Example of a fake ticket phishing site.

Scammers targeting FIFA World Cup 2022 in Qatar exposed

Scammers and cybercriminals continue to wreak havoc whenever there is a major sporting event taking place. Be it the FIFA World Cup, the Olympics, or even interstate bowling tournaments, there will always be opportunities for scammers to prey on victims.

Most of these scams and phishing campaigns typically prey on the vulnerable and on those desperate to be part of the event. They include the sale of fake merchandise, fake match tickets and even fake events that scammers claim to be legitimate. Apart from that, some scammers also target those looking for employment through job scams.

Researchers from the Group-IB Digital Risk Protection team detected more than 16,000 scam domains, and dozens of fake social media accounts, advertisements, and mobile applications created by scammers aiming to capitalize on the huge global interest in the largest global event for football lovers – the FIFA World Cup 2022. Group-IB’s sector-leading Threat Intelligence also helped to uncover more than 90 potentially compromised accounts on official FIFA World Cup 2022 fan portals.

The Group-IB Computer Emergency Response Team shared its findings on the potentially compromised accounts on the World Cup fan portal not only with INTERPOL but also with the Qatar Computer Emergency Response Team, a fellow OIC-CERT member.

The more than 90 potentially compromised accounts discovered on Hayya, Qatar 2022’s official Fan ID portal, showed that the passwords to these accounts were stolen by threat actors who leveraged easily available info-stealing malware such as RedLine and Erbium.

Example of scam website purporting to be selling official FIFA World Cup 2022 merchandise.

Group-IB analysts also identified four different waves of scam and phishing attacks, along with a host of fake applications available for download from the Google Play Store that cybercriminals could potentially leverage to steal the banking or account credentials of users. They include:

Shirt off his back – Scammers created a fake merchandise website and placed more than 130 advertisements on social media marketplaces to drive traffic to the site. The website offers consumers branded t-shirts of the national teams participating in Qatar 2022. Users are asked to enter their bank card details or transfer money through payment systems displayed on the fake site to purchase a shirt, but they never receive their national team t-shirt.

Instead, the scammers will either receive the money from the transaction or, in some cases, get the banking credentials of the user, which they can then use to make a host of fraudulent transactions. CERT-GIB, which harnesses Group-IB’s patented anti-phishing technologies, will continue to monitor this resource, and share its findings with INTERPOL.

Tickets for the big game – Scammers also targeted those looking to purchase tickets for the games at the FIFA World Cup 2022. Group-IB tracked 5 websites and more than 50 social media accounts registered no earlier than September 2022 containing mentions of “FIFA”, “World Cup” and “tickets.” On the phishing websites, users who have been tricked into thinking that they are purchasing official tickets are asked to enter their bank card details or transfer money through the payment gateway provided on the website. Scammers will either receive the funds from the transaction, or in some cases, they steal the bank card details of the user, who will not receive any tickets.

On the fake social media pages, users are diverted to chats with the scammers in WhatsApp or Facebook Messenger. The scammers ask users for their personal information and pressure them to transfer money for fake tickets. Scammers also created roughly 40 fake applications in the Google Play Store that are available for download. These applications promise users access to tickets from the games. The applications utilize the FIFA World Cup 2022 brand to confuse users and get them to download the fake application.

Example of a social media account advertising fake tickets.

Off the bench – Scammers also had those looking to find work at the World Cup in their sights. Group-IB identified 5 scam websites that used keywords such as “job” and “Qatar” and the official tournament logo as a means of building credibility in the eyes of internet users. The threat actors also created more than 30 pages on social networks to promote links to their scam pages. This scam campaign is a ploy to steal victims’ personal data, including their full name, country, phone number, and information about their education. Group-IB believes that this data may be used in future social engineering attacks to steal money or bank card details from victims.

Surveying the field – In another scam scheme, threat actors not only leveraged the likeness of the FIFA World Cup 2022 in Qatar but also impersonated a leading Qatari petrochemical company. In total, Group-IB identified and analyzed more than 16,000 fake surveys impersonating several large brands, including thousands that used the branding of the FIFA World Cup in Qatar. In this instance, the scammers created fake forms promising those who complete the survey a FIFA World Cup celebration gift from the petrochemical company as a ploy to steal personal data from potential victims.

“Threat actors have a track record of trying to cash in on major events, especially those in the sporting world. The aim of this research was to raise awareness of the multiple different types of scams that users may be confronted with throughout the World Cup, and we urge internet users to be on high alert and double check any domain that they encounter on social media or through messengers,” Sharef Hlal, Group-IB’s Head of Digital Risk Protection Analytics Team, Middle East and Africa, said.

To protect themselves from the attacks of scammers throughout the event, users should be extra vigilant and double check that they are accessing official tournament websites and social media pages before making contact and entering any personal or payment details. Users should also be cautious when following links that allegedly lead to the website of a specific company and check the URL, as scammers frequently use domain names that look similar to existing brand names in order to trick internet users into submitting sensitive data.