Hackers bait victims with World Cup, events


Steer clear of emails and web sites offering great last-minute deals on FIFA World Cup tickets, flights or hotels — phishing scams are in full swing as teams and fans converge on Russia for the tournament.

The first stage kicked off yesterday (June 14) but cybercriminals have been hard at work for weeks, offering fake tickets and building fraudulent web sites designed to gather personal and payment information, as well as usernames and passwords, from unsuspecting soccer enthusiasts.

Kaspersky analysts sounded the alarm: “To make their sites seem credible, cybercriminals register domain names combining the words ‘world,’ ‘worldcup,’ ‘FIFA,’ ‘Russia,’ etc. (for example, worldcup2018, russia2018, fifarussia). Normally, though not always, such domains look unnatural (for instance, fifa.ucozx.site) and have a non-standard domain extension. So in most cases, a close look at the link in the email or the URL after opening the site should be enough to avoid the bait.”
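The checks the Kaspersky analysts describe can be applied to links automatically before anyone clicks. The following Python is an added example, not code from Kaspersky or anyone quoted in this article; the official-domain allowlist, the list of "standard" extensions and the sample links are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Keywords the Kaspersky quote says scam domains combine.
EVENT_KEYWORDS = ("worldcup", "world", "fifa", "russia")
# Assumptions for this example: the organiser's real domain and a short list
# of extensions treated as "standard". Tune both for your own environment.
OFFICIAL_DOMAINS = {"fifa.com"}
COMMON_TLDS = {"com", "org", "net", "ru"}


def registrable_domain(host):
    """Approximate the registered domain as the last two labels.
    A production check should use the Public Suffix List instead."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def assess_url(url):
    """Return the reasons a link looks like event-themed bait (empty if none)."""
    if "://" not in url:          # links pasted without a scheme
        url = "//" + url
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    base = registrable_domain(host)
    if not host or base in OFFICIAL_DOMAINS:
        return []
    hits = [k for k in EVENT_KEYWORDS if k in host]
    if not hits:
        return []
    if "worldcup" in hits:        # "world" is a substring of "worldcup"
        hits.remove("world")
    reasons = ["event keyword(s) %s on a non-official domain" % ", ".join(hits)]
    subdomain = host[: -len(base)].rstrip(".")
    if any(k in subdomain for k in hits):
        reasons.append("keyword sits in a subdomain of %s" % base)
    tld = host.rsplit(".", 1)[-1]
    if tld not in COMMON_TLDS:
        reasons.append("non-standard extension .%s" % tld)
    return reasons


# Constructed sample links; fifa.ucozx.site is the example quoted above.
SAMPLE_LINKS = ["http://fifa.ucozx.site/tickets", "https://www.fifa.com/worldcup/",
                "https://worldcup2018-tickets.example/", "fifarussia.example.com/login"]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link, "->", assess_url(link) or "no flags")
```

A keyword match alone will also flag harmless sites that happen to contain "world" or "russia", so treat the output as a prompt for the close look the analysts recommend, not as a verdict.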

Terry Bradley, chief technology officer at PLEX Solutions in Colorado Springs, said it’s common for hackers to use major events — sports, concerts, stage productions — as a platform for phishing attacks.

“Some of the classic ones that we’ve seen in the past are around tax season, a lot of phishing attacks themed around filing your taxes, or W-2s,” he said. “The holidays are always a big season for phishing where there’ll be these bogus sales or special deals offered through these phishing emails. During humanitarian events like Hurricane Katrina or Hurricane Irma relief, they’ll scam people out of money or out of their credentials — their usernames and passwords — based on people wanting to help out on some big natural disaster.”

Hackers also weaponize “scandals and big political debacles” to snag their victims, Bradley said.

“They might offer exclusive information or evidence of somebody doing wrong or exclusive video that’s been leaked,” he said, “and those are always designed to get people to click [a malicious link] or enter their passwords or financial information.”

For cybercriminals, the key is getting people excited enough to let their guard down.

“It’s always something that people are interested in that they normally wouldn’t be able to obtain,” Bradley said. “Even something like ‘Hamilton’ coming to Denver — everyone wants tickets but you can’t get them — but someone [claims they’ve] got the ‘secret source’ that can get tickets if you just go to this website.”

In terms of phishing activity, the World Cup in Russia is pretty similar to a lot of other major events — but Doug DePeppe says we should expect differences in cybercrime tactics and motivations during the tournament.

DePeppe is co-founder and board president of the Springs-based nonprofit Cyber Resilience Institute. CRI created the cyber workforce program c-Watch, which uses sport to help train cybersecurity experts skilled in information-sharing environments.

International sporting events are highly attractive targets for malicious state actors looking to make a political point — often to undermine the West — but experts don’t expect to see much of that during this World Cup.

“Obviously Russia’s hosting it and they don’t want to be embarrassed,” DePeppe said. “Most pundits believe (and there’s some indication and evidence to it as well) that the black market and the cybercrime factors in Russia have some connection to the government.

“… We don’t think it’s going to be a benign environment, but I think rather than a highly publicized cybercrime effort, what will likely occur will be harvesting of credentials.”

Instead of using cyberattacks to wreak havoc during the World Cup itself, DePeppe said, cybercriminals will target visitors to gather information they can exploit later.

“There’ll be watering holes, there’ll be phishing attacks — it’s all about identifying current and future targets,” DePeppe said. “I don’t think it’ll be just phishing, I think it’ll be multiple attack vectors.”

What are watering holes? DePeppe explained that people visiting Russia for the World Cup represent a captive audience for cybercriminals, because those without mobile data plans will be more willing to log into hotel WiFi, or social media or web sites that purport to be associated with the World Cup.

“The whole idea is to get them to click on it in order to infect their device,” he said. “That’s a watering hole.”

The aim is to “gain a footprint, a bridgehead if you will, through identifying targets, identifying the visitors, finding ways to identify their emails, identify their affiliation with companies and so on,” he said. It’s all information that can be used to launch other cyberattacks.

Attacks on sponsors will also be less likely than usual at this World Cup, DePeppe said.

Any cyberattack that causes embarrassment or undermines sponsors’ investment “is less likely because Russians want to attract investment and they want to project themselves as being good hosts,” he said, “so that kind of attack during the games would undermine Russian state interests. But I think later, once they secure an access point, [monetizing] it through cybercrime is very plausible.”

We shouldn’t expect to see a conflict-free World Cup, though.

“The other area that we agree with other analysts will occur [is a combination of] social media and unfortunately physical security attacks,” DePeppe said. “There’s quite a bit of publicity out there about the [Russian] Ultras — they’re essentially anarchists that are looking to use sport as a vehicle for attacks. And I think some of this will be state supported, because clearly [between] Russia and Britain there’s a lot of tension right now, so there’s already a lot of publicized accounts of [Ultras] planning to conduct physical attacks particularly on U.K. citizens… .

“It’s more propaganda. It will be tying together incidents, fusing physical attacks, cyberattacks and social media to propagate a false narrative. For an example — hypothetical — if Russian Ultras were planning to initiate an attack but there’s an instance of a British citizen fighting back, [they’ll] take that video or image, post it on social media, and make it look like the British are instigating. You know, leverage the history of hooliganism … to turn it against Great Britain — they’re ‘bad guests’ and that kind of stuff.

“It’s multidisciplinary,” he added. “It’s active measures or influence operations — that’s the Russian strategy.”