Special Olympics of New York, a nonprofit organization focused on competitive athletes with intellectual disabilities, had its email server hacked around this year’s Christmas holiday and later used to launch a phishing campaign against previous donors.
Special Olympics NY provides sports training and athletic competition to more than 67,000 children and adults with intellectual disabilities across New York State (66,835 registered athletes and unified partners according to this fact sheet).
The nonprofit sent a notification to disclose the security incident to the people affected, urging the donors to disregard the last received message and explaining that the hack only affected the “communications system” that stores only contact information and no financial data.
“As you may have noticed, our email server was temporarily hacked. We have fixed the problem and send our sincerest apologies,” an email notification from Special Olympics New York told donors.
“The hack was to our communications system, which only includes your contact information and not any financial data,” the notification stated. “Please be assured that your contact information is protected and has been kept confidential.”
Phishing for credentials
The phishing emails delivered by the attackers were camouflaged as an alert of an impending donation transaction that would automatically debit $1,942,49 from the target’s account within two hours.
Using such a short time frame allowed the phishers to induce a sense of urgency designed to make the Special Olympics NY donors click on one of the two embedded hyperlinks, links that would supposedly redirect them to a PDF version of the transaction statement.
“Please review and confirm that all is correct, if you have any questions, please find my office ext number in the statement and call me back,” the phishing emails said. “It is not a mistake, i verified all twice. Thank you, have a great weekend.”
The phishing email utilized a Constant Contact tracking URL that redirected to the attackers’ landing page. This page has since been taken down but was most likely used to steal donors’ credit card details.
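The lure described above combines a deadline, a dollar amount and a tracking-redirector link to a supposed PDF statement. The following added example (not code from the article or from Special Olympics NY) scores a constructed message for those same indicators; the sender address, the redirector host list and the URL are assumed sample values.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the campaign described above (not the real message).
SAMPLE_EMAIL = """\
From: Donations <finance@example-charity.org>
To: donor@example.net
Subject: Donation statement - action required
Content-Type: text/html

<p>A payment of $1,942.49 will be debited from your account within 2 hours.</p>
<p>Please review the <a href="http://tracking.example-mailer.test/r?u=pdf">PDF statement</a>
and confirm that all is correct.</p>
"""

URGENCY = re.compile(r"within\s+\d+\s+(?:hour|minute)s?", re.I)   # short deadlines
AMOUNT = re.compile(r"\$\d{1,3}(?:,\d{3})*(?:\.\d{2})?")           # dollar amounts
REDIRECTOR_HOSTS = {"tracking.example-mailer.test"}  # assumed list of link-tracking hosts

class LinkCollector(HTMLParser):
    """Collects every href from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.extend(v for k, v in attrs if k == "href" and v)

def phishing_indicators(raw):
    """Return which lure traits the message exhibits."""
    msg = message_from_string(raw)
    text = msg.get_payload()
    sender_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
    collector = LinkCollector()
    collector.feed(text)
    hosts = [urlparse(u).hostname or "" for u in collector.links]
    return {
        "urgency_deadline": bool(URGENCY.search(text)),
        "money_amount": bool(AMOUNT.search(text)),
        "redirector_links": [u for u, h in zip(collector.links, hosts) if h in REDIRECTOR_HOSTS],
        # Links whose host is not under the sender's own domain
        "offdomain_links": [u for u, h in zip(collector.links, hosts) if h and not h.endswith(sender_domain)],
    }

def risk_score(ind):
    """Count of distinct lure traits present (0-4); 3 or more merits a closer look."""
    return sum([ind["urgency_deadline"], ind["money_amount"],
                bool(ind["redirector_links"]), bool(ind["offdomain_links"])])
```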
In a statement, Casey Vattimo, SVP of External Relations for Special Olympics NY, said that donors can now make donations securely as the issue has been fixed.
Additionally, all amounts donated to Special Olympics NY through December 31 will be tripled courtesy of Finish Line. If you wish to, you can donate by going to this donation page.
Olympics staff targeted in cyber-attacks
In related news, Tokyo 2020 Summer Olympics staff also issued a warning about a phishing campaign that delivered emails designed to look as if they came from the Tokyo Organizing Committee of the Olympic and Paralympic Games (Tokyo 2020).
They also said that the malicious emails most likely redirected recipients to phishing landing sites or infected the victims’ computers with malware if opened.
Last year, in February 2018, destructive malware dubbed Olympic Destroyer was used to sabotage systems of the Pyeongchang 2018 Winter Olympics as part of a coordinated attack that led to IT problems during the opening ceremony, such as failing Internet and television systems.
Two weeks before the Pyeongchang incident, McAfee researchers also released a report on a PowerShell-based malware strain that was used to target the same Olympics organizers right before the event’s start.