Cybercriminals exploiting World Cup buzz to conduct malicious campaigns
The 22nd FIFA World Cup launched in Qatar on November 20th, 2022, with 32 teams battling for the trophy. With fans around the world excited about the World Cup and cheering on their favorite team, Threat Actors (TAs) are also taking advantage of it, using FIFA as a theme in malicious campaigns that target unsuspecting victims.
Cyble Research & Intelligence Labs (CRIL) has been continuously monitoring scams related to the FIFA World Cup. We have observed various scams exploiting the popularity of the tournament, such as crypto phishing attempts using fake FIFA airdrops, fake ticket sales, fraudulent giveaways, malicious Android applications, an increase in FIFA betting sites, and many others.
Crypto/NFT fraud leveraging FIFA World Cup Theme
While monitoring phishing activity, we identified a few crypto phishing schemes that use the FIFA World Cup theme to lure victims. The phishing site “football-blnance[.]com” impersonated the Binance cryptocurrency website and attempted to trick users into giving up sensitive information by offering free Non-Fungible Tokens (NFTs).
![Figure 1 – Phishing site offering NFT using a football theme](https://i0.wp.com/cyble.com/wp-content/uploads/2022/12/Figure-1-–-Phishing-site-offering-NFT-using-a-football-theme.png?resize=1024%2C445&ssl=1)
When a user clicks on “Connect wallet” to claim the NFTs, the phishing site displays a QR code, and the user’s wallet account is compromised once it is scanned. The TA could then steal sensitive information from the victim’s wallet.
![Figure 2 – QR code displayed by phishing sites](https://i0.wp.com/cyble.com/wp-content/uploads/2022/12/Figure-2-–-QR-code-displayed-by-phishing-sites.png?resize=713%2C626&ssl=1)
In addition to the previously mentioned phishing site, CRIL identified another phishing site, “claim-fifa[.]live”, that is offering FIFA archive NFT packs as a part of its scam. As with the other phishing site, when the user clicks on the “CLAIM NFT PACKS” button, a QR code will appear to connect to the crypto wallet.
![Figure 3 – Phishing site offering fake NFT drops](https://i0.wp.com/cyble.com/wp-content/uploads/2022/12/Figure-3-–-Phishing-site-offering-fake-NFT-drops.png?resize=752%2C418&ssl=1)
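As an added illustration that is not part of the CRIL report, the following Python script applies the lookalike check a defender would run over newly observed domains: it splits the registrable part of a domain into hyphen-separated tokens and flags any token within one edit of a watched brand, so that “football-blnance[.]com” surfaces the substituted character and “claim-fifa[.]live” surfaces the brand keyword. The brand list and the known-good allowlist are assumptions an analyst would replace with their own.

```python
# Brand names the report shows being imitated; a defender would load their own list.
BRANDS = ("binance", "fifa")
# Assumption: brand-owned domains that must never be flagged.
KNOWN_GOOD = {"binance.com", "fifa.com"}

def levenshtein(a, b):
    """Plain Levenshtein edit distance (insert/delete/substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def lookalike_hits(domain, brands=BRANDS, max_distance=1):
    """Return (token, brand, distance) for every token of `domain` that is
    within `max_distance` edits of a watched brand.

    Tokens are the hyphen-separated pieces of each label except the TLD, so
    'football-blnance.com' yields 'football' and 'blnance'. Tokens shorter
    than four characters are skipped because a one-edit match against them
    is mostly noise.
    """
    domain = domain.lower().rstrip(".")
    if domain in KNOWN_GOOD:
        return []
    labels = domain.split(".")[:-1]  # drop the TLD
    tokens = [t for label in labels for t in label.split("-") if t]
    hits = []
    for token in tokens:
        if len(token) < 4:
            continue
        for brand in brands:
            d = levenshtein(token, brand)
            if d <= max_distance:
                hits.append((token, brand, d))
    return hits
```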
FIFA Scam Spreading Via WhatsApp Messages
Along with crypto phishing scams, we identified another scam circulating on WhatsApp, exploiting the popularity of the FIFA World Cup. Scammers are distributing messages on WhatsApp or social media, claiming FIFA is offering free 50GB data worldwide to watch the 2022 Qatar FIFA World Cup.
![Figure 4 – WhatsApp message claiming FIFA is giving away 50GB of data](https://i0.wp.com/cyble.com/wp-content/uploads/2022/12/Figure-4-–-WhatsApp-message-claiming-FIFA-giving-50BG-data.png?resize=364%2C519&ssl=1)
The message includes a link to a scam website, “hxxp://www.fifa-uj[.]top/”, that asks for the user’s mobile number in order to “verify” their eligibility for the free data, as shown in the figure below.
![Figure 5 – FIFA scam site offering free 50GB data](https://i0.wp.com/cyble.com/wp-content/uploads/2022/12/Figure-5-–-FIFA-scam-site-offering-free-50GB-data.png?resize=752%2C516&ssl=1)
After validating the phone number, the scam website prompts users to forward the message to their WhatsApp contacts to claim a 50GB data offer. Scammers commonly use this tactic to spread their scam and trick more people into falling for it.
![Figure 6 – Scam website prompting users to forward messages to their WhatsApp contacts](https://i0.wp.com/cyble.com/wp-content/uploads/2022/12/Figure-6-–-Scam-website-prompting-users-to-forward-messages-to-their-WhatsApp-contacts.png?resize=752%2C502&ssl=1)
Once users finish forwarding the WhatsApp messages, the scam website displays a mobile verification page and offers further gifts, such as iPhones and iPads. The scammer also states that, as part of the phone verification process, users may have to download and install an application, fill out a survey, or complete other given tasks.
![Figure 7 – Scammer prompting user verification methods.](https://i0.wp.com/cyble.com/wp-content/uploads/2022/12/Figure-7-–-Scammer-prompting-user-verification-methods..png?resize=752%2C508&ssl=1)
Threat Actor Distributing Redline Stealer Malware Disguised As FIFA Game
At the start of November 2022, CRIL uncovered a massive YouTube campaign spanning over 100 applications and delivering an info stealer. As the 22nd FIFA World Cup kicked off in Qatar, the same TA started targeting football fans by offering a cracked version of the FIFA 23 game.
We discovered that several YouTube channels had uploaded videos demonstrating how to download and install a pirated version of FIFA 23, along with download links to the software.
![Figure 8 – Youtube videos about the cracked FIFA 23 game with a download link](https://i0.wp.com/cyble.com/wp-content/uploads/2022/12/Figure-8-–-Youtube-videos-about-the-cracked-FIFA-23-game-with-a-download-link.png?resize=752%2C262&ssl=1)
The download link “hxxps://www[.]playskeep.com/fifa-23” hosted the Redline Stealer masquerading as a cracked FIFA 23 game. When a user clicks on the “FREE DOWNLOAD” button, the malicious website starts downloading the “FIFA 23 [Cracked].rar” file from the URL “hxxps://www.mediafire[.]com/file/sbw6cgg6cnwmipz/FIFA+23+【+CRACKED+】.rar/file”.
![Figure 9 – Malicious website downloading Redline Stealer](https://i0.wp.com/cyble.com/wp-content/uploads/2022/12/Figure-9-–-Malicious-website-downloading-Redline-Stealer.png?resize=752%2C378&ssl=1)
Android RAT Distributed Via Malicious Website Using FIFA World Cup Lure
Recently, ESET shared a tweet about a malicious Android RAT distributed via a malicious website. The TA behind this malware had created a Facebook page named “Kora 442”, where users could visit and download a malicious application from a distribution site.
![Figure 10 – Facebook page spreading Android RAT Source ESET](https://i0.wp.com/cyble.com/wp-content/uploads/2022/12/Figure-10-–-Facebook-page-spreading-Android-RAT-Source-ESET.png?resize=752%2C605&ssl=1)
The TA linked the distribution site “hxxps://kora442[.].com” in a post on the Facebook page, stating “Follow the World Cup matches live on Kora 442 application” and prompting users to download the malicious application to watch matches. At the time of writing, the distribution site was still active and infecting users with the Android RAT.
![Figure 11 – Malicious website distributing Android RAT](https://i0.wp.com/cyble.com/wp-content/uploads/2022/12/Figure-11-–-Malicious-website-distributing-Android-RAT.png?resize=752%2C542&ssl=1)
After installation, the downloaded file “kora442” receives commands from the Command and Control (C&C) server, as shown in Figure 11, and can collect the following data from an infected device or perform the following actions:
- Contact list
- SMS data
- Call logs
- Location
- Download additional payloads at runtime
- Steal images and videos
- Files stored on the infected device
- WhatsApp and Messenger databases, if the device is rooted
- Take pictures
- Clipboard data
- Thumbnails
![Figure 12 – Malware receiving commands from the CC server](https://i0.wp.com/cyble.com/wp-content/uploads/2022/12/Figure-12-–-Malware-receiving-commands-from-the-CC-server.png?resize=752%2C516&ssl=1)
The malware fetches the C&C server URL from a variable “BBB,” which is saved in the Shared Preferences file “appPreferencess.xml” as shown below.
![Figure 13 – Malware storing CC server URL in Shared Preference file](https://i0.wp.com/cyble.com/wp-content/uploads/2022/12/Figure-13-–-Malware-storing-CC-server-URL-in-Shared-Preference-file.png?resize=752%2C264&ssl=1)
The RAT can also download additional payloads based on the commands received from the C&C server, so the TA could use it to carry out further malicious activity on the victim’s device.
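The report notes that this RAT keeps its C&C URL as a plain string preference (key “BBB”) in a Shared Preferences XML file. As an added example that is not part of the CRIL report, the Python below shows the triage a forensic analyst can run over a pulled `shared_prefs` directory: parse the Android `<map>` format, pick out every string preference whose value is a URL, and flag hosts the app is not known to use. The sample XML is constructed for the example (the URL is a placeholder, not the real C&C), and `expected_hosts` is an assumption the analyst fills in.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample of an Android SharedPreferences file. The key name "BBB"
# follows the report; the URL is a placeholder, not the real C&C server.
SAMPLE_PREFS_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="BBB">https://c2-placeholder.invalid/backendNew/public/api/</string>
    <boolean name="firstRun" value="false" />
    <int name="interval" value="60" />
    <string name="lang">en</string>
</map>
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def extract_url_prefs(xml_text):
    """Return (key, url) for every <string> preference whose value is a URL.

    SharedPreferences is a <map> of typed elements; only <string> elements
    carry their value as text, the other types use a value attribute.
    """
    root = ET.fromstring(xml_text)
    return [(e.get("name", ""), e.text.strip())
            for e in root.iter("string")
            if e.text and URL_RE.fullmatch(e.text.strip())]

def defang(url):
    """Rewrite a URL for safe inclusion in a report (http -> hxxp, . -> [.])."""
    return re.sub(r"^http", "hxxp", url, flags=re.IGNORECASE).replace(".", "[.]")

def triage(xml_text, expected_hosts=()):
    """Flag URL-bearing preferences whose host is not one the app is known to use.

    expected_hosts is an assumption: the analyst fills it from the app's
    manifest, network security config or a sandbox run; any other host is a
    candidate C&C setting worth a closer look.
    """
    findings = []
    for key, url in extract_url_prefs(xml_text):
        host = urlparse(url).hostname or ""
        verdict = "expected" if host in expected_hosts else "UNEXPECTED"
        findings.append({"key": key, "host": host, "url": defang(url), "verdict": verdict})
    return findings
```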
Conclusion
Threat Actors often take advantage of global events and festive seasons to launch mass infection campaigns, and users may fall for these scams out of excitement or a lack of attention. As the FIFA World Cup got underway, CRIL observed various scams targeting users worldwide and distributing malware to steal sensitive information. It is important to verify the legitimacy of websites before downloading files or submitting any sensitive information.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
- Avoid downloading files from unknown websites.
- Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without first verifying their authenticity.
- Educate employees on protecting themselves from threats such as phishing and untrusted URLs.
- Monitor for beaconing at the network level to block data exfiltration by malware or TAs.
- Enable Data Loss Prevention (DLP) Solutions on the employees’ systems.
- Download and install software only from official app stores like Google Play Store or the iOS App Store.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
- Be wary of opening any links received via SMS or emails delivered to your phone.
- Ensure that Google Play Protect is enabled on Android devices.
- Be careful while enabling any permissions.
- Keep your devices, operating systems, and applications updated.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| --- | --- | --- |
| Initial Access | T1566 | Phishing |
| Execution | T1204 | User Execution |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information |
| Defense Evasion | T1497 | Virtualization/Sandbox Evasion |
| Defense Evasion | T1055.012 | Process Injection: Process Hollowing |
| Credential Access | T1555 | Credentials from Password Stores |
| Credential Access | T1539 | Steal Web Session Cookies |
| Credential Access | T1552 | Unsecured Credentials |
| Credential Access | T1528 | Steal Application Access Token |
| Discovery | T1518 | Software Discovery |
| Discovery | T1124 | System Time Discovery |
| Discovery | T1007 | System Service Discovery |
| Command and Control | T1071 | Application Layer Protocol |
| Initial Access | T1476 | Deliver Malicious App via Other Means |
| Collection | T1412 | Capture SMS Messages |
| Collection | T1432 | Access Contacts List |
| Collection | T1433 | Access Call Logs |
| Collection | T1517 | Access Notifications |
| Collection | T1533 | Data from Local System |
| Collection | T1429 | Capture Audio |
Indicators of Compromise (IOCs)
| Indicators | Indicator Type | Description |
| --- | --- | --- |
| 02cfa159f85e15bd24808859d6cbf1b8e8d21352e7290ba5477744f711bb752b | SHA256 | Hash of malicious APK |
| 9c904c821edaff095e833ee342aedfcaac337e04 | SHA1 | Hash of malicious APK |
| 6905fac52473837ed4c548915b5c65a3 | MD5 | Hash of malicious APK |
| hxxps://kora442[.].com | URL | Android RAT distribution URL |
| hxxps://firebaseconnections[.]com/backendNew/public/api/ | URL | C&C server |
| 629a4c31ae491844997dacde42e85f1a8d632a1b599281d498660b8d9cb36bdd | SHA256 | Hash of Redline Stealer RAR file |
| e5fa481e5590dd79b73ea483f987cc28afbc0ddb | SHA1 | Hash of Redline Stealer RAR file |
| c285987ec716c444fcd7d4c17bb2fc54 | MD5 | Hash of Redline Stealer RAR file |
| hxxps://www.playskeep[.]com/fifa-23 | URL | Distribution site |
| football-blnance[.]com | URL | Crypto phishing domain |
| claim-fifa[.]live | URL | Crypto phishing domain |
| hxxp://www.fifa-uj[.]top | URL | WhatsApp scam website |
Source: https://blog.cyble.com/2022/12/09/threat-actors-targeting-fans-amid-fifa-world-cup-fever/