The opening football match of the FIFA World Cup Qatar 2022 is just 10 days away, and while the tournament is surrounded by controversy over the host country’s human rights record, among other things, it will inevitably attract massive attention from all over the world, with a TV audience expected to number well into the billions.
Inevitably, the World Cup is also already starting to attract the attention of cyber criminals and other threat actors, who, as has been seen time and time again, are adept at appropriating significant events and incorporating them into their campaigns.
The Digital Shadows Photon research team have been tracking cyber threats coalescing around the World Cup over the past 90 days using a specially created alert system. They have found that, broadly, threats to the event can be arranged into four categories – brand protection, cyber threat, physical protection and data leakages. Of these, most of the observed activity relates to the cyber threat category.
“Scams could present themselves in many forms,” the Photon team wrote in a newly published online advisory. “For instance, financially motivated threat actors often plant in malicious URLs spoofing these events to fraudulent sites, hoping to maximise their chances of scamming naive internet users for a quick, illicit profit.
“At the same time, hacktivist groups may exploit the public attention given to such events to exponentially increase the reach of their message. State-sponsored advanced persistent threat (APT) groups may also decide to target global sporting events to achieve state goals to the hosting country or the broader event community.”
In the course of their research, the Photon team encountered hundreds of online threats, many of which are clearly set up to target the general public, exploiting both their anticipation and excitement, and their desire for more information about the World Cup, to lure them in.
Among the team’s discoveries were: over 170 domains impersonating official World Cup online properties, many of them phishing websites intended to steal their victims’ data; 53 malicious mobile apps, used to install adware, steal data and credentials, and download additional malware payloads; and dozens of fraudulent social media pages, some of them being used to spread dubious affiliate marketing or pyramid scams.
Countering such threats is, in general, a matter of remaining vigilant to the signs of a scam, not clicking on links in unsolicited emails, downloading apps only from official stores such as the App Store or Google Play, and seeking news and information from known, trusted media, such as the BBC or Sky.
It is also always worth bearing in mind the old adage that if an offer seems too good to be true, it probably is. Further guidance for consumers is available from the National Cyber Security Centre.
The Photon team also pointed to the possibility of more sophisticated cyber activity around the World Cup. For example, during their research, the team found multiple advertisements for raw data logs that had been stolen using the Redline malware. Redline is an infostealer used to gather credential pairs, autocomplete data and credit card information from its victims’ web browsers. It can also harvest other technical data about the compromised system.
Some of these data logs appear to relate to World Cup assets. Such information could be used to take over victim accounts and conduct further malicious activity.
The team also turned up some evidence that suggests more high-level, targeted activity may hit organisations involved in the tournament, such as sponsors, national teams, or organising bodies in Qatar, which may be targeted for disruptive, human-operated ransomware attacks. Lockbit – probably the most active ransomware cartel at the time of writing – is known to have attacked organisations located in Qatar.
No less impactful, and perhaps more so given their frequent courting of global media, is the possibility of hacktivist activity, which has been on the up and up during 2022, with groups such as Ukraine’s IT Army facing off against the likes of the pro-Moscow KillNet collective.
Anonymous, a group already globally renowned for its hacktivist campaigns, appears to have the World Cup in its sights. On 25 October, a group representative called on FIFA to ban the Iranian national squad in the light of Tehran’s brutal crackdown on anti-regime protests, signing off with Anonymous’s now traditional salutation, “Expect us.”
The Photon team added: “Given the high level of activity carried out by hacktivist groups in 2022, it is realistically possible that said groups will target the 2022 Qatar World Cup to some extent. Hacktivist groups could target the organisers or the sponsors of the tournament, and may do so using DDoS [distributed denial of service], defacement or data destruction attacks.”