Zscaler ThreatLabz is always on the lookout for threat actors trying to take advantage of major world news and events. The FIFA World Cup 2022 has brought with it a spike in cyber attacks targeting football fans through fake streaming sites and lottery scams, leveraging the rush and excitement around these uncommon events to infect users with malware. Similar to the rise in sites and cyber attacks observed in 2020 during the Tokyo Olympics, recently ThreatLabz has observed an increase in newly registered domains related to the FIFA World Cup. Not all of these domains are malicious, but as defenders it is important that we classify all newly registered domains as suspicious and conduct analysis to weed out hidden offenders.
Below is an overview of the traffic trends and cyber attack campaigns observed around the upcoming FIFA World Cup event.
Key Points
- As the FIFA World Cup nears, ThreatLabz researchers have observed a significant spike in new streaming sites with newly registered domains.
- Fake streaming sites are also using legitimate websites/ portals to post fake streaming links.
- Attackers are seen targeting users with multiple related scams like World Cup match tickets, airline tickets, and themed lottery draws etc.
- Different malware families have been jumping on board and leveraging the FIFA World Cup event to target football fans.
- Attackers are also targeting users with the malicious cracked version of the games related to FIFA/football.
- Most of the malware and scam campaigns leveraging the ongoing FIFA World Cup are using newly registered domains.
Traffic Trends
As the FIFA World Cup started ThreatLabz saw a significant increase in the number of streaming transactions starting on November 21st.
Case Study 1 : Fake streaming sites
ThreatLabz observed a spike in fake streaming sites and other scam sites that claim to be offering free streaming of the FIFA World Cup matches but instead redirect users and then prompts them to enter payment card details. Similar templates for fake streaming sites appeared in 2020 during the Tokyo Olympics. In most of the current and past cases observed by the researchers, newly registered domains are used to host the scam sites but in a few examples legitimate established sites like Xiaomi, Reddit, OpenSea, and LinkedIn host fake links that redirect to the malicious sites.
Figure 1: Fake streaming site link posted on a Linkedin profile and the redirected fake site.
In the campaign shown above, victims are enticed to visit a malicious site claiming to provide live streaming of the FIFA World Cup 2022 opening ceremony. The site then redirects to a fake streaming site hosted on Blogspot and users are prompted to create an account for free access to watch the live streaming event. In another example, a link to a fake streaming site hosted on OpenSea does the same thing.
Figure 2: Screenshots showing fake streaming site and related link posted on OpenSea.
As the user enters their email address and password credentials to create a new account, they undergo multiple redirects which finally land them on a YouTube video.
Figure 3: Redirection chain.
Visitors to many of these fake streaming sites are prompted to provide payment card details within form templates similar to the one seen below.
Figure 4: Fake streaming site payment page.
Case 2: FIFA WorldCup related scams
As the FIFA World Cup kicked off, researchers observed a rapid rise in threats and scam sites related to the event. Many newly registered sites offering World Cup tickets are being hosted by scammers trying to trick users into paying for fake tickets. The threat actors behind these scam sites are typically trying to collect fake ticket fees or steal payment card details. In the example shown below, a suspicious pop-up site offering World Cup match tickets was recently registered on Nov 15th. Due to the high number of scams like this one, many organizations select to block, limit, or analyze newly registered domains, categorized as less than 10 days old.
Figure 5: Fake FIFA match ticket site.
These ongoing scams are not limited to the World Cup match tickets but instead extend to many aspects of the ongoing FIFA World Cup fever. ThreatLabz has also observed a scam where users are offered prize money and airline tickets by Qatar Airways. The domain for the related scam site, shown in the screenshot below, was registered on Nov 11th, this timing suggests to researchers that the attackers behind this attack site are targeting World Cup fans.
Figure 6: Scam website with fake Qatar airline lottery message.
Attackers are also seen targeting users by sending fake lottery emails and pretending to be a Qatar FIFA World Cup 2022 lottery committee. Below is one such email which has an attached PDF with the lottery details.
Figure 7: Scam email imitating the FIFA organizing committee.
In this scam, an email with a PDF attachment identifies the target victim as the prize winner of a large lottery drawing. Users are asked to open the attachment and send their personal details to claim the award money.
Figure 8: PDF file attached to the scam email.
Case 3: SolarMarker malware activity
SolarMarker is a well-known malware family with infostealer capabilities that use Search Engine Optimization (SEO) manipulation techniques to lure in victims and deliver the initial payload. Most commonly, ThreatLabz researchers have observed these attackers hosting the malicious PDF files on compromised Wordpress sites with discoverable URLs and search engine results. ThreatLabz observed a few cases where SolarMarker is targeting the football fans trying to buy WorldCup stickers from compromised ecommerce sites. When the user clicks to download one of these fake PDFs they are automatically redirected to a hacker controlled site that delivers the malicious Microsoft's Windows Installer (MSI) service payload to perform the rest of the attack.
Figure 9: Malicious PDF file hosted on the compromised site.
