Watch Out For These 15 FIFA World Cup Phishing Attacks

FIFA 2010 World Cup

This is the moment the world has been waiting for. In this year's 19th FIFA World Cup, 736 players representing 32 teams from around the world are competing to take home the trophy for the World Cup at Soccer City in Johannesburg, South Africa. This event equals the Olympics as the sporting event with the most competing nations. Subsequently, for one month starting from June 11 to July 11, the World Cup will dominate the airwaves and the Internet as one the most internationally watched events since the 2008 Summer Olympic Games.

Not surprisingly, that fact is not lost on the spammers and malware authors, who never fail to capitalize on world events. True to form, they have bombarded Web traffic with a barrage of spam, phishing scams, and malware downloads, exploiting overwhelming worldwide interest that leads to high volumes of traffic.

Here are a few examples of what to watch for when perusing game scores or watching the latest World Cup play.

On Top Of Their Game

Everyone wants to find out the latest game scores for their country. And many users will enter a simple search like this one. But not all World Cup sites, such as this one provided by Fortinet, are legitimate or safe, despite their high ranking on Google's search pages. Meanwhile, spammers have employed search engine optimization techniques to move malicious sites to the top of the page rankings, banking on high volumes of traffic that will inevitably be first drawn to the links closest to the top. Meanwhile, Google's algorithms can't detect whether a site is safe or not.

To protect yourself from unknowingly clicking on a malware or spam site, pay close attention to the URLs when entering search terms related to World Cup. Go with familiar and trusted sites and steer clear of unfamiliar pages with unrelated terms. Or better yet, go directly to a site itself.

Personal Touch

The World Cup tournament is an international event, which makes it all the better for spammers. Clearly, attackers take advantage of the fact that they can target users from all over the world, like in this example, provided by Red Condor. Savvy spammers are creating phishing attacks and spam aimed local users in an array of international languages -- not just grammatically incorrect English, which allows them to specifically target individuals and local groups, as in this example.

In this particular image, the message entices Brazilian users with the message, "Watch the World Cup games at Aprobatum (a school in Brazil) Free admission."

The scheme obviously has a limited audience, lending it credibility. It also attempts to reel in victims with enticingly cute cartoon characters. However, they won't seem so cute and endearing to users when they click on the ad and download information-stealing malware onto their systems.

Winning Ticket

Everybody loves to be a winner. And even the grammatical errors and rambling, unintelligible phrases won't deter users from believing that they have won almost $2 million dollars from a weekly World Cup lottery if they want it enough.

In this spam image, provided by Fortinet, the attackers tell the victims that they are the recipients of a World Cup lottery prize of almost $2 million, which they claim was drawn at random. All that the "lucky winner" has to do is provide copious personal information that is likely be used for identity theft purposes, after downloading an attachment which could very well contain malware.

The spam message embodies a classic example of how scammers use both a high-profile world event and the promise of financial prizes to entice users to submit sensitive personal information.

Luckily, this scam is fraught with giveaway grammatical errors and misspelled words. But the old adage still applies -- if it seems too good to be true, it probably is.

Have Some Spam With Your World Cup Schedule

No doubt, during World Cup, EVERYONE is going to be looking for the latest game schedule. And attackers know this -- which is why it’s a pretty safe bet if they include the term "World Cup Schedule" or some derivative into a search phrase. Attackers are also deploying search engine optimization to shoot malicious and fraudulent pages up to the top of the Google's rankings. However, other than the subject lines, the spam sites often contain content completely unrelated to World Cup.

In this example, provided by Fortinet, there are a few dead giveaways that this is a spam site. For one, the site's domain is from Canada, rather than a .com or .net. Meanwhile, while the site contains "World Cup Schedules" in its search term, the URL OptimalFitness.ca, doesn't immediately appear to be related to game schedules. (Instead, it's more likely to be a quick lure to a Canadian pharmaceutical site.) Users who click on the link will likely be treated to unwanted spam or inadvertently download malware onto their computers.

