Trend Micro collaborated with INTERPOL to monitor and report on cyber threats around the FIFA World Cup 2022, helping to block attacks and mitigate risk during the event. The findings cover fake ticketing sites, fake live-streaming sites, survey scams, and crypto-scam sites that delivered the Kora442 Android malware to fans.
Keypoints
- Trend Micro partnered with INTERPOL to monitor threats and share intelligence to protect FIFA World Cup 2022.
- Malicious websites impersonating FIFA World Cup ticketing systems were found (e.g., fifa-ticketssales[.]com and prime-ticketssales[.]com).
- Fake live-streaming sites (around 40 unique domains) lured users into subscribing or paying, with Brazil, the Philippines, and Malaysia as the most-targeted countries.
- Survey scams offered free mobile data, hosted on numerous IPs/servers, and harvested phone numbers and emails.
- Crypto scam sites lured users into downloading a malicious Android app (kora442.apk, "Kora442"); the app stole information from the infected device and sent it to a C2 server. File hashes and the package name were published as IoCs.
- Trend Micro emphasizes ongoing collaboration with INTERPOL to investigate cybercriminals during major events.
MITRE Techniques
- [T1566.002] Phishing: Spearphishing Link - The attackers set up fake ticketing sites to collect personal information and credit card details. ["dubious sites for selling tickets to the 2022 FIFA World Cup and trick users into inputting their personal information and credit card details in phishing attempts."]
- [T1036] Masquerading - The attackers used websites imitating the FIFA World Cup ticketing page. ["websites imitating the FIFA World Cup ticketing page and one showing an unbelievable number of sold tickets."]
- [T1189] Drive-by Compromise - Users were redirected to websites with subscription forms or premium-access requests and urged to subscribe and pay. ["redirected to websites with subscription forms or premium access requests and lure these users to subscribe and pay."] (Note: this is a social-engineering redirect to a paywall, not browser exploitation, so T1189 is a loose fit.)
- [T1041] Exfiltration Over C2 Channel - The Android malware sends the stolen data to its C&C server. ["It steals information from the infected device and sends it to the Command & Control (C&C) server."]
- [T1005] Data from Local System - The Android app collects information from the infected device. ["It steals information from the infected device..."]
Indicators of Compromise
- [Domain] Fake ticketing and streaming sites - fifa-ticketssales[.]com and prime-ticketssales[.]com (ticketing); watchvsportstv[.]com and istream2watch[.]stream (streaming); and 2 more domains - used to harvest personal and payment data.
- [URL] Fake streaming and scam pages - watchvsportstv[.]com/2022-FIFA-WORLD-CUP-FINAL, istream2watch[.]stream/video/fifa-world-cup (and 2 more URLs) - redirect to subscription/purchase flows.
- [Hash] SHA-1 hashes of the Kora442 APK - 2299d4e4ba3e9c2643ee876bb45d6a976362ce3c, c66564b7f66f22ac9dd2e7a874c6874a5bb43a26, and 2 more hashes.
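The indicators above are published defanged (`[.]` in place of `.`), so they have to be refanged before they can be matched against logs. The following script is an added example, not code from the Trend Micro or INTERPOL report: it refangs the listed domains and URLs, sweeps a constructed proxy log (the space-separated log format and the log lines are assumptions made for the example, not real traffic), flags any request whose host is one of the listed domains or a subdomain of one, and checks a file's SHA-1 against the published APK hashes. Only the indicators actually printed on the page are included; the "and N more" entries are not reproduced.

```python
import hashlib
import re

# Defanged indicators copied from the IoC list above. Only the four domains,
# two URLs and two hashes printed on the page are included.
DEFANGED_DOMAINS = [
    "fifa-ticketssales[.]com",
    "prime-ticketssales[.]com",
    "watchvsportstv[.]com",
    "istream2watch[.]stream",
]
DEFANGED_URLS = [
    "watchvsportstv[.]com/2022-FIFA-WORLD-CUP-FINAL",
    "istream2watch[.]stream/video/fifa-world-cup",
]
KORA442_SHA1 = {
    "2299d4e4ba3e9c2643ee876bb45d6a976362ce3c",
    "c66564b7f66f22ac9dd2e7a874c6874a5bb43a26",
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into a matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def host_matches(hostname: str, bad_domains) -> bool:
    """True if hostname equals a listed domain or is a subdomain of one."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in bad_domains)


def url_matches_listed(url: str, defanged_urls=DEFANGED_URLS) -> bool:
    """True if the URL, minus its scheme, exactly equals a listed URL indicator."""
    stripped = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url, flags=re.IGNORECASE)
    return stripped.rstrip("/") in {refang(u).rstrip("/") for u in defanged_urls}


# Constructed sample proxy log (not from the report). Assumed format:
# "<timestamp> <client_ip> <method> <url> <status>"
SAMPLE_PROXY_LOG = """\
2022-12-18T16:02:11Z 10.0.4.23 GET https://www.fifa.com/tickets 200
2022-12-18T16:03:40Z 10.0.4.23 GET https://fifa-ticketssales.com/checkout 200
2022-12-18T16:05:02Z 10.0.7.9 GET http://cdn.watchvsportstv.com/2022-FIFA-WORLD-CUP-FINAL 302
2022-12-18T16:06:55Z 10.0.7.9 GET https://istream2watch.stream/video/fifa-world-cup 200
2022-12-18T16:08:13Z 10.0.2.5 GET https://example.org/news/world-cup 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
HOST_RE = re.compile(r"^[a-z][a-z0-9+.-]*://([^/:]+)")


def scan_proxy_log(text: str, defanged_domains=DEFANGED_DOMAINS):
    """Return (client_ip, url, exact_url_match) for each request to a listed domain.

    Matching is done on the host part of the URL so that subdomains of a
    listed domain (cdn.watchvsportstv.com) are caught as well; the third
    field records whether the full URL is also one of the listed URL IoCs.
    """
    bad = [refang(d).lower() for d in defanged_domains]
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        _ts, client, _method, url, _status = m.groups()
        hm = HOST_RE.match(url.lower())
        if hm and host_matches(hm.group(1), bad):
            hits.append((client, url, url_matches_listed(url)))
    return hits


def sha1_matches(data: bytes, known=KORA442_SHA1) -> bool:
    """SHA-1 the bytes of a file (40-hex digests, as listed) and look it up."""
    return hashlib.sha1(data).hexdigest() in known


if __name__ == "__main__":
    for client, url, exact in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{client} -> {url}" + ("  [listed URL]" if exact else ""))
```

Matching on the host rather than the full URL is deliberate: scam operators rotate paths and subdomains far more often than registered domains, so the domain list is the more durable indicator, while the exact-URL flag tells an analyst which hits line up with the specific pages the report named. The hash check is only useful for the exact APK builds listed; a repackaged sample would need behavioural detection instead.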