Case 4: Fake cracked FIFA game distributing infostealer through PDF
Attackers are using malicious PDF files hosted on compromised websites to deliver infostealers by luring users to download what they think is an illegally cracked recording of the FIFA games. In August, ThreatLabz observed a similar threat campaign for fake pirated software downloads, but in comparison, these new discoveries feature several enhancements along with the use of malicious PDFs. Notably, these attackers are also using SEO manipulation techniques to list the malicious PDF links in ‘cracked FIFA games’ search engine results. As noted in the August threat campaign, one of the key characteristics of these threats is that they target victims that are doing something they shouldn’t be - like searching for versions of pirated software and cracked games that require payment for legitimate access. Targeting this type of fringe risk-taking behavior by users definitely gives attackers an advantage, because victims are already expecting a shady and unfamiliar site run by hackers. Additionally, the ability to verify the safety of a site, link, or file is beyond the technical capabilities for most general visitors.
Figure 10: Malicious PDF file that downloads malware.
As the user clicks to download the PDF, they are instantly redirected to a newly registered domain that serves up an archive file containing the malicious executable.
Figure 11: Screenshot of the malicious fake ‘cracked game recording’ download prompt that delivers the malicious payload when user clicks to download the file.
Case 5: Parrot TDS fake updates malware
Parrot TDS is the fake update malware campaign, active since 2017, that works by injecting malicious JavaScript code into poorly secured content management systems CMS (i.e. Wordpress, Joomla), typically with weak admin passwords. In most cases Parrot TDS threat actors lure victims to download the infecting remote access tool file by displaying a notification that the user is missing critical browser updates. The Parrot TDS script also filters the users based on their IP addresses and user-agents. ThreatLabz recently observed that FIFA World Cup information sites are being targeted by this malware, as shown in the screenshot below.
Figure 12: Malicious Parrot TDS script injected in compromised Wordpress site.
Guidelines to protect against these attacks:
- Book FIFA World Cup airline tickets only from the authorized vendors and verified sites.
- For online streaming the World Cup matches only use the FIFA World Cup’s streaming partner’s website.
- Beware of fraudulent emails related to lottery or give away scams.
- Avoid downloading cracked software and games from untrusted websites.
- Don’t fall for exciting “too good to be true” offers from unknown sources, and be extremely wary of clicking on links or documents from these sources.
- Always make sure you are utilizing HTTPS/secure connections.
- Use two-factor authentication whenever possible, especially on sensitive accounts such as those used for banking.
- Always ensure that your operating system and web browser have the latest security patches installed.
- Backup your documents and media files - this is extremely important with ransomware infections.
Indicators of Compromise
Fake/ Scam websites
linkedin[.]com/pulse/official-fifa-world-cup-2022-live-micker-hukkker
fifaworldcupontv[.]blogspot[.]com
opensea[.]io/collection/fifa-world-cup-2022-qatar-vs-ecuador-watch-hd-onli
sportsevents4me[.]store
humourousretort[.]top
i13lc8k[.]cn
bestsports-stream[.]com
gatewaytoworld[.]com
Fifafootball[.]io
Fifa2022worldcup[.]net
Malicious samples
09FAF066833D24B049DBC3C824AE25E3
556858D3B8629407A65E2737C1DED5DC
277760FC389F8F21A50FB04D27519BEF
8C436293FD1221FAD3E48ECEDAE683A5
02E7CA1129049755697C8185AC8F98B9
D0DEE3AAC6A71AA9E9E4FC6E411574F0
3E74F0F073E296460C52EEE06E914B25
346E4B588F0A6EBE9E0E6B086D23E933
C87B80497B85B22BE53F52E0F2EBDF11
854D5DFE2D5193AA4150765C123DF8AD
Malicious URLs
eurotranslations[.]ie/wp-content/uploads/formidable/13/panini-world-cup-sticker-spreadsheet.pdf
wartimestac[.]site/Panini-World-Cup-Sticker-Spreadsheet/pdf/sitedomen/
ww16[.]rocklandbase[.]site
rocklandbase[.]site
xbitwiseacre[.]site
ww16[.]hornwien[.]site
hornwien[.]site
ww25[.]violentpreamps[.]site
violentpreamps[.]site
brazingonestop[.]site
ww6[.]brazingonestop[.]site
schemeresource[.]site
ww16[.]brazingonestop[.]site
karenstatus[.]site
ww16[.]followfoxconn[.]site
overadmit[.]site
earningsteel[.]site
ww16[.]hrslimwound[.]site
hrslimwound[.]site
ww38[.]violentpreamps[.]site
followfoxconn[.]site
ww16[.]idolwizardry[.]site
ww16[.]excitinghear[.]site
africanscientists[.]africa/wp-content/uploads/2022/07/kesfaus.pdf
arakusus[.]com/8c089e99b7202cce09c9fdc197d90c17waTJUERFj6tPQSyHT6Fi2fdM4hl9/clCEyFhwUkazz1uDE
brakenetic[.]com/wp-content/uploads/verowes.pdf
yzerfonteinaccommodation.co[.]za/wp-content/uploads/2022/07/Fifa_22_Product_Key_And_Xforce_Keygen___Free_Registration_Code_Free_For_Windows.pdf
sattology[.]org/wp-content/uploads/2022/07/Fifa_22_Patch_With_Serial_Key_MacWin.pdf
games-blacksoft[.]com/keygen-fifa-23-serial-number-key-crack-pc/
193.106.191[.]30/MicrosoftKeys.exe
193.56.146[.]168/del/lo2ma.exe
194.110.203[.]101/puta/softwinx86.exe
95.214.24[.]96/load.php?pub=mixinte
163.123.143[.]4/download/Service.bmp