When in doubt, trust your instincts and avoid visiting questionable sites. Instead, look for trusted and known sites for game schedules and other sought after World Cup information.

Damage Already Done

If victims receive this pop-up Web page, chances are they're already infected with malware. This image, provided by Symantec Hosted Services, served as a distraction for victims who have opened a malicious executable file, likely designed to steal data and link their computers to a global botnet. It's sole intention was to distract the victim with an interesting image that loosely pertained to the e-mail. This Web page pops up as a distraction once the victim downloads the executable and the malware alerts the command and control center that they have untold access to the victim's computer.

Double Whammy

Recipients of this attack, submitted by MessageLabs Intelligence, fell prey to a two-pronged approach when malware authors employed both an infected PDF attachment as well as a malicious link to distribute malware. The attackers lured in victims by spoofing a popular sportswear manufacturer sponsoring the FIFA World Cup. The message targets Brazilian firms with the subject line, "If Brazil wins, You also gain!" in Portuguese. Very little text in the body of the e-mail further entices users to click the link or open the attached file.

But do so at your own risk. The only thing that users will "gain" from opening the link or attachment is a big dose of malware on their computers. That's what we call a lose-lose.

Too Good To Turn Down

This is an offer that the attackers were hoping users couldn't refuse. In addition to a $500K prize, the lucky winners purportedly get to watch the World Cup games live.

Naturally, the attackers request personally identifying information, such as name and address, while sending victims along to a "claims agent" who will likely also request some kind of processing fee. Don't be fooled by the two-for-one offer. Chances are that sending any kind of personal information online in response to an unsolicited e-mail will only result in identity theft. Oh, and then once users pay the processing fee, attackers will have easy access to their credit card or bank account. So much for the "two-for-one."

But there are some giveaways. The message is chock full of grammatical errors and inappropriate caps, which will be enough for most users to know that this spam is obviously a hoax.

Gift Cards And Games

Second to the classic lottery scam is the classic credit card or gift card scam. In this attack, provided by Sophos, spammers use the glamour of the World Cup games as a hook to bait users into clicking on the advertisement. Who doesn't want a free $250 gift card? For that matter, who doesn't want to weigh in on the U.S. team's chances of success in an international sport? Meanwhile, that big yellow button looks awfully tempting, doesn't it?

But chances are, the only thing that users will receive by clicking on the button will be malware. Scammers and phishers will pretty much try any tactic to compel overzealous soccer fans into clicking malicious links and downloading malicious code, and a "survey" is as just a good an incentive as any. But it's best to play it safe and avoid clicking on unfamiliar or unsolicited links--no matter how tempting the big yellow button.

Tried And True

As during rest of the year, one of the most common World Cup scams is the classic lottery scam. A victim receives an e-mail informing them that they have won a monetary prize in some kind of lottery or contest. The attacker only asks that the recipient submit personally identifying information such as home address, e-mail and mobile number, as well as a "release fee" in order to transfer the winnings. This particular example, provided by McAfee, uses a popular World Cup image of Nelson Mandela holding the World Cup to further legitimize the ploy and pique users' curiosity of the popular worldwide sporting event.

Canadian Pharmacy -- It's Everywhere

Like certain credit cards, Canadian pharmacy spammers seem to be everywhere users want to be, including South Africa. Of course, there's no connection between the FIFA 2010 World Cup and a Canadian pharmacy spam campaign, but hey, it's worth a shot, right?

Researchers at MessageLabs Intelligence intercepted a spam for a pharmaceutical site using World Cup in the subject line to entice users into opening the e-mail. But this is way more than just a plea from spammers to buy cheap generic drugs. Attackers obfuscated the javascript in the attachment, which redirected the victim's browser to a different site associated with malware.

Again, not sure what Canadian pharmaceuticals have to do with the World Cup, but once the victim is at the site, it probably doesn’t matter.

