The World Cup is the most popular sporting event on the planet, and not just among sports fans; attackers and scammers of all stripes love it as well, as it presents a unique opportunity to separate victims from their money. Phishing and malware scams tied to the World Cup in Brazil have been running rampant for months, and researchers have identified a new scheme that plays off the suspension of famed Uruguayan attacker Luis Suarez.
Suarez, one of the more talented and famous goal-scorers in the world, was suspended by FIFA, the world governing body for soccer, at the end of the group stage of the World Cup after he bit an Italian defender on the shoulder. Suarez wasn’t allowed to play in his country’s knockout stage game against Colombia and he’s banned for a total of nine games. The discipline caused an uproar among soccer fans, especially Uruguayans who saw their national team fall to Colombia while Suarez was already at home, watching on TV.
Not surprisingly, scammers saw this as a prime opportunity to prey on some fans’ sympathy for Suarez. Researchers at Kaspersky Lab have identified a new phishing campaign that centers on a fake petition on Suarez’s behalf, which sits on a site that is a very close replica of the official FIFA site. Visitors are asked to sign the petition and fill in their names, countries of residence, email addresses and mobile numbers, a dream menu of information for an attacker.
“The phishing page matches the design of the official website and all links on it redirect users to FIFA’s official site, fifa.com. The phishing domain was created on June 27, 2014. According to the whois database, it was registered in the name of a person residing in London. The data collection form was developed by the phishers using Google.Docs. Personal data obtained from the form can be used to send spam, phishing and SMS messages, as well as malicious apps,” an analysis by Nadezhda Demidova of Kaspersky says.
“In addition, armed with users’ email addresses and telephone numbers the cybercriminals can conduct targeted attacks involving banking Trojans for computers and mobile devices. This technique is used to get round two-factor authentication in online banking systems in cases when a one-time password is sent via SMS.”
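A defender-side triage check built from the traits named in the Kaspersky analysis above: a page served from a non-FIFA host, every link pointing at the real fifa.com, a data form hosted on Google Docs, and a domain only days old. This is an added example, not code from Kaspersky or from this article. The function names, the `petition.example` URL, the sample HTML, the observation date and the 30-day threshold are constructed assumptions, and the registration date is passed in from a whois lookup done elsewhere.

```python
from datetime import date
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed list of third-party form hosts (illustrative, not exhaustive).
FORM_HOSTS = ("docs.google.com",)
# Constructed sample input: a page on an unrelated host imitating a brand site.
SAMPLE_URL = "http://petition.example/suarez"
SAMPLE_HTML = """
<a href="http://www.fifa.com/worldcup/">World Cup</a>
<a href="http://www.fifa.com/tickets/">Tickets</a>
<iframe src="https://docs.google.com/forms/d/EXAMPLE/viewform"></iframe>
"""

class _Collector(HTMLParser):
    """Collect anchor targets and form/iframe targets from a page."""
    def __init__(self):
        super().__init__()
        self.links, self.embeds = [], []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag in ("form", "iframe") and (a.get("action") or a.get("src")):
            self.embeds.append(a.get("action") or a.get("src"))

def _host(url):
    return (urlparse(url).hostname or "").lower()  # "" for relative URLs

def _within(host, domain):
    return host == domain or host.endswith("." + domain)

def lookalike_signals(page_url, html, brand_domain, registered, seen, max_age_days=30):
    """Return the heuristic signals that fire for one fetched page."""
    p = _Collector()
    p.feed(html)
    signals = []
    if _within(_host(page_url), brand_domain):
        return signals  # served by the brand itself, nothing to flag
    hosts = [_host(u) for u in p.links if _host(u)]
    if hosts and all(_within(h, brand_domain) for h in hosts):
        signals.append("all-links-to-brand")  # replica borrowing real links
    if any(_within(_host(u), f) for u in p.embeds for f in FORM_HOSTS):
        signals.append("third-party-form")    # data leaves via a form builder
    if (seen - registered).days <= max_age_days:
        signals.append("new-domain")          # whois creation date is recent
    return signals
```

Each signal is weak on its own; the combination of all three on one page is what makes it worth an analyst's attention.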
Once a victim fills out the petition, he is then encouraged to share the link to it on his Facebook page, helping to spread the scam even further. Phishing was once almost purely an email phenomenon, but now that social networks have completely overshadowed email as the main method of communication among friends and acquaintances, scammers have simply adapted their tactics to those new platforms. Demidova said that links pushing users to the petition have been seen in other places as well.
“Messages with links to the phishing page were also seen on dedicated forums, from which users probably reached the phishing page originally,” Demidova said.