FC Barcelona’s official website exploited for fraud


FC Barcelona, Europe‘s top football club, had its official website used by scammers in a third-party fraud.

While scammers usually impersonate famous brands by creating fraudulent links, FC Barcelona‘s official website suffered from a more sophisticated attack. According to ad fraud monitoring platform Adex, malign actors used FC Barcelona‘s website domain to increase traffic to a likely fraudulent iGaming website.

FC Barcelona is a major European football club and one of the most valuable sports teams in the world, with an estimated worth of over $4.7 billion. Data from website monitoring service Similarweb shows that FC Barcelona’s official website has 5.4m monthly visitors and ranks among the most visited football clubs.

ADVERTISEMENT
FC Barcelona official website
Fraudulent use of FC Barcelona's official website. Image by Adex.

On November 16, Adex discovered a suspicious-looking link leading to the official website of the Catalonian football team. Since the link with FC Barcelona’s official website subdomain led to an online gambling site likely meant for the Indonesian market, the company investigated the case manually.

Analysis showed a mismatch between nameserver (NS) record in the second and third-level domains. While the official website was hosted on Amazon Web Services (AWS), the NS records of the investigated subdomain were on Google Cloud DNS.

“Usually, criminals mimic popular or authoritative websites by switching a letter or two in the domain name or copying the interface’s design. It’s a bold move to hijack a subdomain of a club loved by many and use their good name to deceive users,” Adex anti-fraud experts said in a blog post.

The company believes the club didn’t notice the suspicious activity because the subdomain was not indexed by Google, and there was no traffic spike since the fraudulent subdomain was hosted on a different server.

The ad company was banned, and the company notified FC Barcelona about the issue.

ADVERTISEMENT