Cyber Threats to the Qatar World Cup 2022 | Brandefense

16/01/2023

Last updated on January 25th, 2023 at 05:40 pm

The 2022 FIFA World Cup, hosted by Qatar between November 20 and December 18, attracts the attention of cyber threat actors as well as millions of sports fans. International sports competitions and similar events are targets that financially motivated threat actors rarely pass up. This article looks at the fraudulent activities and cyber threats carried out within the scope of the 2022 FIFA World Cup.

In all significant sports competitions held in recent years, there has been an increase in both domain name registrations built on the names of the events and fake ticket sales. Threats targeting the 2022 FIFA World Cup include tournament-related phishing/social engineering attacks, fake malicious mobile apps that appear to be related to the event and aim to capture user data, fake ticket sales in dark web markets, and ransomware threats.

So let’s take a look at the details of the threats mentioned.

Table of Contents

  • Dark Web Analysis of Qatar World Cup
    • Black Market Sales
    • Phishing Domains
    • Fake/Malicious Mobile Apps
    • Fake Social Media Pages
    • Stolen Credentials
    • Malware Activity
  • How To Prevent These Threats with Brandefense?

Dark Web Analysis of Qatar World Cup

Devoted fans want tickets and merchandise for their favorite teams and for the World Cup itself. This demand opens a wide door to fraudulent activities.

Threat actors on specific Deep Web/Dark Web forums have been found to sell fake tickets for the FIFA World Cup 2022 Qatar. In addition, in the Dark Web analysis, it was observed that the details of the accounts created on the platforms related to the FIFA World Cup 2022 Qatar were put up for sale.

Black Market Sales

In the studies carried out in the Deep Web markets, it has been determined that the accounts of the Hayya platform, which is provided for World Cup participants to enter Qatar and access other services such as tickets and transportation, are put up for sale for a certain fee.

Black markets are the data warehouses of the Dark Web. On these platforms, data such as RDP/SSH access, account login information, IP addresses, cookies, users' identity information, and stolen credit cards, obtained through malware that has infected victims' systems, are offered for sale illegally.

Figure 1: Account sale for the domain hayya.qatar2022.qa
Figure 2: Citrix Access Sale of an Organization Serving in Qatar

Phishing Domains

In the previous section, we mentioned that fans are eager to buy tickets and products for their favorite team. In this section, we focus on phishing pages created to defraud fans with the promise of selling tickets and merchandise that turn out to be fake. These phishing pages imitate platforms associated with the Qatar 2022 World Cup, deceiving targets and fans.

Figure 3: Phishing page claiming to sell official FIFA World Cup 2022 merchandise
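
A defender-side way to triage newly observed domains for the event-themed lookalikes described in this section, as an added example that is not part of the original article or of Brandefense's tooling. It assumes fifa.com as an official domain alongside qatar2022.qa (seen in Figure 1); the token lists, scores and `.example` sample domains are constructed for illustration.

```python
import re
from difflib import SequenceMatcher

# qatar2022.qa comes from the article (hayya.qatar2022.qa); fifa.com is an assumption.
OFFICIAL = {"qatar2022.qa", "fifa.com"}
BRAND_TOKENS = ("fifa", "hayya", "qatar2022", "worldcup")    # assumed watch list
LURE_WORDS = ("ticket", "shop", "store", "stream", "live", "login")
LEET = str.maketrans("0135", "oies")  # undo common digit-for-letter swaps

def is_official(domain):
    d = domain.lower().rstrip(".")
    return any(d == o or d.endswith("." + o) for o in OFFICIAL)

def triage(domain):
    """Return (score, reasons); score 0 means nothing brand-related was found."""
    d = domain.lower().rstrip(".")
    if is_official(d):
        return 0, []
    labels = [l for l in re.split(r"[.\-]", d) if l]
    flat = "".join(labels).translate(LEET)
    score, reasons = 0, []
    for tok in BRAND_TOKENS:
        t = tok.translate(LEET)  # normalise both sides the same way
        if t in flat:
            score += 3
            reasons.append(f"contains:{tok}")
        elif any(SequenceMatcher(None, t, l.translate(LEET)).ratio() >= 0.8 for l in labels):
            score += 2           # near miss on a single label, e.g. a doubled letter
            reasons.append(f"typo:{tok}")
    if score:  # lure words only count next to a brand hit
        hits = [w for w in LURE_WORDS if w in flat]
        score += len(hits)
        reasons += [f"lure:{w}" for w in hits]
    return score, reasons

# Constructed sample of newly observed domains (not indicators from the article).
SAMPLE = [
    "hayya.qatar2022.qa", "fifa-worldcup-tickets.example",
    "hayya.qatar2022.qa.login-portal.example", "f1fa-store.example",
    "fiffa.example", "weather.example",
]

def review_queue(domains, threshold=2):
    scored = ((*triage(d), d) for d in domains)  # (score, reasons, domain)
    return sorted(((s, d, r) for s, r, d in scored if s >= threshold), reverse=True)

if __name__ == "__main__":
    for s, d, r in review_queue(SAMPLE):
        print(s, d, ", ".join(r))
```

The third sample shows why the allowlist check compares the end of the name: an official hostname used as a subdomain prefix of an unrelated registrable domain is still flagged.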

Fake/Malicious Mobile Apps

Threat actors develop fake mobile apps to install adware, steal PII (Personally Identifiable Information) and financial data, extract cookies and credentials, and download more malware from a remotely controlled domain. More than one malware-distributing fake mobile application built around the 2022 FIFA World Cup in Qatar has been detected.

One of the fake/harmful mobile applications examined in the studies distributes AndroidRAT malware, which aims to capture user and system information on Android devices. The threat actors behind this malware have created a Facebook page called Koora 442, where users can visit and download a malicious application from a distribution site. In the posts shared on the page, it is stated that Facebook users can follow the World Cup matches live on the Koora 442 application by simply clicking on the given link. The site to which users are directed when the link is clicked requests installing the kora442.apk file on mobile devices for live tracking of the matches. If users click on the download button, AndroidRAT malware, which is responsible for capturing their data, is downloaded to their devices.

Figure 4: Malware analysis and VirusTotal Output of Kora442.apk file

Fake Social Media Pages

Threat actors acting with financial motivation create fake social media accounts very similar to the real ones to carry out disinformation campaigns, imitate brand VIPs and managers, and carry out social engineering attacks.

Lots of social media pages have been detected impersonating assets belonging to the Qatar World Cup. Most of these pages contain harmless content. However, multiple Facebook and Instagram pages have been observed using the Qatar World Cup branding and logos to engage in fraudulent activities.

Figure 5: Fake Instagram Account Selling Illegal Tickets to Qatar 2022 World Cup
Figure 6: A Fake Facebook Account Selling Products To Fans

Stolen Credentials

There has been a massive increase in fraudulent sites and similar scam sites claiming to offer free streaming of FIFA 2022 Qatar World Cup matches and asking targets to enter payment card details. Legitimate platforms such as Xiaomi, Reddit, OpenSea, and LinkedIn have been found to contain fake links that lead to these malicious sites.

Figure 7: A Phishing Page Aiming To Hijack Targets' Login Information

In addition to phishing pages targeting sensitive information of victims, it has been observed that threat actors create and sell fake cryptocurrency within the scope of the FIFA 2022 World Cup in order to make money directly from the targets.

Figure 8: Phishing platform selling fake cryptocurrency tokens

Malware Activity

Malware activities targeting the FIFA 2022 Qatar World Cup have been carried out through the distribution of cracked FIFA games or through fake websites claiming to provide free streaming services.

One of these malicious activities begins with the threat actors distributing a cracked version of the FIFA 23 game containing malware on the internet as the 2022 FIFA World Cup starts in Qatar. This game distributes the notorious RedLine trojan, which captures user and critical system data on the infected system.

This malicious activity was first observed in YouTube videos and comments containing cracked game download links. Clicking on the download link opens a website created for downloading the game. When the Free Download button on the site is clicked, a RAR file hosted on MediaFire is downloaded to the system. The RAR file, once opened on the target system, contains the RedLine malware.

Figure 9: YouTube Content with RedLine Malware Download Link
Figure 10: Additionally, the distribution of various malware was observed in the campaigns, such as Qakbot, Emotet, Formbook, Remcos, and QuadAgent.

How To Prevent These Threats with Brandefense?

Brandefense is a proactive digital risk protection solution for organizations. Our AI-driven technology constantly scans the online world, including the dark, deep, and surface web, to discover unknown events, automatically prioritize risks and deliver actionable intelligence you can use instantly to improve security.

Our digital brand protection solution helps you quickly detect and respond to digital threats such as botnet activities, data breaches, and fraudulent activities. It allows you to identify and respond to phishing attacks, as observed in the campaigns mentioned above. For this, Brandefense keeps its finger on the pulse of social media activities and phishing attempts 24/7.
