2022 World Cup Cyber Threats

10889453457?profile=RESIZE_400xRecorded Future has shared information regarding potential threats to the 2022 World Cup soccer matches set in Qatar.  Email-based phishing attacks targeting the Middle East doubled in October in the lead up to the World Cup in Qatar, according to new research from Trellix.  Many of the emails purport to come from the FIFA help desk or ticketing office while some impersonate specific team managers and departments.  Others claim to be notifications about bans implemented by FIFA, or spoof Snoonu, the official food delivery partner of the World Cup.  Trellix researchers said the campaigns leverage customized web pages that appeared very genuine and a variety of malwares were included in the attacks.[1]  The goals of the cyberattacks include financial fraud, credential harvesting, data exfiltration, surveillance, and damage to a country or organization’s reputation.

Trellix provided a range of samples of the emails their researchers were seeing on a daily basis.  One email impersonates David Firisua, the team manager for Auckland City FC, seeking confirmation of a payment made to FIFA.  Many of the emails contain hyperlinks which take people to spoofed brand pages or phishing sites.  Some of the emails pretend to be legal notices regarding unpaid fees to FIFA.

10889453470?profile=RESIZE_400xThe Head of Threat Intelligence & Principal Engineer at Trellix, reported that they anticipate these attacks to continue through January 2023.  “In this instance, we found the attention to the details incorporated into the malicious URLs and customized web pages to be notable, allowing cybercriminals to successfully impersonate league staff and team managers,” he explained.  Trellix said the top five malware families it discovered targeting Middle Eastern countries currently included Qakbot, Emotet, Formbook, Remcos and QuadAgent.[2]

The goal of most of the malware strains is to steal confidential data or information, credentials or gain remote control of a device.

Cyber security research outfit Avanan, confirmed that they have also seen an influx of phishing emails related to the World Cup in a variety of different languages.  “One common thread is related to betting on the World Cup, trying to entice end-users to wager. Instead, the email and resulting link steals credentials,” they said.

ShadowDragon, told Recorded Future that the cyber threat of the World Cup is not much different than those associated with any global event, like the Olympics (Red Sky Alliance has previously tracked cyber threats and vulnerabilities for the 2016 and 2018 Olympics).  “There is always a rise in phishing and activity related to these events. Holding the World Cup in Qatar has been a hot-button political issue since its announcement. The event offers more fodder and content for spammers and phishers,” ShadowDragon said.  But they noted that there are several other threats facing those attending or watching the event, including overreach by the Qatar government through mandatory apps downloaded by attendees.

10889453294?profile=RESIZE_400xOfficials for the Dutch, German, French, and Norwegian governments have already told their citizens not to download Qatar’s World Cup apps, Ehteraz and Hayya, over privacy concerns.  German officials went so far as to suggest that citizens bring essentially a burner phone that has none of their personal information and wipe the device after the World Cup ends.  “You wouldn’t give a stranger the keys to your house but phone apps can unknowingly harvest detailed, personal information about those who use them,” said Keeper Security.  “It’s particularly concerning when a nation state is collecting unauthorized information through an app, or worse yet, remotely accessing a device.”

The CISO at Delinea said that during all major events, such as the upcoming World Cup in Qatar, they always see a major increase in cyber-crime targeting unsuspecting fans and followers.

Many fake, fraudulent websites, apps or emails that appear official will come loaded with an abundance of scams and these scams can result in stealing the victims credentials, passwords, credit card information, infecting their computer or smartphone with malicious software or even ransomware, Delinea explained.  These can lead the unknowing victim to spread malware to family and friends, losing sensitive data or a major financial impact. 

10889454458?profile=RESIZE_400x 

AN EXAMPLE OF A SPOOFED WEBSITE. IMAGE: RECORDED FUTURE

Recorded Future released a report last week that said while no imminent state-sponsored cyber operations have been identified, Russia “is an outlier and very likely harbors a strong set of grievances and thus motivation for targeting the 2022 FIFA World Cup.”  Russia may want to “embarrass Qatar as the host country for siding with the coalition of countries supporting Ukraine’s territorial integrity, as well as to retaliate for Russia being banned from participating in the tournament.”  Russian military hackers were previously implicated in the Pyeongchang cyber-attack that took place during the Olympics in February 2018, where Russian hackers deployed the OlympicDestroyer malware and damaged web servers during the opening ceremony.

In October 2020, the US Justice Department indicted six Russian intelligence operatives for the attack on the Pyeongchang Olympic Games.

The report notes that large international sporting events are also attractive targets for financially motivated cybercriminals.  “Tournament-related phishing attacks use various lures such as so-called ticket giveaways, free streaming services to watch games, fake betting websites, and tournament-adjacent items like visas and travel, hotel, and restaurant bookings,” the researchers said.  “Other cybercriminal threats include, but are not limited to: fake mobile applications around the event that can distribute malware and harvest user data; sales on dark web markets and shops for counterfeit tickets and compromised credentials; and as above, ransomware attacks that would likely seek to opportunistically target victims based on accessibility, opportunity, and factors such as the ability to pay large ransom amounts.”

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.    For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com      

Weekly Cyber Intelligence Briefings:

  • Reporting: https://www. redskyalliance. org/   
  • Website: https://www. wapacklabs. com/  
  • LinkedIn: https://www. linkedin. com/company/64265941   

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5504229295967742989

[1] https://therecord.media/phishing-attacks-targeting-middle-east-countries-double-ahead-of-world-cup-report/

[2] https://www.trellix.com/en-us/about/newsroom/news/news-detail.html?news_id=906c2709-2aa5-4f62-94b8-85f18c9da901

E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!