When it comes to online fraud lures, scammers and spammers gear up to send massive campaigns of malicious email messages to recipients who may or may not open them. To increase their chances, ne’er-do-wells ride the tides of current news and events — and global sporting events are opportunities not to be missed.

Like the Olympic games in 2016, the 2018 World Cup attracts a lot of attention from fans, travelers, vendors and advertisers. This makes it an especially risky time to open unsolicited emails or click suspicious online advertisements.

IBM X-Force research maps spam campaigns and trends that emerge from billions of unsolicited email messages sent worldwide. Trending World Cup buzz did not leave our spam traps empty — and IBM X-Force identified several ongoing spam campaigns tied to the World Cup. Many of these campaigns also used branding from major sponsors to increase the credibility of their fake messages.

Let’s look at are some examples of malicious emails worth a double-delete.

Congratulations, You’ve Been Phished!

A staple of online scams, phishing attacks are part of every fraudster’s arsenal, designed to rob email recipients of their account credentials, payment card data and actual payments.

X-Force is seeing a popular scheme leveraging the World Cup theme that attempts to convince email recipients that they have won a lottery. In one example, our researchers examined a congratulatory message for a fake lottery win that aimed to lure recipients to a phishing page that prompts the victim for his or her financial information to prepay a fee to receive the prize money. The victim will clearly not receive anything, and the fraudsters will simply make off with the money.

To lend credibility to the scam, the email features the logos of a major sponsor, leading potential victims to believe they are the winners of $1 million.

Figure 1: A fake lottery winning notification purporting to come from a known global brand.

This email might look benign in its textual simplicity, but it’s easy to see that the domains, sending IP and email addresses are not from the brand’s official domain. These telltale signs are valid for the phishing page as well, with a domain name that was likely hijacked to host the attack. The same domain used in the email lure, “consultant.com,” was also used in other spam email samples that tempted recipients with fake winnings over $1.8 million.

Figure 2: A fake lottery winning notification leveraging a World Cup theme.

The domain “consultant.com” seems to have been registered in 1997, yet it is not reachable. When users attempt to browse to it, they are rerouted to a different domain. That domain directs them to folders titled “sweep” and “rewards,” suggesting the pages were specifically created to phish users who received the fraudulent emails.

The suspicious domain where web users may land after redirection, “play[.]net-bf10[.]stream,” also automatically collects details about the visitor’s location and IP address — likely to block certain countries from entering the attack and thus minimize exposure and the chances of an early takedown.

Interested in emerging security threats? Read the latest IBM X-Force Research

Spam Campaigns Impersonate World Cup Sponsors

The idea of winning money from a well-known global brand is quite popular in World Cup spam and appeared in several versions our researchers picked out of their spam traps.

Figure 3: A fake lottery winning notification purporting to come from a global brand.

Other spammers attempted to use the same fake winnings idea, but this group endeavored to craft content that appears to come from the FIFA organization itself. To collect the proceeds, the recipient of the lucky email is asked to send personal information and contact details to an email address controlled by the spammers. Those same details are often requested in 419 scams and advance-fee scams, which typically originate in Nigeria and parts of South Africa.

Figure 4: A fake lottery winning notification purporting to come from FIFA.

FIFA-related spam also came in a number of formats from different senders. Without fail, the images in the content are blurry, the text is lengthy — and the senders ask the recipients to keep the matter secret. In each case, the email sender is after the victim’s contact details, which will most likely be used in further social engineering schemes over the phone.

Figure 5: A fake lottery winning notification purporting to come from FIFA.

Spammers purporting to send FIFA email sometimes use the official FIFA domain, “fifa.com,” in the “From” header field of the email, making it seem as though the email is indeed from the international soccer governing body.

Organizations can prevent this by leveraging an email security standard known as Domain Message Authentication Reporting and Conformance (DMARC) to prove email source authenticity. Unfortunately, according to X-Force researchers, FIFA has yet to publish a DMARC record for its website.

However, FIFA did set up a special Sender Policy Framework (SPF) record, which is a building block of DMARC. In the spam campaigns we examined, the SPF check showed that the sender’s IP does not match the IP from which FIFA send its emails, creating a soft fail. Typically, emails that return a soft fail are tagged as potential spam but are still accepted.

Fraudsters Put Their Peddle to the Metal

Another popular type of World Cup-themed spam comes from dubious sellers trying to peddle goods via unsolicited email. In one example, the sender offered up soccer uniform replicas for sale. In another — believe it or not — the seller offered auto parts.

