Cyber Attacks continue to increase – be prepared

Date: 18/06/2024


The number of cyber-attacks targeting venues has increased drastically over the last few years. Venues need to prepare themselves for such incidents, as the question is no longer “if” but “when”. One element to include in this preparation is the education of our clients, as a recent scam demonstrates. In addition, it is important to share information, even if a successful attack is not a venue’s finest moment.

For two years now, AIPC has had a Cyber Task Force in place. Its purpose is threefold: collect and analyze data on cyber-attacks targeting convention centers, exchange information between venues via webinars, and inform the community on the types of cyber-attacks and the impact they have via an intelligence newsletter. Of course, AIPC itself does not have the knowledge to do so, and therefore we have created a partnership with a global cyber security company, Paratus from Estonia.

The way it works is very straightforward. AIPC members send information on incidents (varying from spamming via e-mails to attempts to hack systems) to a central secure mailbox, hosted by AIPC but managed by Paratus. The information is then securely anonymized, collated, analyzed and transformed into a report which is sent out on a monthly basis. What we have seen in these two years is a drastic increase both in intensity (the number of attacks) and in the level of sophistication.

Phishing (broad attacks via e-mails to obtain confidential information) and spear phishing (personalized e-mails targeting individuals) remain by far the most popular methods of attack (41% and 32% respectively), and their number continues to increase (by 9% this year so far). What is, however, a growing area of concern is the level of sophistication. These are no longer e-mails which are badly written and/or full of spelling mistakes. The content looks genuine, is often embedded in an e-mail chain (making it look like an exchange of e-mails took place) and contains links or icons which look very real (e.g., the logo of Docusign, a platform used by many companies to digitally sign documents).

Very recently, a new type of attack was discovered. Cyber criminals got hold of a list of exhibitors of a recurring event (often published online by the event centres themselves) and reached out to them, pretending to be the sales team of the venue and making an offer “which could not be refused” but which required payment within 72 hours. What made this case so interesting is that it proved to be quite simple to set up such a scam and make it look real. The key element is something called a “domain name”, the part of a network address that identifies it as belonging to a particular domain (e.g. @aipc.org). On websites like GoDaddy, domain names can be purchased for a relatively small amount for a period of 3 years. We invite all of you to have a look and enter the domain name of your company in the search engine. You will be surprised how many similar domain names are available.

Once the domain name is purchased, it is very straightforward to clone the website of the real company (not every feature needs to work) and to create mailboxes using the names of the real persons working in the company, but with the similar domain name purchased (for example, John@aipc.org becomes John@aipc.com). The likelihood that the client would notice the difference is limited, especially if the message sent includes a sentence like “… and have a look at our new website”. Once all this is in place, which can be done in one day, the actual work can begin: reaching out to all the exhibitors with the fabulous offer if paid within 72 hours. The impact of the scam is threefold: the reputation of your company is damaged, your clients have lost money (and might blame you for it) and there is the cost of repairing the situation. A further issue, unlike with a physical accident, is that recovery from an incident in the digital realm takes years.
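The defensive counterpart to the case above is a lookalike-domain check on incoming sender addresses. The following Python is an added example, not code from the article, AIPC or Paratus: it takes a list of the organisation’s real domains (aipc.org, from the article) and flags senders whose domain is the same name with a swapped TLD (the John@aipc.com case), embeds the real name, or is one typo away; all other addresses are constructed samples.

```python
# Added example: flag lookalike sender domains for a mail gateway or help-desk triage script.
# LEGIT_DOMAINS comes from the article; every other address below is constructed sample data.
from typing import Dict, Iterable, List, Optional, Tuple

LEGIT_DOMAINS = {"aipc.org"}


def split_domain(domain: str) -> Tuple[str, str]:
    """Split 'aipc.org' into ('aipc', 'org'). Naive: treats the last label as the TLD,
    so multi-label suffixes such as 'co.uk' would need a public-suffix list."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[:-1]), labels[-1]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute) for one-typo detection."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reason(sender: str, legit: Iterable[str] = LEGIT_DOMAINS) -> Optional[str]:
    """Return why the sender's domain looks like one of ours, or None if it is
    genuinely ours (including subdomains) or unrelated."""
    domain = sender.rsplit("@", 1)[-1].strip().lower()
    name, tld = split_domain(domain)
    for good in legit:
        if domain == good or domain.endswith("." + good):
            return None  # our own domain or a subdomain of it
        gname, gtld = split_domain(good)
        if name == gname and tld != gtld:
            return f"same name as {good} with a different TLD (.{tld})"
        if gname in name:
            return f"embeds the name of {good}"
        if levenshtein(name, gname) == 1:
            return f"one edit away from {good}"
    return None


SAMPLE_SENDERS: List[str] = [  # constructed: mirrors the John@aipc.org -> John@aipc.com case
    "John@aipc.org", "John@mail.aipc.org", "John@aipc.com",
    "sales@aipc-events.com", "John@alpc.org", "partner@example.com",
]


def scan(senders: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each sender address to a suspicion reason (None means not a lookalike)."""
    return {s: lookalike_reason(s) for s in senders}


if __name__ == "__main__":
    for sender, reason in scan(SAMPLE_SENDERS).items():
        print(f"{sender:26} {reason or 'ok'}")
```

The same check can be run from the client side: an exhibitor only needs the venue’s real domain list to test the sender of an unexpected “offer”.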

What this case also demonstrates is the need for education, not only within your company (e.g., making sure that lists of clients, contact information, etc. are not available on your website) but also with your clients. While there are several techniques to secure communication (e.g. two-factor authentication), your client needs to be aware of them and should indeed report any communication received which does not comply with the communication policy agreed upon. Just ask yourself the question: would your client notice if this happened, and would your client trust you?

AIPC and Paratus will continue to collect and analyze data, inform our members and organize education on this topic for the AIPC community, but we would encourage everyone to have a discussion on this topic within your organization and make sure you have a plan in place. Because it will happen.

Note that the first ever AIPC Cybersecurity bootcamp will take place at the ECCL in Luxembourg from 9-12 September. Do not miss it! Register today.

Sven Bossu, CEO AIPC 
Robert McClure, Managing Director, Paratus 
