Scammers on the pitch: Group-IB identifies online threats to fans at FIFA World Cup 2022 in Qatar

Group-IB, one of the global leaders in cybersecurity, has identified multiple scam and phishing attacks targeting users looking for tickets, official merchandise, and jobs at the FIFA World Cup 2022 in Qatar.

Ahead of the tournament, which kicked off on November 20, 2022, researchers from the Group-IB Digital Risk Protection team detected more than 16,000 scam domains, and dozens of fake social media accounts, advertisements, and mobile applications created by scammers aiming to capitalize on the huge global interest in the largest global event for football lovers. Group-IB’s sector-leading Threat Intelligence also helped to uncover more than 90 potentially compromised accounts on official FIFA World Cup 2022 fan portals.

To assist in efforts to take down the scam sites and protect fans from the attacks of scammers, Group-IB shared all its findings with INTERPOL, in line with the company’s long-standing cooperation with INTERPOL over the safety and security of major events. Additionally, the Group-IB Computer Emergency Response Team (CERT-GIB) shared its findings into the potentially compromised accounts on the World Cup fan portal with the Qatar Computer Emergency Response Team (Q-CERT), a fellow OIC-CERT member.

Professional foul

According to an independent survey conducted by TGM Research, an estimated 1.08 billion people are expected to watch the action from the FIFA World Cup 2022 in Qatar, the 22nd edition of the international football championship contested by the men’s national teams of FIFA member nations. Scammers have seized on the enormous interest in the tournament from fans and from those looking to work at the event, creating fake sites with the aim of stealing money and personal information from unsuspecting victims.

During Group-IB’s research into scams that are accompanying the ongoing tournament, CERT-GIB leveraged Group-IB’s Threat Intelligence capabilities to detect more than 90 potentially compromised accounts on Qatar 2022’s official Fan ID portal Hayya. According to Group-IB’s findings, the passwords to these accounts were stolen by threat actors who leveraged easily available info-stealing malware such as RedLine and Erbium.

Group-IB analysts also identified 4 different waves of scam and phishing attacks, along with a host of fake applications available for download from the Google Play Store that cybercriminals could potentially leverage to steal the banking or account credentials of users.

Shirt off his back

One scam scheme identified in this research saw scammers create a fake merchandise website and place more than 130 advertisements on social media marketplaces in an attempt to drive traffic to the site. This website offers consumers branded t-shirts of the national teams participating in Qatar 2022, and users are asked to enter their bank card details or transfer money through payment systems displayed on the fake site in order to purchase a shirt.

In the end, the consumer will never receive their national team t-shirt. Instead, the scammers will either receive the money from the transaction or, in some cases, get the banking credentials of the user, which they can then use to make a host of fraudulent transactions. CERT-GIB, which harnesses Group-IB’s patented anti-phishing technologies, will continue to monitor this resource, and share its findings with INTERPOL.

Tickets for the big game

Scammers also targeted those looking to purchase tickets for the games at the FIFA World Cup 2022. To make this discovery, Group-IB tracked 5 websites and more than 50 social media accounts registered no earlier than September 2022 containing mentions of “FIFA”, “World Cup” and “tickets.”

On the phishing websites, users who have been tricked into thinking that they are purchasing official tickets are asked to enter their bank card details or transfer money through the payment gateway provided on the website. Scammers will either receive the funds from the transaction, or in some cases, they steal the bank card details of the user, who will not receive any tickets.

On the fake social media pages, users are diverted to chats with the scammers in WhatsApp or Facebook Messenger. The scammers ask users for their personal information and pressure them to transfer money for fake tickets.

Scammers also created roughly 40 fake applications in the Google Play Store that are available for download. These applications promise users access to tickets from the games. The applications utilize the FIFA World Cup 2022 brand to confuse users and get them to download the fake application.

In the app, users are prompted to enter their personal information, and when they attempt to purchase what they believe to be tickets for the games, the scammers can either harvest the victims’ bank card credentials or, in some cases, the victims are asked to transfer money directly.

Off the bench

Scammers also had those looking to find work at the World Cup in their sights. Group-IB identified 5 scam websites that used keywords such as “job” and “Qatar” and displayed the official tournament logo as a means of building credibility in the eyes of internet users. The threat actors also created more than 30 pages on social networks to promote links to their scam pages.

This scam campaign is a ploy to steal victims’ personal data, including their full name, country, phone number, and information about their education. Group-IB believes that this data may be used in future social engineering attacks to steal money or bank card details from victims.

Surveying the field

In another scam scheme, threat actors leveraged not only the likeness of the FIFA World Cup 2022 in Qatar but also impersonated a leading Qatari petrochemical company. In total, Group-IB identified and analyzed more than 16,000 fake surveys impersonating several large brands, including thousands that used the branding of the FIFA World Cup in Qatar. In this instance, the scammers created fake forms promising those who complete the survey a FIFA World Cup celebration gift from the petrochemical company as a ploy to steal personal data from potential victims.

Those who fill out the survey are asked for their personal information, including full name, email, home address, and phone number to receive what they think will be a prize. After doing this, users are also asked to share the link to the scam site via WhatsApp to 5-10 groups or 20-30 contacts.

In line with Group-IB’s zero-tolerance policy towards cybercrime, CERT-GIB and the Group-IB Digital Risk Protection team will continue to monitor the development of scams targeting fans of the FIFA World Cup 2022 in Qatar and share its research with INTERPOL and Q-CERT to aid any mitigation efforts.

“Threat actors have a track record of trying to cash in on major events, especially those in the sporting world. The aim of this research was to raise awareness of the multiple different types of scams that users may be confronted with throughout the World Cup, and we urge internet users to be on high alert and double check any domain that they encounter on social media or through messengers,”

To protect themselves from the attacks of scammers throughout the event, users should be extra vigilant and double check that they are accessing official tournament websites and social media pages before making contact and entering any personal or payment details. Users should also be cautious when following links that allegedly lead to the website of a specific company and check the URL, as scammers frequently use domain names that look similar to existing brand names in order to trick internet users into submitting sensitive data.
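
A defender-side illustration of the criteria described above (brand keywords, registration no earlier than September 2022, and names that resemble a brand), added here as an example and not Group-IB's code. The allowlist, keyword list, similarity threshold and sample records are assumptions constructed for the example.

```python
from datetime import date
from difflib import SequenceMatcher

# All values below are assumptions made for this example, not Group-IB's rules.
OFFICIAL = {"fifa.com"}                        # allowlist of genuine domains
KEYWORDS = ("fifa", "worldcup", "ticket", "job", "qatar")  # terms the report names
BRANDS = ("fifa", "worldcup")                  # strings a lookalike would imitate
CUTOFF = date(2022, 9, 1)                      # "no earlier than September 2022"
DIGIT_SWAPS = str.maketrans("01345", "oieas")  # common digit-for-letter swaps


def triage(domain, registered):
    """Return the reasons a domain deserves analyst review ([] means none)."""
    d = domain.lower().rstrip(".")
    if any(d == o or d.endswith("." + o) for o in OFFICIAL):
        return []                              # genuine site or its subdomain
    name = d.rsplit(".", 1)[0]                 # drop the top-level domain
    tokens = [t for t in name.replace(".", "-").split("-") if t]
    joined = "".join(tokens)
    reasons = []
    hits = [k for k in KEYWORDS if k in joined]
    if hits:
        reasons.append("keywords:" + ",".join(hits))
    for tok in tokens:
        folded = tok.translate(DIGIT_SWAPS)    # f1fa -> fifa before comparing
        for brand in BRANDS:
            close = SequenceMatcher(None, folded, brand).ratio() >= 0.8
            if tok != brand and close:
                reasons.append(f"lookalike:{tok}~{brand}")
    if reasons and registered >= CUTOFF:
        reasons.append("recent-registration")
    return reasons


def review_queue(records):
    """Keep only flagged domains, those with the most reasons first."""
    flagged = [(d, triage(d, r)) for d, r in records]
    return sorted((f for f in flagged if f[1]), key=lambda f: -len(f[1]))


# Constructed sample records: reserved .example names and made-up dates.
SAMPLE = [
    ("tickets.fifa.com", date(2022, 10, 1)),
    ("f1fa-tickets.example", date(2022, 10, 3)),
    ("qatar-jobs-worldcup.example", date(2022, 9, 15)),
    ("worldcupp-shirts.example", date(2022, 11, 1)),
    ("fifa.com.example", date(2022, 10, 20)),   # brand used as a subdomain prefix
    ("gardening-tips.example", date(2022, 10, 10)),
    ("worldcup-history.example", date(2014, 6, 1)),
]

if __name__ == "__main__":
    for dom, why in review_queue(SAMPLE):
        print(dom, why)
```

The output is a review queue for an analyst, not a verdict: a keyword match alone does not make a site fraudulent.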


Source: Group-IB