Figure 6: A World Cup-themed unsolicited email peddling soccer uniform replicas.


Figure 7: A World Cup-themed unsolicited email peddling auto parts.

These spam themes are not the only ones making it into people’s inboxes, but they have been particularly popular during this year’s World Cup in Russia.

How Consumers and Businesses Can Protect Themselves

Scammers are extremely active when global events catch people’s attention, and while browsing and email hygiene are always the way to go, these best practices are all the more critical when cybercriminals are out on the prowl.

While cybercrime attempts will undoubtedly continue during the World Cup, the security community, companies and consumers can prepare themselves to identify common tactics and take necessary precautions.

Consumers who are traveling to the World Cup games should take the following precautions:

  • Be thoughtful about where you use a payment card. Try to use cash whenever possible, and use ATMs in areas with better physical security, such as a bank or hotel lobby.
  • Don’t hand out your card to servers who walk away with it. Rather, pay at the register or ask that a handheld terminal be brought to your table.
  • Review credit card statements for anomalous activity, but don’t focus solely on high-priced purchases. Many criminals will attempt a very low-value purchase first to verify the accuracy of the stolen data and that the card is still functional.
  • Only use trusted Wi-Fi connections on your mobile devices and use a virtual private network (VPN) when possible.

Even consumers who aren’t traveling to see live games should be on the lookout for World Cup-related email and mobile scams. The following best practices apply for internet users around the world during the tournament:

  • Don’t click links or open attachments in emails from unknown sources. Cybercriminals leverage this method frequently to phish for financial information or download malware to user devices.
  • Beware of downloading mobile applications from unauthorized sources offering “free” World Cup-related content.

Finally, local and global businesses should be on the lookout for World Cup-themed cyberthreats:

  • Stay up to date on the latest threats and scams as they emerge. Companies should consider joining threat intelligence sharing communities to tap the collective knowledge of the security industry.
  • Retailers and merchants in cities that host World Cup games should implement testing procedures for point-of-sale (PoS) and Wi-Fi environments to identify misconfigurations and other potential problems ahead of time. Consider engaging a penetration testing team to manually test your PoS solution and invest in mobile device management (MDM) software to monitor device security state for mobile payment stations.
  • Malware code is constantly changing, and new variants appear every week. Therefore, companies should use security tools that automatically adapt to protect against new threats as they emerge.

Best Practices

Even consumers who aren’t traveling to see live games should be on the lookout for World Cup-related email and mobile scams. The following best practices apply for internet users around the world during the tournament:

Don’t click links or open attachments in emails from unknown sources. Cybercriminals leverage this method frequently to phish for financial information or download malware to user devices.

Beware of downloading mobile applications from unauthorized sources offering “free” World Cup-related content.

Interested in emerging security threats? Read the latest IBM X-Force Research

More from Malware

Strela Stealer: Today’s invoice is tomorrow’s phish

12 min read - As of November 2024, IBM X-Force has tracked ongoing Hive0145 campaigns delivering Strela Stealer malware to victims throughout Europe - primarily Spain, Germany and Ukraine. The phishing emails used in these campaigns are real invoice notifications, which have been stolen through previously exfiltrated email credentials. Strela Stealer is designed to extract user credentials stored in Microsoft Outlook and Mozilla Thunderbird. During the past 18 months, the group tested various techniques to enhance its operation's effectiveness. Hive0145 is likely to be…

Hive0147 serving juicy Picanha with a side of Mekotio

17 min read - IBM X-Force tracks multiple threat actors operating within the flourishing Latin American (LATAM) threat landscape. X-Force has observed Hive0147 to be one of the most active threat groups operating in the region, targeting employee inboxes at scale, with a primary focus on phishing and malware distribution. After a 3-month break, Hive0147 returned in July with even larger campaign volumes, and the debut of a new malicious downloader X-Force named "Picanha,” likely under continued development, deploying the Mekotio banking trojan. Hive0147…

Ongoing ITG05 operations leverage evolving malware arsenal in global campaigns

13 min read - As of March 2024, X-Force is tracking multiple ongoing ITG05 phishing campaigns featuring lure documents crafted to imitate authentic documents of government and non-governmental organizations (NGOs) in Europe, the South Caucasus, Central Asia, and North and South America. The uncovered lures include a mixture of internal and publicly available documents, as well as possible actor-generated documents associated with finance, critical infrastructure, executive engagements, cyber security, maritime security, healthcare, business, and defense industrial production. Beginning in November 2023, X-Force observed ITG05…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today