Cybercriminals are using the Fifa World Cup to launch scams and steal credentials, warns FortiGuard Labs, the research arm of cybersecurity firm Fortinet.
New research from FortiGuard Labs reveals cybercriminal infrastructure linked to this year's World Cup is already operational. The tournament runs from Thursday to July 19.
From January to May, more than 13,000 new World Cup-themed domains were registered.
Roughly 8.8% of these domains were identified as malicious or suspicious through pattern analysis and scam activity, noted the research, misusing Fifa branding and including terms related to ticketing, streaming services, betting platforms and hospitality.
Threat actors have created hundreds of fake websites that appear legitimate enough to earn fans' trust for a few critical seconds while they search for tickets, resale options, match streams, travel packages and official merchandise.
Among the threats are phishing and fake ticketing sites, resale scams, counterfeit merchandise stores, malicious betting and streaming apps, impersonation accounts, fake job offers, cryptocurrency scams and exposed credentials linked to malware or past breaches.
Fake Ticketing
Ticketing scams are among the most visible threats because they exploit scarcity. Fans unable to secure tickets through official channels often turn to resale websites, social media groups, Telegram channels, search ads or peer-to-peer marketplaces.
Attackers capitalise on this urgency by promoting bogus limited-time discounts to pressure victims into making quick decisions.
The report also documents ticket scams advertised on underground forums and Telegram channels. Some campaigns bundled fraudulent match tickets with counterfeit flight and hotel packages to make the offers appear more complete and credible.
FortiGuard Labs also identified more than 1,700 suspected Fifa-related impersonation accounts and channels across social media and messaging platforms. Nearly 90% of these cases were on Facebook and Instagram.
Fake Job Postings
The World Cup also generates demand for temporary workers, contractors, hospitality staff, logistics personnel, media support and event-specific roles. This demand provides attackers with another attractive target.
For example, a credential-stealing scheme used fake Fifa-related job ads and sponsor recruitment posts.
The attackers sent calendar invites and directed victims to phishing websites with a counterfeit Google login page. When victims entered their credentials, they received a generic error message, enabling the attackers to capture their information.
The report also found evidence of Fifa-related activity within stealer log telemetry.
FortiGuard Labs detected more than 4,600 URLs associated with Fifa in stealer logs. In addition, the research uncovered more than 260 Fifa employee credentials and over 270,000 credentials from users and fans visiting Fifa-related websites in delimiter-based stealer log data.
The company also found more than 1,500 records of Fifa-related employee and organisational accounts in past breach datasets.
This does not imply that all exposed accounts are currently active or being exploited. However, threat actors now have access to data that could facilitate credential stuffing, account takeover, targeted phishing, impersonation and fraud, according to the research.
The report advised organisations in sports, travel, hospitality, media, retail, finance, government, transport and critical infrastructure to start their defensive preparations early during high-profile global events.
Security teams need to monitor for lookalike domains, brand impersonation, malicious advertisements, fake social media profiles and credential leaks involving employees, partners and customers.
They should also assess protections against phishing, malware, credential theft and account takeovers.
