Scammers targeting Qatar World Cup craze to steal fans’ money: Report

TBS Report
29 November, 2022, 04:20 pm
Last modified: 29 November, 2022, 04:21 pm

Group-IB, one of the global leaders in cybersecurity, has identified multiple scams and phishing attacks targeting users looking for tickets, official merchandise, and jobs at the FIFA World Cup 2022 in Qatar. 

Ahead of the tournament, researchers from the Group-IB Digital Risk Protection team detected more than 16,000 scam domains and dozens of fake social media accounts, advertisements, and mobile applications created by scammers aiming to capitalise on the huge global interest in the largest global event for football lovers, reads a press release Tuesday (29 November).

To assist in efforts to take down the scam sites and protect fans from the attacks of scammers, Group-IB shared all its findings with Interpol.

Professional foul

Scammers are targeting fans and those looking to work at the tournament by creating fake sites with the aim of stealing money and personal information from unsuspecting victims.

During Group-IB's research into scams that are accompanying the ongoing tournament, CERT-GIB leveraged Group-IB's Threat Intelligence capabilities to detect more than 90 potentially compromised accounts on Qatar 2022's official Fan ID portal Hayya. 

According to Group-IB's findings, the passwords to these accounts were stolen by threat actors who leveraged easily available info-stealing malware such as RedLine and Erbium.

Group-IB analysts also identified four different waves of scam and phishing attacks, along with a host of fake applications available for download from the Google Play Store that cybercriminals could potentially leverage to steal the banking or account credentials of users.

Shirt off his back

One scam scheme identified in this research saw scammers create a fake merchandise website and place more than 130 advertisements on social media marketplaces in an attempt to drive traffic to the site. 

The website offers consumers branded t-shirts of the national teams participating in Qatar 2022, and users are asked to enter their bank card details or transfer money through payment systems displayed on the fake site in order to purchase a shirt.

In the end, the consumer will never receive their national team t-shirt. Instead, the scammers will either receive the money from the transaction or, in some cases, get the banking credentials of the user, which they can then use to make a host of fraudulent transactions. 

Tickets for the big game

Scammers also targeted those looking to purchase tickets for the games at the FIFA World Cup 2022. Group-IB tracked 5 websites and more than 50 social media accounts registered no earlier than September 2022 containing mentions of "FIFA", "World Cup" and "tickets."

On phishing websites, users who have been tricked into thinking they are purchasing official tickets are asked to enter their bank card details or transfer money through the payment gateway provided on the website. 

Scammers will either receive the funds from the transaction or, in some cases, steal the bank card details of the user, who will not receive any tickets.

Scammers also created roughly 40 fake applications in the Google Play Store that are available for download. These applications promise users access to tickets for the games. The applications utilise the FIFA World Cup 2022 brand to confuse users and get them to download fake applications.

In the app, users are prompted to enter their personal information, and when they attempt to purchase what they believe to be tickets for the games, the scammers can either harvest the victims' bank card credentials or, in some cases, the victims are asked to transfer money directly.

Off the bench

Scammers also had those looking to find work at the World Cup in their sights. Group-IB identified 5 scam websites that featured keywords such as "job" and "Qatar" and utilised the official tournament logo as a means of building credibility in the eyes of internet users. The threat actors also created more than 30 pages on social networks to promote links to their scam pages.

This scam campaign is a ploy to steal victims' personal data, including their full name, country, phone number, and information about their education. This data may be used in future social engineering attacks to steal money or bank card details from victims.

Group-IB recommended that rights holders whose brands are mimicked by threat actors in phishing and scam campaigns leverage Digital Risk Protection (DRP) solutions that assist in promptly detecting threats to their brand online and send these assets for blocking.
 
