Cyble – Threat Actors Targeting Fans Amid FIFA World Cup Fever

Cybercriminals exploiting World Cup buzz to conduct malicious campaigns

The 22nd FIFA World Cup launched in Qatar on November 20th, 2022, with 32 teams battling for the trophy. With fans around the world excited about the World Cup and cheering on their favorite team, Threat Actors (TAs) are actively also taking advantage of it and using FIFA as a theme in their malicious campaigns targeting unsuspecting victims.

Cyble Research & Intelligence Labs (CRIL) has been continuously monitoring scams related to FIFA World Cup. There have been various scams exploiting the popularity of the FIFA World Cup, such as crypto phishing attempts using fake FIFA airdrops, selling fake tickets to users, fraudulent giveaways, malicious Android applications, an increase in FIFA betting sites, and many others.

Crypto/NFT fraud leveraging FIFA World Cup Theme

While monitoring phishing activity, we identified a few crypto phishing schemes involving the use of the FIFA World Cup theme to lure the victims. The phishing site “football-blnance[.]com” was pretending to be the Binance cryptocurrency website attempting to trick users into giving sensitive information by offering free Non-Fungible Tokens (NFTs).

When a user clicks on “Connect wallet” to claim the NFTs, the phishing site displays the QR code, and the user’s wallet account will be compromised upon scanning. The TA could steal sensitive information from the victim’s wallet.

In addition to the previously mentioned phishing site, CRIL identified another phishing site, “claim-fifa[.]live”, that is offering FIFA archive NFT packs as a part of its scam. As with the other phishing site, when the user clicks on the “CLAIM NFT PACKS” button, a QR code will appear to connect to the crypto wallet.

FIFA Scam Spreading Via WhatsApp Messages

Along with crypto phishing scams, we identified another scam circulating on WhatsApp, exploiting the popularity of the FIFA World Cup. Scammers are distributing messages on WhatsApp or social media, claiming FIFA is offering free 50GB data worldwide to watch the 2022 Qatar FIFA World Cup.

The message includes a link to a scam website, “hxxp://www.fifa-uj[.]top/” that asks for the user’s mobile number and verifies their eligibility for the free data, as shown in the figure below.

After validating the phone number, the scam website prompts users to forward the message to their WhatsApp contacts to claim a 50GB data offer. Scammers commonly use this tactic to spread their scam and trick more people into falling for it.

Once users finish forwarding WhatsApp messages, the scam website displays the mobile verification page and offers other gifts, such as iPhones, iPads, etc. Also, the scammer mentioned that users might have to download, install any application, fill out the survey, or do any other given task as a part of the phone verification process.

Threat Actor Distributing Redline Stealer Malware Disguised As FIFA Game

At the start of November 2022, CRIL uncovered a massive Youtube campaign targeting over 100 applications and delivering Info stealer. As the 22^nd FIFA World Cup kicked off in Qatar, the same TA started targeting football fans by offering the cracked version of the FIFA 23 game.

We discovered that several YouTube channels had uploaded videos demonstrating how to download and install a pirated version of FIFA 23, along with download links to the software.

The download link “hxxps://www[.]playskeep.com/fifa-23” hosted the Redline stealer masqueraded as FIFA 13 cracked game. When a user clicks on the “FREE DOWNLOAD” button, the malicious website starts downloading the “FIFA 23 [Cracked].rar” file from the URL “hxxps://www.mediafire[.]com/file/sbw6cgg6cnwmipz/FIFA+23+【+CRACKED+】.rar/file”.

Android RAT Distributed Via Malicious Website Using FIFA World Cup Lure

Recently, ESET shared a tweet about a malicious Android RAT distributed via a malicious website. The TA behind this malware had created a Facebook page named “Kora 442”, where users could visit and download a malicious application from a distribution site.

The TA has linked the distribution link “hxxps://kora442[.].com” in the post on their Facebook page, mentioning “Follow the World Cup matches live on Kora 442 application” and prompting users to download the malicious application to enjoy watching matches. The distribution site is still active and infecting users with Android RAT.

After installation, the downloaded file “kora442” receives the commands from the Command and Control (C&C) server, as shown in Figure 11, and steals the information below from an infected device.

• Contact list
• SMS data
• Call logs
• Location
• Download payload on runtime
• Steals images and videos
• Files stored on infected devices
• WhatsApp and Messenger database if the device is rooted
• Take pictures
• Clipboard data
• Thumbnails

The malware fetches the C&C server URL from a variable “BBB,” which is saved in the Shared Preferences file “appPreferencess.xml” as shown below.

The RAT can also download additional payloads based on the commands received from the C&C server. Hence there is a chance that TA might use this RAT to perform other malicious activities on the victim’s device.

Conclusion

Threat Actors often take advantage of such global events or festive seasons to launch mass infection campaigns, and users may fall for these scams due to excitement and a lack of attention. As FIFA World Cup launches, CRIL observed various scams targeting users worldwide and distributing malware to steal sensitive information. It’s important to verify the legitimacy of websites before downloading files or submitting any sensitive information.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

• Avoid downloading files from unknown websites.
• Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.
• Refrain from opening untrusted links and email attachments without first verifying their authenticity.
• Educate employees in terms of protecting themselves from threats like phishing’s/untrusted URLs.
• Monitor the beacon on the network level to block data exfiltration by malware or TAs.
• Enable Data Loss Prevention (DLP) Solutions on the employees’ systems.
• Download and install software only from official app stores like Google Play Store or the iOS App Store.
• Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
• Use strong passwords and enforce multi-factor authentication wherever possible.
• Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
• Be wary of opening any links received via SMS or emails delivered to your phone.
• Ensure that Google Play Protect is enabled on Android devices.
• Be careful while enabling any permissions.
• Keep your devices, operating systems, and applications updated.

MITRE ATT&CK® Techniques

Indicators of Compromise (IOCs)

Related

Source: https://blog.cyble.com/2022/12/09/threat-actors-targeting-fans-amid-fifa-world-cup-fever/