Match Point

Malware authors like to play it safe, and distributing a free, but malicious, World Cup game schedule to soccer fans is a sure way to meet malware distribution quotas.

In this example, provided by MessageLabs Intelligence, malware authors launched a targeted attack encouraging recipients to open an Excel spreadsheet attachment that contained a malicious World Cup match schedule. In the body of the text, the attackers mentioned the Excel file several times and touted that the document "automatically calculates the position of each football team according to game scores and FIFA rules" and generates the schedule.

Ooh. Compelling. In reality, the file created a backdoor to users' computers, which enabled the attackers to stealthily access to sensitive personal and financial data stored on their PCs.

Remember, few things in life are free. But the good news for users is that World Cup game schedules are on that list---you just have to go to a reliable and trusted source.

Bogus Lotto

Yet another lottery scam. Although this one is so completely preposterous, it is barely worth mentioning. This time, the attackers are promising a $2 million cash prize to be shared between 15 lucky winners out of a total of $30 million. Well, at least the attackers can do elementary math, even if they can't write an English sentence.

As expected, the attackers request all the usual information; name, mobile number, address, etc. … and defer the "winner" to a "claims agent." The spammers create a sense of urgency by to by telling them to immediately email this "agent," or else risk losing their lottery winnings.

The egregious grammatical and typographical errors as well as the halting English should be a dead giveaway that this offer is completely bogus.

Short And Sweet

Simple yet effective. This spam message, provided by Symantec Hosted Services, is another lottery scam but doesn't waste words, unlike other identity theft schemes that dedicate paragraphs of explanations about a bogus contest or lottery. Besides, all the spammers really want is for the victims to download the attachment, which almost certainly contains malware. Why waste precious time and energy creating pages of text?

As always, avoid downloading attachments from unfamiliar sources.

Wishful Thinking: Vuvuzela Banned

What? The most annoying noisemaker in existence is banned from the World Cup? This particular spam message would entice just about anyone to open it. Of course the malware authors know this as well. This particular phishing attack, provided by Webroot, was delivered via Twitter, as malware authors capitalized on the long-maligned South African Vuvuzela to distribute malicious code. Their tricks apparently worked, driving people to click on infected links that downloaded malicious code onto their systems. In this attack, users retweeted the message that reads "OMG! Vuvuzela banned!" along with the hashtags of #worldcup and #vuzelabanned. Thus far, references to the malicious links number over 16,000, according to a Webroot blog.

The tweets use numerous link shortening services to disguise the fact that they lead to a fake image hosting Website -- ostensibly sourced in India with the .in domain. The Website eventually takes users to a page called Image Sheep, which silently incorporates their PCs into a global botnet.

Once again, the attackers exploited wishful thinking and deepest desires. In reality, the forsaken Vuvuzela isn't about to go away any time soon.

More Wishful Thinking: Anti-Vuvuzela Filter

Got to give the phishers some kind of credit for knowing how capitalize on human desires. (Then again, they are con artists after all.) This particular scam, provided by Webroot, the phishers are charging, that's right, charging, for an online anti-Vuvuzeal filter, which claims to eliminate the annoying Vuvuzela noise. Suckers who fall for the scam are gypped of almost 3 Euros for a download that is a complete fraud.

The South African horn known as the Vuvuzela makes that obnoxious buzzing noise during the World Cup matches but has been the subject of criticism from attendees and World Cup viewers who say that the horn is annoying and intrusive at best, or leading to hearing loss at worst.

The phishing site claims to "get rid of the Vuvuzela noise through active noise cancellation." However, all users get in exchange for their 2.95 Euros is a 45-minute long mp3 file that does, yep you guessed it, absolutely nothing.

The good news is that there are legitimate active noise cancellation solutions out there that use equalizers and bandpass audio filters. However, if in doubt, just do what your pioneer ancestors did and turn down the audio on your TV or computer.