VAT," which alone brought the crooks a significant gain. Needless to say, that no one ever won a ticket to the final out of that scam.

Euphoria, friends, favorite team might end up badly. For this year, I would like you to imagine the following scenario: it is Saturday, 28th of May and you are with your friends watching the confrontation between FC Barcelona and Manchester United FC. The game turns out to be as you’ve anticipated and you decide even to place a bet. But make sure this bet doesn’t cost you too much in the end. Wi-Fi enabled mobile phones present a high risk with respect to the privacy of your data transfer. The login credentials can be intercepted somewhere in between your smartphone, PC or laptop and the betting website. 

The Internet is full of rogue applications containing dodgy code meant to steal sensitive data from your smartphone. All these applications are “malformed” versions of legal apps (such as Photo Editor,Scientific Calculator, Super History Eraser, Super Guitar Solo, APP Uninstaller only to name a few) which could easily make them pass as safe since some of the users have already downloaded a few of the legit ones. This is what we call hiding in plain sight.  

Google has banned a lot of these dangerous applications from the Android Market in order to protect the unwary users from becoming targets. However, it is not safe to say that all the malicious apps are out, since around events their number usually starts growing and they become targeted, thus harder to spot. And once downloaded onto the mobiles, these well-disguised spies “agents” start gathering critical data that is immediately sent to crooks while also leaving a backdoor open for future remote wrong-doings.

Some other applications impersonate e-banking or stock manipulation services, but instead they are mere phishing tools that simply deprive you of your credentials first to either rob you or steal your identity later on. So should you decide to place a bet via your smartphone and you are not paying attention to the app you are using in this direction, then you might end up accessing a page that has been spoofed or had been created for such events only that is designed to take your credentials and end up with your money and/or your identity. 

Spam and phishing carrying e-mails may also bombard you these days around the Champions league finals. Crooks may feed you either a nice story about you being the lucky winner of a premium ticket to the final at Wembley or links towards your favorite online betting website, where you can make a fortune. But whatever you do, firstly make sure that you land on the right page by checking the browser’s URL bar and also look for the presence of a security certificate. Manually entering the website’s address may prove to be a blessing in this case as compared to taking a chance and clicking a link received through instant messaging services or via mail.

Crooks come up with various scams created to meet the exact need and interest of a variety of computer & smartphone users. That is why you need to proceed with caution when you decide to buy a ticket from eBay, for instance. It is possible that, although advertised, the item doesn’t exist and chances are that you end up paying for something that will never be delivered to you. Moreover, never consider yourself as lucky as to win a ticket if you’ve never signed up for such a contest.

Last, but not least, if you’re a fan of “Artificial Intelligence”-based predictions, be careful as to what prediction software you’re using. Around sports events, malware creators usually come up with rogue “sports prediction software”, which are highly expensive applications that randomly display the “probable” scores. Other such applications which are distributed for free can carry malware, so make sure that you’ve scanned them with an updated antivirus before using them.

All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.

About the author

Loredana BOTEZATU

A blend of teacher and technical journalist with a pinch of e-threat analysis, Loredana Botezatu writes mostly about malware and spam. She believes that most errors happen between the keyboard and the chair. Loredana has been writing about the IT world and e-security for well over five years and has made a personal goal out of educating computer users about the ins and outs of the cybercrime ecosystem.