Chinese Origin Threat Actors Target FIFA World Cup 2026

CloudSEK’s TRIAD uncovered a multi-tenant FIFA World Cup 2026 ticket fraud operation that uses typosquatted domains, fake checkout pages, and embedded live chat to steal payment card data and relay one-time passwords, defeating SMS-based authentication. The infrastructure is linked to `tbpay[.]uk`, `ww-fifa[.]com` and `sdf-26fifa[.]top`, and operator activity is consistent with China-based threat actors.

Key points

  • The operation targets prospective FIFA World Cup 2026 ticket buyers with a highly convincing phishing and card-skimming scheme.
  • Attackers use typosquatted FIFA-themed domains and cloned webpages that mirror real tournament content to increase trust.
  • The backend at `admin-zone[.]tbpay[.]uk` is a multi-tenant fraud platform with at least 15 operator instances and Chinese-language admin panels.
  • The kit captures payment card details during checkout and appears capable of intercepting OTPs to bypass SMS-based 2FA in real time.
  • Live session tracking, victim journey monitoring, and IP blacklisting suggest a mature fraud-as-a-service operation rather than a simple phishing page.
  • Evidence points to operators in China, including repeated logins from `222[.]167[.]244[.]34` and Simplified Chinese UI strings.
  • Exposed debug output revealed backend configuration and application secrets, including the `fifa_ming` database name and leaked application key values, because `PHP_APP_DEBUG = 1` had been left enabled in production.

MITRE Techniques

  • [T1566] Phishing – The actors lured victims through fake FIFA ticket sites and social media-driven traffic to capture credentials and payment data (‘highly active…ticket fraud operation…deployed a scalable phishing…infrastructure’).
  • [T1583.001] Acquire Infrastructure: Domains – The actors registered lookalike and typosquatted FIFA and payment domains and cloned the real site's branding on them (‘pixel-perfect clone of the official FIFA website’). T1036 Masquerading covers disguised files and processes on a host and does not fit lookalike domains.
  • [T1056.003] Input Capture: Web Portal Capture – The cloned checkout pages captured cardholder data entered by victims, including PAN, expiry, and CVV (‘captures payment card details (PAN, Expiry, CVV)’). T1056.004 is Credential API Hooking, a host-side technique, and does not apply here.
  • [T1111] Multi-Factor Authentication Interception – The platform tracked victims' OTP pages and was built to relay OTP codes to the operator in real time so the fraudulent transaction could be authorised (‘intercept and relay One-Time Passwords (OTPs) to bypass SMS-based 2FA’). T1556.004 is Network Device Authentication and does not apply here.
  • [T1071] Application Layer Protocol – The operators ran the fraud over ordinary web traffic, including an embedded third-party live chat used to coach victims through checkout (‘embedded live chat support (tawk[.]to)’). This is a loose fit: T1071 describes command-and-control traffic, and the page documents victim interaction rather than C2.
  • [T1190] Exploit Public-Facing Application – Not an actor technique here: the exposed PHP debug page is a misconfiguration of the actors' own backend that leaked server-side secrets to investigators (‘PHP_APP_DEBUG = 1…left in debug mode in production’). It belongs with the indicators below, not in the actors' TTPs.
  • [T1595] Active Scanning – Weakly supported: the only evidence is operators testing their own victim flows (‘operator testing/verifying the system’), which is pre-deployment testing of the kit rather than scanning of victim infrastructure.

Indicators of Compromise

  • [Domain] fraudulent FIFA ticket and payment infrastructure – `admin-zone[.]tbpay[.]uk`, `ww-fifa[.]com`, and other `www-fifa` lookalikes
  • [Domain] typosquatted FIFA ticket sites – `sdf-26fifa[.]top`, `*.sdf-26fifa[.]top`, and `site-fifa[.]site`
  • [IP Address] operator/admin access and testing activity – `222[.]167[.]244[.]34`, `27[.]150[.]251[.]195`, and `123[.]100[.]137[.]38`
  • [IP Address] additional infrastructure / reseller activity – `38[.]60[.]195[.]137` and `138[.]199[.]60[.]37`
  • [Email / Chat Infrastructure] live support and ticketing abuse – `tickets@fifa-rbi605[.]p[.]tawkto[.]email`, `fifa-rbi605[.]p[.]tawkto[.]email`, and Tawk.to Property ID `69b2c0b49dd4d71c370f2cbf`
  • [Database / Secret Metadata] exposed backend secrets from debug page – database name `fifa_ming`, table prefix `fa_`, and leaked application key/secret values
  • [URL / Path] exposed admin and phishing paths – `hxxps://admin-zone[.]tbpay[.]uk/users/tenant` and `hxxps://sdf-26fifa[.]top/en/tournaments/mens/worldcup/canadamexicousa2026`
  • [File / Config Value] leaked debug and environment values – `PHP_APP_DEBUG = 1`, `PHP_DATABASE_HOSTNAME = 127[.]0[.]0[.]1` (loopback, so not a network indicator), and `twk_uuid_69b2c0b49dd4d71c370f2cbf`
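The indicators above are defanged, and two of them (`*.sdf-26fifa[.]top` and the admin URL) are not plain hostnames, so they cannot be pasted straight into a blocklist. The following script is an added example, not code from CloudSEK or from the report: it refangs the page's IOCs, sorts them into exact hosts, wildcard parents and IPs, and runs them over a constructed proxy log. It also applies a simple heuristic for FIFA-themed lookalike domains that are not yet on the list (the typosquatting pattern described in the key points). The log format, the log lines, the `.example` lookalike host and the `LEGIT_DOMAINS` allowlist are all constructed for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators copied from the IOC list above, still defanged. Everything else
# here (the allowlist, the log format, the log lines) is constructed for the
# example and is not from the report.
DEFANGED_IOCS = [
    "admin-zone[.]tbpay[.]uk", "ww-fifa[.]com", "sdf-26fifa[.]top",
    "*.sdf-26fifa[.]top", "site-fifa[.]site",
    "222[.]167[.]244[.]34", "27[.]150[.]251[.]195", "123[.]100[.]137[.]38",
    "38[.]60[.]195[.]137", "138[.]199[.]60[.]37",
    "hxxps://admin-zone[.]tbpay[.]uk/users/tenant",
]

# Assumed allowlist of legitimate registered domains so the lookalike heuristic
# does not flag the real ticketing site.
LEGIT_DOMAINS = {"fifa.com"}

# Constructed proxy log: "<timestamp> <client-ip> <method> <url>". The
# .example TLD is reserved, so the lookalike host below is guaranteed fictitious.
SAMPLE_LOG = """\
2026-03-01T10:00:01Z 10.0.0.5 GET https://www.fifa.com/en/tickets
2026-03-01T10:00:07Z 10.0.0.5 GET https://sdf-26fifa.top/en/tournaments/mens/worldcup/canadamexicousa2026
2026-03-01T10:00:09Z 10.0.0.5 POST https://pay.sdf-26fifa.top/checkout
2026-03-01T10:02:13Z 10.0.0.9 GET https://worldcup-fifa-tickets.example/buy
2026-03-01T10:03:44Z 10.0.0.9 GET http://222.167.244.34/
2026-03-01T10:04:00Z 10.0.0.7 GET https://example.org/
"""

LOG_RE = re.compile(r"^\S+ \S+ (?:GET|POST) (?P<url>\S+)")


def refang(value: str) -> str:
    """Turn a defanged indicator ('hxxps://a[.]b') back into its live form."""
    value = value.replace("[.]", ".").replace("(.)", ".")
    value = re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)
    return value.lower()


def build_indicator_sets(defanged):
    """Split refanged indicators into exact hosts, wildcard parents and IPs."""
    exact, wildcard, ips = set(), set(), set()
    for raw in defanged:
        ioc = refang(raw)
        if "://" in ioc:                      # URL indicator: keep only its host
            ioc = urlsplit(ioc).hostname or ""
        if ioc.startswith("*."):
            wildcard.add(ioc[2:])
            continue
        try:
            ips.add(str(ipaddress.ip_address(ioc)))
        except ValueError:                    # not an IP literal, so a hostname
            exact.add(ioc)
    return exact, wildcard, ips


def registered_domain(host: str) -> str:
    """Last two labels of a host. A real deployment would use the public suffix list."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def classify_host(host: str, exact, wildcard, ips) -> str:
    """'ioc' for a listed host/IP or a child of a wildcard domain, 'lookalike'
    for an unlisted FIFA-themed host outside the allowlist, else 'clean'."""
    host = host.lower().rstrip(".")
    if host in ips or host in exact:
        return "ioc"
    if any(host == d or host.endswith("." + d) for d in wildcard):
        return "ioc"
    if "fifa" in host and registered_domain(host) not in LEGIT_DOMAINS:
        return "lookalike"
    return "clean"


def scan_proxy_logs(log_text: str, indicators):
    """Return (line_no, host, verdict) for every request that is not clean."""
    exact, wildcard, ips = indicators
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        host = urlsplit(m.group("url")).hostname or ""
        verdict = classify_host(host, exact, wildcard, ips)
        if verdict != "clean":
            hits.append((n, host, verdict))
    return hits


if __name__ == "__main__":
    for n, host, verdict in scan_proxy_logs(SAMPLE_LOG, build_indicator_sets(DEFANGED_IOCS)):
        print(f"line {n}: {host} -> {verdict}")
```

On the constructed log the scan flags the typosquatted ticket page, the `pay.` subdomain caught only by the wildcard entry, the operator IP, and the unlisted lookalike, while the real `www.fifa.com` request stays clean. The `lookalike` verdict is a triage hint, not a block decision: a two-label `registered_domain` will misjudge hosts under multi-part suffixes, so swap in a public-suffix-list library before using it on production telemetry.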
Read more: https://www.cloudsek.com/blog/chinese-origin-threat-actors-target-fifa-world-cup-2026