ESET alerts about World Cup scams

Security writer at ESET, Tomas Foltyn, discusses the dangers posed by various scammers and cyber criminals during the forthcoming football World Cup in Russia.

Have you been looking forward to the 2018 FIFA World Cup? So have scammers, kicking it up a notch and looking to cash in on the hype surrounding the quadrennial soccer extravaganza. The fraudsters will attempt to gain access to your personal data, typically credit card details or login credentials, using various methods. What are some of the scams that you may encounter?

Sting in the tail
One common method is to tout a variety of “wares” in large-scale campaigns: cheap match tickets, ticket-inclusive hospitality packages, accommodation-booking services, flights to match-hosting cities, to name just a few. These “bargains” are typically hawked via fraudulent emails or social media posts and messages that, as is their wont, play on people’s emotions. Who doesn’t like a good deal, after all?

Naturally, there’s a kicker. Once the targets are bamboozled into believing that the spam offers something they want or need and click on the provided link, they end up on a phishing website that can convincingly imitate World Cup branding or might even be an outright duplicate of the genuine site. Having been requested to do so, the recipients dutifully input their personal information so they can pay for and receive their “tickets”. Armed with credit card details thus provided, the attackers will raid the victims’ bank accounts.

Fraudsters also impersonate FIFA, its sponsors, or event sponsors and partners such as Visa, Adidas or Coca-Cola, to send missives to congratulate you on your “win” in a lottery. In order for your “prize” to be released, they will ask for your personal details and/or request a payment upfront in a kind of “advance-fee scam”.

Other scams may focus on travel visas or the Fan ID, the latter being an identification document required by Russian authorities to gain admittance to a match along with a valid ticket. Furthermore, using fake offers or counterfeit websites, fraudsters may attempt to sell you bogus World Cup merchandise or dupe you into joining in fake giveaways.

Even if you have no intention of visiting a World Cup venue, you may receive an email or social media message that contains a malicious attachment or link, supposedly to games, apps, footage of highlights, videos with hot news about players, or other tempting content. With the “help” of malware such as a banking Trojan implanted on your machine after you open the attachment or click the link, the attackers may extract your financial information.

In another common scenario, you may be offered the chance to watch games for free on a malicious – or legitimate, but compromised – live-streaming website. All that you’re then asked to do is download additional software or update an existing program (such as Flash Player), but in doing so you inadvertently end up compromising your computer with malware or unwanted software such as adware or a browser hijacker.

Attackers may also gain access to your personal data when you connect to a public Wi-Fi hotspot. They can set up a rogue hotspot that can sport a generic name like “Free Wi-Fi” and act like a decoy. Even the use of a legitimate public Wi-Fi network isn’t safe unless the connection is secured. Attacks at insecure hotspots are typically “man-in-the-middle” attacks, where an attacker is able to intercept your data on its travels.

Another threat looming large over tourists is ATM scams. Russian law enforcement officials recently issued a warning about fraudsters buying retired cash machines with the aim of refitting them so as to target tourists. There is also good ol’ ATM skimming that secretly swipes your payment card information in a practice sometimes aided and abetted by other tools, such as fake keypads or hidden cameras.

Showing the red card to scammers
FIFA has warned that match tickets are only available on its site, while official ticket-inclusive hospitality packages are only available through an appointed company and its sales agents. A number of ticket listings and sites claiming to sell tickets have been removed, but we’re unlikely to have seen the last of them. The same goes for fake offers on legitimate (e.g. auction or social media) sites. By purchasing tickets from anywhere other than the official source, you’re very unlikely to gain admission to the stadium.

Basic online defenses apply here, too. This includes being astute in recognizing phishing messages, which rely on techniques that have been around for several decades and yet remain some of the most effective methods for fraud used by cybercriminals. Be wary of too-good-to-be-true and out-of-the-blue offerings and communications that ask for your sensitive information – a request at the heart of any phishing attempt. Legitimate organizations such as banks should never ask for your details by email. Similarly straightforward guidance extends to lottery scams: lottery companies do not ask for payments upfront in order for you to collect a prize.

Don’t assume that a website is legit just because it has that comforting green padlock (i.e. the HTTP Secure/HTTPS sign) to the left of the URL. A secure connection and a secure site are two different things. Scammers, too, are increasingly embracing HTTPS. Similarly, the mere fact that a site appears in a Google search doesn’t mean that the site is genuine. Malefactors can boost their sites’ search rankings via search engine optimization (SEO) strategies or paid ads. Use only tried-and-true channels to receive the latest updates on your favorite teams and players.
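The padlock point above can be made concrete with a link check that treats HTTPS as necessary but not sufficient and trusts only an exact match against the official host. This is an added example, not code from ESET or FIFA; `tickets.official.example` and the sample links are constructed placeholders, since the article does not name the official domain.

```python
from urllib.parse import urlsplit

# Assumption: placeholder for the one official ticketing host. Take the real
# value from a trusted source, never from the message being checked.
OFFICIAL_HOSTS = {"tickets.official.example"}


def assess_link(url, official_hosts=OFFICIAL_HOSTS):
    """Return (verdict, reasons) for a link received by email or social media."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return "do-not-trust", ["URL cannot be parsed"]
    host = (parts.hostname or "").rstrip(".").lower()
    reasons = []
    # HTTPS only says the connection is encrypted, so it is checked but it
    # never makes a link trustworthy on its own.
    if parts.scheme != "https":
        reasons.append("connection is not HTTPS")
    # In "https://brand@other.example/" the browser goes to other.example.
    if parts.username is not None:
        reasons.append("text before '@' is not the site name")
    # Punycode labels can be displayed as characters that mimic a brand name.
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label may render as a lookalike name")
    # Exact match only: a brand name used as a subdomain of another site fails.
    if host not in official_hosts:
        reasons.append(f"host {host!r} is not on the official list")
    return ("official" if not reasons else "do-not-trust"), reasons


# Constructed sample links; all but the fourth would show a padlock.
SAMPLES = [
    "https://tickets.official.example/match/1",
    "https://tickets.official.example.cheap-seats.example/match/1",
    "https://tickets.official.example@cheap-seats.example/",
    "http://tickets.official.example/",
    "https://xn--tckets-dva.official.example/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        verdict, why = assess_link(link)
        print(f"{verdict:13} {link}")
        for reason in why:
            print(f"              - {reason}")
```
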

Likewise, don’t assume that a public Wi-Fi network is legit. Even if they’re not set up by cybercriminals, many public wireless access points (WAPs) can leave you vulnerable to dangers simply because they’re unsecured. Attackers can easily use an unencrypted Wi-Fi connection to eavesdrop on the traffic and pick up sensitive information that you type, as well as inject malware into the traffic. Avoid using online banking or personal shopping on insecure connections and/or use a reputable virtual private network (VPN) to encrypt traffic between your device and the internet.

As for not falling victim to ATM skimming, the simplest precaution is to use cash machines in high-traffic areas, together with keeping a keen eye for anything that looks out of the ordinary or that shows that the machine may have been tampered with.

Fever pitch
As we inch closer to the World Cup, the attackers will seek to exploit the fever that will increasingly grip footie fans. Anything related to the tournament and players will be hot news, which ultimately increases the likelihood that a victim will click a malicious link or open a malicious attachment. At the risk of repeating ourselves, the bottom line is never to succumb to the temptation if the message comes from an unknown sender, or if it is an unsolicited message from a known sender, since it’s easy to spoof email addresses. And, as the old soccer adage says, when in doubt, kick it out!