The final month of the Islamic calendar, Dhu al-Hijjah, began on June 7, marking the countdown for millions of Muslims to the Hajj pilgrimage, and also a time when cybercriminals and cyber-espionage actors see increased opportunity amid reduced vigilance and slimmed staffing.

While many of the cyberattacks are focused on pilgrims as consumers of travel services, a variety of businesses — from banks to e-commerce sites — are at greater risk of data theft and denial-of-service attacks, according to experts. On June 3, for example, cyberthreat actors announced a data leak on an underground forum that allegedly contained the personal information of 168 million users from “The Hajj and Pilgrimage Organization in Iran,” according to cybersecurity firm Kaspersky.

The attacks highlight the two aspects of how cyberattackers see the Hajj season: as an opportunity to take advantage of pilgrims, but also as a time of reduced resources for security teams, making business and government agencies vulnerable, says Amin Hasbini, head of global research and analysis team for the Middle East, Turkey, and Africa region at Kaspersky.

“Companies in the Middle East and other regions need to exert extra caution during holiday seasons such as Hajj — the absence of certain employees needs to be accounted for to ensure smooth operations and maintaining security efficiency and productivity,” he says. “Overall, it’s challenging for companies to have the right resources available and ready, in addition to the right policies and plans to complete the handover transition correctly, creating weaknesses that could be abused by threat actors.”

The Hajj, which starts on the eighth day of the Islamic month and lasts four to six days, marks nearly a week of religious holidays for the Middle East and for an estimated 2 billion Muslims worldwide.

While Kaspersky sees threats affecting Saudi Arabia and other countries in the region drop by as much as 30% during the week of the Hajj, cyberattacks then quickly rebound. In 2022, for instance, when Saudi Arabia once again opened the annual Hajj pilgrimage to the world following the COVID-19 pandemic, cyberattacks doubled to more than 2 million during the month of Dhu al-Hijjah, which officially starts with the appearance of the new crescent moon.

While Saudi Arabia did not report data on cyberattacks in 2023, other countries have seen similar increases in attacks, says Shilpi Handa, associate research director for security at IDC’s Middle East, Turkey, and Africa group.

“Annually, there’s a significant surge in cybersecurity incidents reported by multiple security organizations in the Middle East,” she says. “Similar findings are reported all over the region after the conclusion of Hajj each year.”

Cyber Scams

The cyber threats linked to the Hajj pilgrimage typically begin early in the year, as cybercriminals aim to take advantage of Muslim adherents planning to make the trip to Saudi Arabia. Attackers use fake travel agencies, social media scams, or attacker-controlled online registration sites to entrap unsuspecting victims. Saudi Arabia’s Ministry of Hajj and Umrah, which manages services and infrastructure around the pilgrimages, launched a government platform, Nusuk, that connects prospective pilgrims with legitimate operators and sites, which has significantly reduced fraud.

However, advanced threat actors have used messages and notifications about the Hajj as a way to lure employees into opening links and attachments in email. From January to May 2024, for example, an India-linked threat group — alternatively known as Sidewinder and Rattlesnake — has used Hajj-related emails to target users in Asia and Africa, according to Kaspersky.

The problem for many companies is that employees often use their business email in Web forms, or expose themselves to threats through social media, says Shawn Loveland, chief operating officer for Resecurity, a global cybersecurity service provider with clients in the Middle East.

“It’s concerning how many employees use their business email on personal websites,” he says. “If their PII gets scammed, now the threat actors know where you work. … Employers should be helping to educate their employees about online fraud, because in addition to protecting the employee, it will protect the business.”

As part of its effort to combat fraud, Resecurity detected and blocked more than 630 social media accounts publishing scams targeting people preparing for Hajj season, the company stated in a report on Hajj-related fraud.

Defending With Reduced Head Count

Saudi Arabia has taken the threat seriously. The country’s National Cybersecurity Authority (NCA) conducted a comprehensive cyber exercise with more than 200 agencies represented by more than 600 officials and specialists, with a specific focus on cybersecurity during the Hajj season.

The exercise, which the country also conducted the previous year, leaves it well-prepared to handle potential cyber incidents, IDC’s Handa says.

“Drills are [being] conducted across the region to counter cyberattacks,” she says, with the government “establishing a 24/7 cyber-operations room to monitor and analyze cyber threats and share results with national agencies, allocating cyber-incident response teams, and conducting assessments to measure the cyber-risks of sensitive assets.”

Businesses should take a page from Saudi Arabia’s playbook, says Kaspersky’s Hasbini. While attacks typically drop off for the week around the Hajj, security teams are also short-staffed, often leaving response times slower. Planning to identify and respond to incidents under such restrictions makes for good preparation.

“While the risk of mistakes by an insider is lower when employees of an organization are out of office, we see a bigger risk if the responsibilities of employees in the IT or IT security departments … are mishandled or simply ignored, opening up weaknesses for attackers to abuse,” he says.

Companies should be clear in their delegation of duties when there is a shortage of cybersecurity specialists and establish clear protocols for communications, Hasbini says.

Source: www.darkreading.com