Cybercriminals exploiting World Cup buzz to conduct malicious campaigns
The 22nd FIFA World Cup launched in Qatar on November 20th, 2022, with 32 teams battling for the trophy. While fans around the world are excited about the World Cup and cheering on their favorite teams, Threat Actors (TAs) are also actively taking advantage of it, using FIFA as a theme in malicious campaigns that target unsuspecting victims.
Cyble Research & Intelligence Labs (CRIL) has been continuously monitoring scams related to the FIFA World Cup. We have observed various scams exploiting its popularity, such as crypto phishing attempts using fake FIFA airdrops, sales of fake tickets, fraudulent giveaways, malicious Android applications, an increase in FIFA betting sites, and many others.
Crypto/NFT fraud leveraging FIFA World Cup Theme
While monitoring phishing activity, we identified a few crypto phishing schemes that use the FIFA World Cup theme to lure victims. The phishing site “football-blnance[.]com” impersonated the Binance cryptocurrency website, attempting to trick users into handing over sensitive information by offering free Non-Fungible Tokens (NFTs).
When a user clicks on “Connect wallet” to claim the NFTs, the phishing site displays a QR code; scanning it with a wallet app connects the wallet to the attacker-controlled site, and the user’s wallet account is compromised. The TA could then steal sensitive information from the victim’s wallet.
In addition to the previously mentioned phishing site, CRIL identified another phishing site, “claim-fifa[.]live”, that is offering FIFA archive NFT packs as a part of its scam. As with the other phishing site, when the user clicks on the “CLAIM NFT PACKS” button, a QR code will appear to connect to the crypto wallet.
FIFA Scam Spreading Via WhatsApp Messages
Along with the crypto phishing scams, we identified another scam circulating on WhatsApp that exploits the popularity of the FIFA World Cup. Scammers are distributing messages on WhatsApp and social media claiming that FIFA is offering 50GB of free data worldwide to watch the 2022 Qatar FIFA World Cup.
The message includes a link to the scam website “hxxp://www.fifa-uj[.]top/”, which asks for the user’s mobile number and purports to verify their eligibility for the free data, as shown in the figure below.
After validating the phone number, the scam website prompts users to forward the message to their WhatsApp contacts to claim a 50GB data offer. Scammers commonly use this tactic to spread their scam and trick more people into falling for it.
Once users finish forwarding the WhatsApp messages, the scam website displays a mobile verification page and offers other gifts, such as iPhones and iPads. The scammer also states that, as part of the phone verification process, users may have to download and install an application, fill out a survey, or complete some other task.
Threat Actor Distributing Redline Stealer Malware Disguised As FIFA Game
At the start of November 2022, CRIL uncovered a massive YouTube campaign targeting over 100 applications and delivering an info stealer. As the 22nd FIFA World Cup kicked off in Qatar, the same TA started targeting football fans by offering a cracked version of the FIFA 23 game.
We discovered that several YouTube channels had uploaded videos demonstrating how to download and install a pirated version of FIFA 23, along with download links to the software.
The download link “hxxps://www[.]playskeep.com/fifa-23” hosted the Redline stealer masquerading as a cracked FIFA 23 game. When a user clicks on the “FREE DOWNLOAD” button, the malicious website starts downloading the “FIFA 23 [Cracked].rar” file from the URL “hxxps://www.mediafire[.]com/file/sbw6cgg6cnwmipz/FIFA+23+【+CRACKED+】.rar/file”.
Android RAT Distributed Via Malicious Website Using FIFA World Cup Lure
Recently, ESET shared a tweet about a malicious Android RAT distributed via a malicious website. The TA behind this malware had created a Facebook page named “Kora 442”, where users could visit and download a malicious application from a distribution site.
The TA linked the distribution site “hxxps://kora442[.].com” in a post on their Facebook page with the text “Follow the World Cup matches live on Kora 442 application”, prompting users to download the malicious application to watch matches. The distribution site is still active and infecting users with the Android RAT.
After installation, the downloaded application “kora442” receives commands from the Command and Control (C&C) server, as shown in Figure 11, and steals the following information from an infected device:
- Contact list
- SMS data
- Call logs
- Additional payloads downloaded at runtime
- Images and videos
- Files stored on the infected device
- WhatsApp and Messenger databases, if the device is rooted
- Pictures taken with the device camera
- Clipboard data
The malware fetches the C&C server URL from a variable named “BBB”, which is saved in the Shared Preferences file “appPreferencess.xml”, as shown below.
The RAT can also download additional payloads based on the commands received from the C&C server, so the TA might use it to perform other malicious activities on the victim’s device.
Threat Actors often take advantage of global events and festive seasons to launch mass infection campaigns, and users may fall for these scams due to excitement and a lack of attention. As the FIFA World Cup launched, CRIL observed various scams targeting users worldwide and distributing malware to steal sensitive information. It is important to verify the legitimacy of websites before downloading files or submitting any sensitive information.
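As an added example (not part of the Cyble report), the following Python script shows how a responder could recover the C&C URL from a dumped appPreferencess.xml by reading the “BBB” key, refang it, and check its host against the report’s IOC list. The XML content and the URL stored in it are constructed for the demo; the report does not say which host the real C&C uses.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed SharedPreferences content modelled on the report's description
# (C&C URL stored under the key "BBB"). The URL value is made up for the
# demo; the report does not state which host the real C&C uses.
SAMPLE_PREFS_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="BBB">hxxps://kora442[.]com/api/cmd</string>
    <boolean name="registered" value="true" />
</map>
"""

# Defanged indicators copied from the report's IOC table.
REPORT_IOCS = [
    "hxxps://kora442[.].com",
    "football-blnance[.]com",
    "claim-fifa[.]live",
    "hxxp://www.fifa-uj[.]top",
]

def refang(indicator: str) -> str:
    """'hxxp' -> 'http', '[.]' -> '.'; the report writes one host as
    'kora442[.].com', so a stray dot right after '[.]' is collapsed as well."""
    s = re.sub(r"^hxxp", "http", indicator.strip(), flags=re.IGNORECASE)
    return re.sub(r"\[\.\]\.?", ".", s)

def ioc_host(indicator: str) -> str:
    """Lower-cased host of a defanged indicator (URL or bare domain)."""
    s = refang(indicator)
    return (urlparse(s).hostname if "://" in s else s.split("/")[0]).lower()

def read_string_prefs(xml_text: str) -> dict:
    """All <string name=...> entries of a SharedPreferences <map>."""
    root = ET.fromstring(xml_text)
    return {e.get("name"): (e.text or "") for e in root.iter("string")}

def extract_c2(xml_text: str, key: str = "BBB"):
    """Refanged C&C URL stored under `key`, or None if the key is absent."""
    value = read_string_prefs(xml_text).get(key)
    return refang(value) if value else None

def matches_report_ioc(url: str) -> bool:
    """True when the URL's host is one of the hosts in REPORT_IOCS."""
    host = (urlparse(url).hostname or "").lower()
    return host in {ioc_host(i) for i in REPORT_IOCS}
```

Run `extract_c2(SAMPLE_PREFS_XML)` on a preferences file pulled from a device backup and feed the result to `matches_report_ioc` to flag hosts already published as indicators.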
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
- Avoid downloading files from unknown websites.
- Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without first verifying their authenticity.
- Educate employees on protecting themselves from threats such as phishing and untrusted URLs.
- Monitor for beaconing at the network level to block data exfiltration by malware or TAs.
- Enable Data Loss Prevention (DLP) Solutions on the employees’ systems.
- Download and install software only from official app stores like Google Play Store or the iOS App Store.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
- Be wary of opening any links received via SMS or emails delivered to your phone.
- Ensure that Google Play Protect is enabled on Android devices.
- Be careful while enabling any permissions.
- Keep your devices, operating systems, and applications updated.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
|---|---|---|
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information |
| Defense Evasion | T1497 | Virtualization/Sandbox Evasion |
| Defense Evasion | T1055.012 | Process Injection: Process Hollowing |
| Credential Access | T1555 | Credentials from Password Stores |
| Credential Access | T1539 | Steal Web Session Cookies |
| Credential Access | T1552 | Unsecured Credentials |
| Credential Access | T1528 | Steal Application Access Token |
| Discovery | T1518 | Software Discovery |
| Discovery | T1124 | System Time Discovery |
| Discovery | T1007 | System Service Discovery |
| Command and Control | T1071 | Application Layer Protocol |
| Initial Access | T1476 | Deliver Malicious App via Other Means |
| Collection | T1412 | Capture SMS Messages |
| Collection | T1432 | Access Contacts List |
| Collection | T1433 | Access Call Logs |
| Collection | T1517 | Access Notifications |
| Collection | T1533 | Data from Local System |
| Collection | T1429 | Capture Audio |
Indicators of Compromise (IOCs)
| Indicator | Type | Description |
|---|---|---|
| 02cfa159f85e15bd24808859d6cbf1b8e8d21352e7290ba5477744f711bb752b | SHA256 | Hash of malicious APK |
| 9c904c821edaff095e833ee342aedfcaac337e04 | SHA1 | Hash of malicious APK |
| 6905fac52473837ed4c548915b5c65a3 | MD5 | Hash of malicious APK |
| hxxps://kora442[.].com | URL | Android RAT distribution URL |
| 629a4c31ae491844997dacde42e85f1a8d632a1b599281d498660b8d9cb36bdd | SHA256 | Hash of Redline Stealer RAR file |
| e5fa481e5590dd79b73ea483f987cc28afbc0ddb | SHA1 | Hash of Redline Stealer RAR file |
| c285987ec716c444fcd7d4c17bb2fc54 | MD5 | Hash of Redline Stealer RAR file |
| football-blnance[.]com | URL | Crypto phishing domain |
| claim-fifa[.]live | URL | Crypto phishing domain |
| hxxp://www.fifa-uj[.]top | URL | WhatsApp scam website |