Cybercriminals have been circling around the FIFA World Cup and its popularity like vultures. The tournament starts next week in Qatar, and its brand is being exploited by digital attackers, researchers say.
Digital Shadows, a cybersecurity company, asked its Photon Research Team to analyze how the Qatar 2022 World Cup, a hugely popular sporting event, is targeted by cybercriminals.
The findings are unsurprising: just like fans, cyber threat actors are highly interested in this tournament – for example, they impersonate official World Cup websites and mobile apps using malicious domains.
“The level of sophistication used by attackers to mimic the original domains varied greatly, ranging from low quality, obvious phishing pages to more refined efforts mimicking animations and logos,” the Digital Shadows report reads.
The Photon Research Team set up a detailed alert system to collect examples of cyber threats to the Qatar 2022 World Cup over the course of 90 days.
These potential incidents fall under four categories: brand protection, cyber threat, physical protection, and data leakage. Most incidents pertained to the cyber threat category and included malicious web pages, marketplace listings, and exposed files.
Impersonating domains are a popular choice among threat actors and a sort of prelude to more malicious operations – these can include stealing personally identifiable information, login credentials, and financial data. Criminals can also drop malware on victims’ devices.
Digital Shadows has found 174 malicious domains impersonating official websites belonging to the Qatar World Cup. Among these pages, a notable example was the qatar2022[.]pro impersonating domain – the attackers merely changed the top-level domain (TLD) to deceive users.
The qatar2022[.]pro is flagged as a phishing domain by multiple security providers. Still, it is a high-quality impersonating page, with many details closely resembling the original page.
Even if most links within the page are redirected to official World Cup pages, clicking within the chat box redirects to a malicious URL likely controlled by the attackers.
Initial access point
Of course, because FIFA (International Federation of Association Football), like most big organizations, has developed its own official mobile apps available across legitimate app stores, they are targeted, too.
“For every legitimate app developed by the World Cup organizers, there are dozens of fraudulent apps that are distributed via unofficial app stores. These malicious apps constitute a risk for customers and developers alike—and they can be easily found online using the most common search engines,” the report says.
Digital Shadows has identified 53 impersonating mobile apps over the past 30 days, and some are even available on sites like the Google Play store. The purpose of such scammers is to deceive users into downloading the apps.
Threat actors can use fraudulent mobile apps to install adware, steal personal information and financial data, extract cookies and credentials, and download further payloads, such as spyware, from a remote-controlled domain. These apps, again, act as an initial access point for attackers.
And then, of course, there are social media pages, visited every day by millions of internet users. The same obviously happens with global events such as the World Cup – fans flood the official pages to find out as much as possible about the venues, teams, or players.
The problem is that threat actors have created numerous fraudulent social media pages as well. The schemes are not especially cunning, but the potential to cause big damage certainly exists.
“In the past, security researchers observed APT groups using social media pages to spread disinformation and to gather sensitive information about targeted individuals. Additionally, the North Korean-sponsored APT Lazarus has repeatedly been caught targeting job seekers on LinkedIn with fraudulent job ads to trick them into clicking on malicious links,” Digital Shadows said.
“During our research we collected dozens of social media pages impersonating assets belonging to the Qatar 2022 World Cup. The majority of these pages host harmless content; however, we also identified multiple Facebook pages exploiting the Qatar 2022 World Cup brand and logos to spread scams such as pyramid schemes.”
Digital Shadows also found that, in social media, VIPs and executives can also be impersonated to conduct social engineering attacks. In the case of the Qatar World Cup, FIFA president Gianni Infantino was targeted.
The cybersecurity organization has been observing a significant resurgence in hacktivist operations, mostly due to Russia’s invasion of Ukraine. Unsurprisingly, several pro-Russian and pro-Ukrainian groups have been most active in conducting cyberattacks against their adversaries.
Both nations will not be represented in Qatar – FIFA banned Russia from participating in its tournaments, including the World Cup, while Ukraine didn’t qualify.
However, Digital Shadows still presume there’s a chance of hacktivists targeting the event. For example, the Iranian team has qualified for the World Cup – since Tehran is allegedly contributing to Moscow’s war effort, the tournament might suffer from cyber activity.
“Given the high level of activity carried out by hacktivist groups in 2022, it is realistically possible that said groups will target the 2022 Qatar World Cup to some extent. Hacktivist groups could target the organizers or the sponsors of the tournament, and may do so using DDoS, defacement, or data destruction attacks,” Digital Shadows said in its report.
Finally, Qatar struggles with protecting human rights, to say the least. For that reason alone, Qatari and foreign organizations responsible for organizing the World Cup may also be targeted with ransomware attacks, researchers say.
More from Cybernews:
Subscribe to our newsletter