Zscaler ThreatLabz is always on the lookout for threat actors trying to take advantage of major world news and events. The FIFA World Cup 2022 has brought with it a spike in cyber attacks targeting football fans through fake streaming sites and lottery scams, leveraging the rush and excitement around high-profile events to infect users with malware and steal their money and credentials. Similar to the rise in sites and cyber attacks observed in 2020 around the Tokyo Olympics, ThreatLabz has recently observed an increase in newly registered domains related to the FIFA World Cup. Not all of these domains are malicious, but as defenders it is important to treat every newly registered domain as suspicious and analyze it to weed out the malicious ones.
Below is an overview of the traffic trends and cyber attack campaigns observed around the ongoing FIFA World Cup event.
As the FIFA World Cup started, ThreatLabz saw a significant increase in the number of streaming transactions beginning on November 21st.
Case 1: Fake streaming sites
ThreatLabz observed a spike in fake streaming sites and other scam sites that claim to offer free streaming of the FIFA World Cup matches but instead redirect users and then prompt them to enter payment card details. Similar templates for fake streaming sites appeared in 2020 during the Tokyo Olympics. In most of the current and past cases observed by the researchers, newly registered domains are used to host the scam sites, but in a few examples user-posted content on legitimate, established sites such as Xiaomi, Reddit, OpenSea, and LinkedIn carries the fake links that redirect to the malicious sites.
Figure 1: Fake streaming site link posted on a LinkedIn profile and the redirected fake site.
In the campaign shown above, victims are enticed to visit a malicious site claiming to provide live streaming of the FIFA World Cup 2022 opening ceremony. The site then redirects to a fake streaming site hosted on Blogspot and users are prompted to create an account for free access to watch the live streaming event. In another example, a link to a fake streaming site hosted on OpenSea does the same thing.
Figure 2: Screenshots showing fake streaming site and related link posted on OpenSea.
As the user enters an email address and password to create the new account, they are taken through multiple redirects that finally land them on a YouTube video; the credentials they submitted along the way are now in the scammer's hands.
Figure 3: Redirection chain.
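The redirection chain above is the kind of thing an analyst wants to reproduce without clicking through it in a browser. The following Python script is an added example, not ThreatLabz tooling: it walks a chain offline, recognizing HTTP 3xx Location headers, HTML meta refresh tags and JavaScript location assignments, stops on loops and a hop limit, and records how each hop was triggered. The URLs and HTTP responses are constructed stand-ins for the profile link, Blogspot lure, tracking hop and final video page described in the text; the form submission itself is not simulated.

```python
"""Walk a redirect chain offline: HTTP 3xx, meta refresh and JS location hops.

Added example, not ThreatLabz tooling. fetch_from_table() stands in for an
HTTP client and returns (status, headers, body) from a constructed table.
"""
import re
from urllib.parse import urljoin

# <meta http-equiv="refresh" content="0; url=...">  (http-equiv before content only)
META_REFRESH_RE = re.compile(
    r'<meta[^>]+http-equiv\s*=\s*["\']?refresh["\']?[^>]*content\s*=\s*["\']?\s*\d+\s*;\s*url\s*=\s*([^"\'>\s]+)',
    re.I)
# window.location.href = "..." / location = "..." / location.replace("...")
JS_LOCATION_RE = re.compile(
    r'(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)
JS_REPLACE_RE = re.compile(r'location\.(?:replace|assign)\(\s*["\']([^"\']+)["\']\s*\)', re.I)

# Constructed responses (placeholder hostnames, not real infrastructure):
# social-profile link -> Blogspot-style lure -> tracking hop -> final video page.
SAMPLE_SITE = {
    "https://profile-example.test/live":
        (301, {"Location": "https://fifa-live-example.blogspot.test/"}, ""),
    "https://fifa-live-example.blogspot.test/":
        (200, {}, '<html><body><form action="/signup">...</form><script>'
                  'setTimeout(function(){window.location.href="https://track-example.test/go?c=fifa";},1500);'
                  '</script></body></html>'),
    "https://track-example.test/go?c=fifa":
        (200, {}, '<html><head><meta http-equiv="refresh" content="0; url=/landing"></head></html>'),
    "https://track-example.test/landing":
        (302, {"Location": "https://video-example.test/watch?v=abc"}, ""),
    "https://video-example.test/watch?v=abc":
        (200, {}, "<html>final page</html>"),
}


def fetch_from_table(url, table=SAMPLE_SITE):
    """Offline stand-in for an HTTP GET; unknown URLs answer 404."""
    return table.get(url, (404, {}, ""))


def next_hop(url, status, headers, body):
    """Return (next_url, mechanism) for one response, or (None, None) if it is terminal."""
    if 300 <= status < 400 and headers.get("Location"):
        return urljoin(url, headers["Location"]), "http-%d" % status
    m = META_REFRESH_RE.search(body)
    if m:
        return urljoin(url, m.group(1)), "meta-refresh"
    m = JS_LOCATION_RE.search(body) or JS_REPLACE_RE.search(body)
    if m:
        return urljoin(url, m.group(1)), "js-location"
    return None, None


def follow_chain(start, fetch=fetch_from_table, max_hops=10):
    """Return (chain, outcome); chain is [(url, mechanism), ...], outcome is
    'terminal', 'loop' or 'max-hops'."""
    chain = [(start, "start")]
    seen = {start}
    url = start
    for _ in range(max_hops):
        status, headers, body = fetch(url)
        nxt, how = next_hop(url, status, headers, body)
        if nxt is None:
            return chain, "terminal"
        chain.append((nxt, how))
        if nxt in seen:          # A -> B -> A: stop instead of spinning
            return chain, "loop"
        seen.add(nxt)
        url = nxt
    return chain, "max-hops"


if __name__ == "__main__":
    chain, outcome = follow_chain("https://profile-example.test/live")
    for u, how in chain:
        print("%-14s %s" % (how, u))
    print("outcome:", outcome)
```

The JavaScript matching is a heuristic on source text only; obfuscated or dynamically built redirects (the kind a TDS emits) need a headless browser, but the chain record above is enough to list every domain a victim touches and feed them into domain-age and reputation checks.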
Visitors to many of these fake streaming sites are prompted to provide payment card details within form templates similar to the one seen below.
Figure 4: Fake streaming site payment page.
Case 2: FIFA World Cup-related scams
As the FIFA World Cup kicked off, researchers observed a rapid rise in threats and scam sites related to the event. Many newly registered sites offering World Cup tickets are hosted by scammers trying to trick users into paying for tickets that do not exist. The threat actors behind these scam sites are typically trying to collect fake ticket fees or steal payment card details. In the example shown below, a suspicious site offering World Cup match tickets was registered as recently as Nov 15th. Because of the high number of scams like this one, many organizations choose to block, limit, or analyze newly registered domains, commonly defined as domains less than 10 days old.
Figure 5: Fake FIFA match ticket site.
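The "less than 10 days old" rule above is easy to automate from registry data. The Python script below is an added example, not ThreatLabz tooling: it reads the registration event out of an RDAP domain record (the RFC 9083 JSON shape that registry RDAP services return), computes the domain's age against a fixed analysis time, and maps each domain to block / analyze / allow. The three RDAP responses are constructed samples rather than live lookups, with placeholder domain names; the first one mirrors the Nov 15th registration date of the ticket-scam site. A domain whose record carries no registration event is deliberately bucketed as unknown and sent for analysis rather than allowed.

```python
"""Flag newly registered domains (NRDs) from RDAP registration events.

Added example, not ThreatLabz tooling. Input is RDAP JSON per domain
(RFC 9083 shape); the samples below are constructed, not real lookups.
"""
import json
import re
from datetime import datetime, timezone

NRD_MAX_AGE_DAYS = 10                 # the cut-off used in the post
ANALYSIS_TIME = datetime(2022, 11, 22, 12, 0, tzinfo=timezone.utc)  # assumed "now"

# Policy per bucket: NRDs are blocked, undetermined ages go to analysis.
ACTIONS = {"newly-registered": "block", "unknown": "analyze", "established": "allow"}

SAMPLE_RDAP = {
    # registered 15 Nov 2022, like the ticket-scam site in the post
    "fifa-tickets-example.test": json.dumps({
        "objectClassName": "domain",
        "ldhName": "fifa-tickets-example.test",
        "events": [
            {"eventAction": "registration", "eventDate": "2022-11-15T09:12:33Z"},
            {"eventAction": "last changed", "eventDate": "2022-11-15T09:12:34.000Z"},
        ],
    }),
    "established-example.test": json.dumps({
        "objectClassName": "domain",
        "ldhName": "established-example.test",
        "events": [{"eventAction": "registration", "eventDate": "2015-03-02T00:00:00Z"}],
    }),
    # some registries omit events (privacy, errors); age cannot be determined
    "no-events-example.test": json.dumps({
        "objectClassName": "domain", "ldhName": "no-events-example.test",
    }),
}

_DATE_PREFIX = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}")


def parse_rdap_date(value):
    """Parse an RDAP eventDate; fractional seconds, 'Z' or an offset suffix are
    dropped and the timestamp is treated as UTC (RDAP dates are UTC)."""
    m = _DATE_PREFIX.match(value.strip())
    if not m:
        raise ValueError("unrecognised RDAP date: %r" % value)
    return datetime.strptime(m.group(0), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def registration_date(rdap_json):
    """Return the 'registration' event date, or None if the record lacks one."""
    doc = json.loads(rdap_json)
    for ev in doc.get("events", []):
        if ev.get("eventAction") == "registration" and ev.get("eventDate"):
            return parse_rdap_date(ev["eventDate"])
    return None


def domain_age_days(rdap_json, now=ANALYSIS_TIME):
    reg = registration_date(rdap_json)
    return None if reg is None else (now - reg).days


def classify(rdap_json, now=ANALYSIS_TIME):
    age = domain_age_days(rdap_json, now)
    if age is None or age < 0:        # missing or future-dated: do not trust it
        return "unknown"
    return "newly-registered" if age < NRD_MAX_AGE_DAYS else "established"


def triage(rdap_by_domain, now=ANALYSIS_TIME):
    """Return {domain: (age_days, bucket, action)} for a batch of RDAP records."""
    out = {}
    for domain, body in rdap_by_domain.items():
        bucket = classify(body, now)
        out[domain] = (domain_age_days(body, now), bucket, ACTIONS[bucket])
    return out


if __name__ == "__main__":
    for domain, (age, bucket, action) in triage(SAMPLE_RDAP).items():
        print("%-28s age=%-5s %-17s -> %s" % (domain, age, bucket, action))
```

To run this against live data, fetch `https://<registry-rdap-base>/domain/<name>` for the domain's TLD (the IANA RDAP bootstrap file at data.iana.org/rdap/dns.json lists the base URLs) and pass the response body in; the 10-day threshold is a tunable, and many teams also keep a second, longer window (30 or 90 days) for "analyze" rather than "block".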
These ongoing scams are not limited to World Cup match tickets but extend to many other aspects of the FIFA World Cup fever. ThreatLabz has also observed a scam in which users are offered prize money and airline tickets supposedly from Qatar Airways. The domain of the scam site shown in the screenshot below was registered on Nov 11th; that timing suggests the attackers behind it are targeting World Cup fans.
Figure 6: Scam website with a fake Qatar Airways lottery message.
Attackers are also targeting users with fake lottery emails that pretend to come from a Qatar FIFA World Cup 2022 lottery committee. Below is one such email, which carries a PDF attachment with the lottery details.
Figure 7: Scam email imitating the FIFA organizing committee.
In this scam, an email with a PDF attachment identifies the target victim as the prize winner of a large lottery drawing. Users are asked to open the attachment and send their personal details to claim the award money.
Figure 8: PDF file attached to the scam email.
Case 3: SolarMarker malware activity
SolarMarker is a well-known malware family with infostealer capabilities that uses Search Engine Optimization (SEO) manipulation to lure in victims and deliver the initial payload. Most commonly, ThreatLabz researchers have observed these attackers hosting the malicious PDF files on compromised WordPress sites at URLs that are crawled and ranked in search engine results. ThreatLabz observed a few cases where SolarMarker targets football fans trying to buy World Cup stickers from compromised ecommerce sites. When the user clicks to download one of these fake PDFs, they are automatically redirected to an attacker-controlled site that delivers a malicious Windows Installer (MSI) package, which carries out the rest of the attack.
Figure 9: Malicious PDF file hosted on the compromised site.
Case 4: Fake cracked FIFA game distributing infostealer through PDF
Attackers are using malicious PDF files hosted on compromised websites to deliver infostealers by luring users into downloading what they believe is a cracked (pirated) copy of the FIFA game. In August, ThreatLabz observed a similar threat campaign built around fake pirated software downloads; by comparison, these new discoveries feature several enhancements along with the use of malicious PDFs. Notably, these attackers are also using SEO manipulation to get the malicious PDF links listed in 'cracked FIFA games' search engine results. As noted in the August campaign, one of the key characteristics of these threats is that they target victims who are doing something they shouldn't be, such as searching for pirated versions of software and games that require payment for legitimate access. Targeting this kind of risk-taking behavior gives attackers an advantage, because victims already expect a shady, unfamiliar site. In addition, verifying the safety of a site, link, or file is beyond the technical capabilities of most general visitors.
Figure 10: Malicious PDF file that downloads malware.
When the user clicks to download the PDF, they are instantly redirected to a newly registered domain that serves an archive file containing the malicious executable.
Figure 11: Screenshot of the malicious fake ‘cracked game recording’ download prompt that delivers the malicious payload when user clicks to download the file.
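Both the SolarMarker lure in Case 3 and the cracked-game lure in Case 4 rely on a PDF that sends the reader somewhere else, so a quick static look at the PDF's actions answers the first triage question: where does this file try to take the user, and does it do so on its own? The following Python script is an added example, not ThreatLabz tooling, that serves both cases: it pulls every literal-string URI action out of the file, resolves the catalog's /OpenAction (an action that fires as soon as the document is opened), flags Launch, JavaScript and SubmitForm actions, and marks links that point away from the site the PDF was downloaded from. The sample PDF, its hostnames and the `hosting_host` parameter are constructed for this example. It parses plain object syntax only; a real sample that stores its objects in compressed object streams must be expanded first, for instance with `qpdf --qdf --object-streams=disable in.pdf out.pdf`.

```python
"""Static triage of a PDF lure: list URI actions, spot auto-open actions.

Added example, not ThreatLabz tooling. Works on uncompressed object syntax;
PDFs that pack objects into /ObjStm streams need expanding first.
"""
import re
from urllib.parse import urlparse

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)      # literal-string URIs only
OPEN_REF_RE = re.compile(rb"/OpenAction\s*(\d+)\s+\d+\s+R")
OPEN_INLINE_RE = re.compile(rb"/OpenAction\s*(<<.*?>>)", re.S)   # no nested dicts
RISKY_ACTION_RE = re.compile(rb"/S\s*/(Launch|JavaScript|SubmitForm)\b")

# Constructed sample (placeholder hostnames): the catalog's /OpenAction is a
# URI action, so the document redirects the moment it is opened, and the page
# also carries a clickable link back to the site that served the PDF.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [5 0 R] >> endobj
4 0 obj << /S /URI /URI (https://dl-example.test/fifa-stickers/get.php?id=7) >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [100 600 500 650]
   /A << /S /URI /URI (https://shop-example.test/catalog\\(2022\\).pdf) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def _unescape(s):
    """Resolve PDF literal-string escapes such as backslash-( and backslash-)."""
    return re.sub(rb"\\(.)", rb"\1", s)


def parse_objects(pdf):
    """Map object number -> raw body for every 'N G obj ... endobj' in the file."""
    return {int(m.group(1)): m.group(3) for m in OBJ_RE.finditer(pdf)}


def uris_in(body):
    """All URI action targets inside one object body, unescaped, as str."""
    return [_unescape(m.group(1)).decode("latin-1") for m in URI_RE.finditer(body)]


def open_action(objects):
    """Body of the catalog's /OpenAction (indirect ref resolved), or None."""
    for body in objects.values():
        if not re.search(rb"/Type\s*/Catalog", body):
            continue
        m = OPEN_REF_RE.search(body)
        if m:
            return objects.get(int(m.group(1)))
        m = OPEN_INLINE_RE.search(body)
        return m.group(1) if m else None
    return None


def triage_pdf(pdf, hosting_host):
    """hosting_host: the site the PDF came from; any other link host is 'external'."""
    objects = parse_objects(pdf)
    uris = [u for body in objects.values() for u in uris_in(body)]
    target = open_action(objects)
    auto_uris = uris_in(target) if target else []
    auto = auto_uris[0] if auto_uris else None
    risky = sorted({m.group(1).decode() for m in RISKY_ACTION_RE.finditer(pdf)})
    hosts = {urlparse(u).hostname for u in uris}
    external = sorted(h for h in hosts if h and h != hosting_host)
    reasons = []
    if auto:
        reasons.append("URI action fires on open")
    if risky:
        reasons.append("action types: " + ", ".join(risky))
    if external:
        reasons.append("links leave the hosting site")
    return {
        "uris": uris,
        "auto_open_uri": auto,
        "risky_actions": risky,
        "external_hosts": external,
        "verdict": "suspicious" if reasons else "benign-looking",
        "reasons": reasons,
    }


if __name__ == "__main__":
    for k, v in triage_pdf(SAMPLE_PDF, hosting_host="shop-example.test").items():
        print("%-15s %s" % (k, v))
```

A document that merely contains hyperlinks is normal; what makes a lure stand out is a URI action wired to /OpenAction, or a "download" link whose host is a freshly registered domain unrelated to the shop that served the PDF, which is exactly where the domain-age check from Case 2 comes in.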
Case 5: Parrot TDS fake updates malware
Figure 12: Malicious Parrot TDS script injected into a compromised WordPress site.
Guidelines to protect against these attacks:
Indicators of Compromise
Fake/scam websites