Surge of Fake FIFA World Cup Streaming Sites Targets Virtual Fans

ThreatLabz notes a spike in fake FIFA World Cup 2022 streaming sites and related scams that lure fans via newly registered domains and fake links to harvest credentials or payment details. The campaign mix includes World Cup ticket and lottery scams, fake cracked games, and malware like SolarMarker and Parrot TDS targeting football fans. #ThreatLabz #SolarMarker #ParrotTDS #FIFAWorldCup #WorldCupStreaming #QatarAirways

Keypoints

  • Spike in newly registered domains related to the FIFA World Cup as fans flock to event-related content.
  • Fake streaming sites often impersonate legitimate portals and post fake streaming links.
  • Attackers run multiple related scams around World Cup themes, including tickets, airline tickets, and lotteries.
  • Multiple malware campaigns use World Cup themes as lures, including SolarMarker and Parrot TDS.
  • Campaigns push fake cracked FIFA games and PDFs to deliver malware after user interaction.
  • Defense guidance includes caution around new domains, avoiding cracked software, using HTTPS, and enabling 2FA.

MITRE Techniques

  • [T1583.001] Acquire Infrastructure: Domains – Threat actors register new domains related to the FIFA World Cup to host scams and malicious content. “ThreatLabz has observed an increase in newly registered domains related to the FIFA World Cup.”
  • [T1566.002] Phishing: Spearphishing Link – Links posted on social/professional sites redirect to malicious pages. “Fake streaming site link posted on a Linkedin profile and the redirected fake site.”
  • [T1566.001] Phishing: Spearphishing Attachment – Phishing emails with attachments lure victims to claim fake prizes. “an email with a PDF attachment identifies the target victim as the prize winner of a large lottery drawing.”
  • [T1036] Masquerading – Fake links hosted on legitimate sites to redirect users to malicious sites. “legitimate established sites like Xiaomi, Reddit, OpenSea, and LinkedIn host fake links that redirect to the malicious sites.”
  • [T1056.003] Input Capture – Forms on scam sites collect emails, passwords, and payment details. “Visitors to many of these fake streaming sites are prompted to provide payment card details within form templates.”
  • [T1189] Drive-by Compromise – Compromised sites hosting malicious PDFs deliver payloads. “SolarMarker … hosting the malicious PDF files on compromised WordPress sites … deliver the payload.”
  • [T1059.007] Command and Scripting Interpreter: JavaScript – Malicious JavaScript injected into CMS to facilitate the attack. “Parrot TDS … injects malicious JavaScript code into poorly secured content management systems.”
  • [T1105] Ingress Tool Transfer – PDFs and downloads delivering MSI payloads. “the malicious Microsoft’s Windows Installer (MSI) service payload to perform the rest of the attack.”

Indicators of Compromise

  • [Fake/scam websites] – linkedin[.]com/pulse/official-fifa-world-cup-2022-live-micker-hukkker, fifaworldcupontv[.]blogspot[.]com, opensea[.]io/collection/fifa-world-cup-2022-qatar-vs-ecuador-watch-hd-onli, sportsevents4me[.]store, humourousretort[.]top, i13lc8k[.]cn, bestsports-stream[.]com, gatewaytoworld[.]com, Fifafootball[.]io, Fifa2022worldcup[.]net
  • [Malicious samples] – 09FAF066833D24B049DBC3C824AE25E3, 556858D3B8629407A65E2737C1DED5DC, 277760FC389F8F21A50FB04D27519BEF, 8C436293FD1221FAD3E48ECEDAE683A5, 02E7CA1129049755697C8185AC8F98B9, D0DEE3AAC6A71AA9E9E4FC6E411574F0, 3E74F0F073E296460C52EEE06E914B25, 346E4B588F0A6EBE9E0E6B086D23E933, C87B80497B85B22BE53F52E0F2EBDF11, 854D5DFE2D5193AA4150765C123DF8AD
  • [Malicious URLs] – eurotranslations[.]ie/wp-content/uploads/formidable/13/panini-world-cup-sticker-spreadsheet.pdf, wartimestac[.]site/Panini-World-Cup-Sticker-Spreadsheet/pdf/sitedomen/, ww16[.]rocklandbase[.]site, rocklandbase[.]site
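The indicators above are defanged and mix two kinds of entries: dedicated malicious domains, and paths hosted on legitimate sites (LinkedIn, OpenSea, a compromised WordPress site) that must not be blocked at the host level. The following Python script is an added example, not code from the ThreatLabz post; it refangs the page's indicators, matches proxy-log URLs with proper host-suffix matching (so a domain IoC does not match a lookalike or a mention in a URL path), matches legitimate-host indicators only on host plus path prefix, and checks MD5 hashes. The log lines are constructed, and the split of the page's indicators into "domain" and "URL on a legitimate host" groups is my own assumption.

```python
"""Scan proxy-log lines for the FIFA World Cup scam IoCs listed on the page."""
from urllib.parse import urlsplit

# Indicators copied from the page (defanged). Grouping is an assumption:
# hosts below are treated as wholly malicious and matched by suffix.
IOC_DOMAINS = [
    "fifaworldcupontv[.]blogspot[.]com", "sportsevents4me[.]store",
    "humourousretort[.]top", "i13lc8k[.]cn", "bestsports-stream[.]com",
    "gatewaytoworld[.]com", "Fifafootball[.]io", "Fifa2022worldcup[.]net",
    "wartimestac[.]site", "rocklandbase[.]site",
]
# Paths on otherwise legitimate hosts: matched on host + path prefix only,
# so that linkedin.com or opensea.io as a whole are never flagged.
IOC_URLS = [
    "linkedin[.]com/pulse/official-fifa-world-cup-2022-live-micker-hukkker",
    "opensea[.]io/collection/fifa-world-cup-2022-qatar-vs-ecuador-watch-hd-onli",
    "eurotranslations[.]ie/wp-content/uploads/formidable/13/panini-world-cup-sticker-spreadsheet.pdf",
]
IOC_MD5 = {
    "09FAF066833D24B049DBC3C824AE25E3", "556858D3B8629407A65E2737C1DED5DC",
    "277760FC389F8F21A50FB04D27519BEF", "8C436293FD1221FAD3E48ECEDAE683A5",
}


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into its real, lower-cased form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()


DOMAINS = {refang(d) for d in IOC_DOMAINS}
# (host, path-prefix) pairs for indicators that live on legitimate hosts.
URL_IOCS = []
for _u in IOC_URLS:
    _host, _, _path = refang(_u).partition("/")
    URL_IOCS.append((_host, "/" + _path))


def host_matches(host: str, domain: str) -> bool:
    """Exact or subdomain match; never a plain substring match."""
    return host == domain or host.endswith("." + domain)


def match_url(url: str):
    """Return a reason string if the URL hits an indicator, else None."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    for d in DOMAINS:
        if host_matches(host, d):
            return f"domain IoC {d}"
    for h, p in URL_IOCS:
        if host_matches(host, h) and path.startswith(p):
            return f"url IoC {h}{p}"
    return None


def is_known_sample(md5_hex: str) -> bool:
    """Check a file hash against the page's malicious-sample list."""
    return md5_hex.strip().upper() in IOC_MD5


# Constructed proxy-log lines: <timestamp> <client> <method> <url> <status>
LOG_LINES = """\
2022-11-21T10:15:02Z 10.20.1.15 GET https://www.fifa.com/fifaplus/en 200
2022-11-21T10:16:44Z 10.20.1.15 GET http://ww16.rocklandbase.site/landing 302
2022-11-21T10:17:03Z 10.20.1.22 GET https://www.linkedin.com/pulse/official-fifa-world-cup-2022-live-micker-hukkker 200
2022-11-21T10:17:05Z 10.20.1.22 GET https://www.linkedin.com/feed/ 200
2022-11-21T10:19:30Z 10.20.1.40 GET https://eurotranslations.ie/wp-content/uploads/formidable/13/panini-world-cup-sticker-spreadsheet.pdf 200
2022-11-21T10:21:11Z 10.20.1.40 GET https://news.example.org/story/fifa2022worldcup.net-scam-warning 200
""".splitlines()


def scan_log(lines):
    """Return (line_no, client, url, reason) for every line that hits an IoC."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line; skip rather than crash
        reason = match_url(fields[3])
        if reason:
            hits.append((n, fields[1], fields[3], reason))
    return hits


if __name__ == "__main__":
    for hit in scan_log(LOG_LINES):
        print("line %d client %s -> %s (%s)" % hit)
```

Only lines 2, 3 and 5 of the constructed log are flagged: the LinkedIn feed request and the news article whose path merely mentions an IoC domain pass, which is the behaviour a blocklist built from this page needs.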

Read more: https://www.zscaler.com/blogs/security-research/surge-fake-fifa-world-cup-streaming-sites-targets-virtual-fans