Sporting events, like the upcoming FIFA World Cup Qatar 2022 (Qatar 2022 World Cup), attract massive attention from every corner of the world. Just think, the last edition of the tournament in Russia was watched by a combined 3.57 billion viewers, equating to more than half of the global population aged four and over. 

Unfortunately, football fans aren’t the only ones tuning in to watch some of the best players in the world defending their national colors. Cyber threat actors, with varying resources and motivations, are highly interested in these eye-catching events too.

Scams can take many forms. For instance, financially motivated threat actors often plant malicious URLs that spoof these events and lead to fraudulent sites, hoping to maximize their chances of scamming naive internet users for a quick (illicit) profit. At the same time, hacktivist groups may exploit the public attention given to such events to exponentially increase the reach of their message. State-sponsored advanced persistent threat (APT) groups may also decide to target global sporting events like the Qatar 2022 World Cup to pursue state goals against the hosting country or the broader event community.

In short, plenty of threat actors are interested in this sort of event. So, it is extremely important to shine a light on some of the most pressing cyber threats to prevent and mitigate them ahead of time. That’s why we’ve decided to start our research well ahead of time and use all our resources to showcase some interesting examples of how threat actors could exploit the Qatar 2022 World Cup to conduct malicious activity.

Research methodology

For the purpose of this research, the Photon Intelligence Team set up a detailed alert system to collect examples of cyber threats to the Qatar 2022 World Cup over the course of ninety days. These potential incidents fall under four categories: brand protection, cyber threat, physical protection, and data leakage. Most incidents pertained to the cyber threat category, and included malicious webpages, marketplace listings, and exposed files.

After triaging said incidents to remove false positives, we collected the true positive incidents to analyze them and better comprehend how attackers were targeting the Qatar 2022 World Cup. Check the following paragraphs for some valuable insights into their tactics, techniques, and procedures (TTPs). 

Impersonating domains

Impersonating domains are a popular choice among threat actors, who often use them in the early stages of their malicious operations. Threat actors typically set up impersonating webpages to mimic legitimate, trusted organizations and conduct hostile activity. This could include stealing personally identifiable information (PII), login credentials, and financial data, as well as dropping malicious payloads on victims’ machines. Impersonating domains are a thorny problem for most brands, as our 2021 research proved, when we detected an average of 1,100 impersonating domains and subdomains per year per Digital Shadows (now ReliaQuest) client.

To set up these malicious webpages, threat actors usually choose domain names similar to a legitimate website to trick users into clicking on them. To tweak the original domain, the attackers may substitute alphanumeric characters (goggle[.]com instead of google[.]com), misuse a top-level domain (TLD) (google[.]info instead of google[.]com), or include a related word (google-info[.]com, for example). Once a domain is registered, to avoid detection and takedowns, threat actors will also often register with a known bulletproof hosting provider, which typically protects them against law enforcement activity too.
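The three tweaks described above can be checked for mechanically when reviewing newly observed domains. The following is an added example, not code from the original research: it tags candidate names against a protected domain using the page's own google[.]com illustrations, and goes slightly beyond the text by also folding a few digit lookalikes. The `LOOKALIKES` table, the function names, and the `g00gle-login[.]net` sample are assumptions constructed for illustration.

```python
# Added example: tag candidate domains with the tweak types described above.
# LOOKALIKES and the sample candidates are constructed for illustration.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def registrable_parts(domain):
    """Return (label, tld). Assumes a single-label TLD (no 'co.uk' handling)."""
    parts = domain.lower().replace("[.]", ".").strip(".").split(".")
    if len(parts) < 2 or not all(parts):
        raise ValueError(f"not a domain name: {domain!r}")
    return parts[-2], parts[-1]


def edit_distance(a, b):
    """Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate, legit, max_edits=1):
    """Return the tweak types that make `candidate` resemble `legit`."""
    brand, legit_tld = registrable_parts(legit)
    label, tld = registrable_parts(candidate)
    brand_n, label_n = brand.translate(LOOKALIKES), label.translate(LOOKALIKES)
    tags = []
    if label != brand:
        if label_n == brand_n or edit_distance(label, brand) <= max_edits:
            tags.append("character-substitution")
        elif brand_n in label_n:
            tags.append("related-word")
        else:
            return []  # label does not resemble the brand at all
    if tld != legit_tld:
        tags.append("tld-swap")
    return tags


def scan(candidates, legit):
    """Map each suspicious candidate to its tags; clean names are omitted."""
    findings = {c: classify(c, legit) for c in candidates}
    return {c: tags for c, tags in findings.items() if tags}


if __name__ == "__main__":
    sample = ["goggle[.]com", "google[.]info", "google-info[.]com",
              "g00gle-login[.]net", "google[.]com", "example[.]org"]
    for name, tags in scan(sample, "google[.]com").items():
        print(f"{name:22} {', '.join(tags)}")
```

Short brand labels produce many hits at an edit distance of 1, so results from a check like this still need triage before any takedown request.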

As part of our research, we’ve identified 174 malicious domains impersonating official webpages belonging to the Qatar 2022 World Cup. The level of sophistication used by attackers to mimic the original domains varied greatly, ranging from low quality, obvious phishing pages to more refined efforts mimicking animations and logos. Among these pages, a notable example was the qatar2022[.]pro impersonating domain. As you can see below, the attackers here merely changed the TLD to deceive users into trusting this webpage.

High quality Qatar 2022 impersonating domain

The qatar2022[.]pro domain is flagged as a phishing domain by multiple security providers. Still, it is a high quality impersonating page, with many details closely resembling the original page. Upon further inspection, we noticed that most links within the page redirected to official Qatar 2022 World Cup pages. However, clicking on the chat box (visible at the bottom right of the above screenshot) redirects to a malicious URL likely controlled by the attackers for further malicious activity. Although we can’t be sure about the attackers’ motivations driving the creation of this fraudulent webpage, it is likely that they’re aiming to target fans and ticket buyers with the purpose of stealing financial data and sensitive private information.

The malicious web page where we landed after clicking on the chat box

Fake mobile apps

Along with a reputable domain name, most organizations have now developed their own mobile app, used to communicate with customers, create engagement, and foster brand loyalty. The Qatar 2022 World Cup is no exception, with FIFA currently maintaining multiple official apps across legitimate app stores. In fact, along with domains, mobile apps pertain to that category of highly valuable intangible assets maintained by every organization with an online presence. 

At the same time, mobile apps constitute an expansion of the attack surface for every organization. For every legitimate app developed by the World Cup organizers, there are dozens of fraudulent apps that are distributed via unofficial app stores. These malicious apps constitute a risk for customers and developers alike—and they can be easily found online using the most common search engines.

Beware of mobile apps downloaded from sketchy, unofficial websites

For the purpose of this research, we identified 53 impersonating mobile apps from fraudulent stores over the past 30 days – with some even available on legitimate sites like the Google Play store. Once again, the sophistication of the apps varied greatly; however, they largely shared one purpose: deceive users into downloading them.

Threat actors can develop fake mobile apps to install adware, steal PII and financial data, extract cookies and credentials, and download further payloads (such as spyware) from a remote-controlled domain. As with impersonating domains, fraudulent apps can constitute a considerable initial access point for attackers who can then pivot from the targeted environment to carry out other attacks. 

Fraudulent social media pages

Talking about intangible assets, social media pages have become a central pillar for every organization’s communication strategy in the past ten years. Nowadays, such pages are necessary to build a brand, generate new business, and resolve customer issues. 

Every day, millions of internet users visit their favorite social media pages to stay abreast of new releases, offers, and timely information. The same thing obviously happens with global events such as the Qatar 2022 World Cup, with fans flooding the official pages to learn everything about what will happen over the course of the tournament.

It should come as no surprise that threat actors attempt to exploit this commodity as well. Based on our experience, the majority of fraudulent social media pages are created by financially motivated cybercriminals on the lower end of the sophistication spectrum. However, in the past, security researchers also observed APT groups using social media pages to spread disinformation and to gather sensitive information about targeted individuals. Additionally, the North Korean-sponsored APT Lazarus has repeatedly been caught targeting job seekers on LinkedIn with fraudulent job ads to trick them into clicking on malicious links.

During our research we collected dozens of social media pages impersonating assets belonging to the Qatar 2022 World Cup. The majority of these pages host harmless content; however, we also identified multiple Facebook pages exploiting the Qatar 2022 World Cup brand and logos to spread scams such as pyramid schemes, as you can see in the example below.

100% NOT a pyramid scheme

Social media pages are not the only concern when it comes to brand and logo theft. VIPs and executives can also be impersonated to conduct social engineering attacks. One of the most common tactics used by threat actors when impersonating executives is business email compromise (BEC), a method where an email or social media message coming from a fake VIP profile deceives employees into taking a certain action (usually transferring money to an attacker-controlled bank account). In 2019, the FBI dubbed this tactic the “$26 Billion scam”, given the high losses associated with this social engineering method.

Facebook pages impersonating current FIFA president Gianni Infantino

Stolen credentials

In May 2022, Digital Shadows (now ReliaQuest) published a research report on account takeover (ATO), analyzing more than 24 billion credentials collated over the past years to portray a picture of this endemic issue for individuals and organizations alike. In this paper, we highlighted three main things that enable attackers to conduct said attacks: the ever-expanding digital footprint, human and technological limitations when it comes to secure authentication, and (once again) weak and exposed passwords.

Stolen credentials can be obtained in a myriad of ways, including social engineering and malware deployment. However, the most common way to obtain credential pairs is buying them through a dedicated cybercriminal marketplace, forum, or automated vending cart (AVC). 

As you can see in the example below, during our research we identified multiple advertisements of raw logs that were stolen using the “Redline” malware. This malware collects information from browsers such as saved credentials, autocomplete data, and credit card information. At the same time, it harvests information about the compromised machine, such as operating system (OS) information, system hardware, process, language, and more.  

Example of raw logs pertaining to Qatar 2022 World Cup assets sold on cybercriminal forum

Buying similar logs can allow any threat actor to extract the credentials that the affected account’s owner may have entered on their machine when Redline was operating. Once in control of a user’s credentials, the attackers can access said account most of the time, unless proper defenses like multi-factor authentication (MFA) were previously put in place.

Hacktivist threat

Throughout 2022, we’ve observed a significant resurgence in hacktivist operations, due to the outbreak of the Russia-Ukraine war that started in February 2022. Since then, several pro-Russian and pro-Ukraine hacktivist groups have conducted a series of cyber attacks to disrupt their adversaries. Most of the observed attacks were crowdsourced distributed denial of service (DDoS) attacks, website defacements, and data destruction operations. 

Monitoring for communication channels devoted to the organization of similar operations can go a long way in mitigating potential hacktivist attacks. As you can see in the example below, in 2014 some threat actors preferred internet relay chats (IRCs) to organize DDoS attacks. Nowadays, most of the high-profile hacktivist groups—such as the pro-Ukrainian “IT Army of Ukraine” or the pro-Russian “KillNet”—prefer using platforms like Telegram to prepare cyber attacks and distribute targets.

Example of how threat actors organized DDoS attacks on the occasion of the FIFA World Cup Brazil 2014

Monitoring social media posts can also provide crucial insight on hacktivist operations. Contrary to financially-motivated threat actors and espionage-focused APTs, hacktivist groups need to claim their attacks in order to give resonance to the ideological message they’re putting forward. This means that they frequently advertise their operations on open communication channels, favoring attribution efforts and—in some cases—also supporting remediating strategies.

Anonymous protesting against Iran’s participation at the Qatar 2022 World Cup

Given the high level of activity carried out by hacktivist groups in 2022, it is realistically possible that said groups will target the 2022 Qatar World Cup to some extent. Hacktivist groups could target the organizers or the sponsors of the tournament, and may do so using DDoS, defacement, or data destruction attacks.

Ransomware and Initial Access Brokers

Last but not least, Qatari and foreign organizations responsible for organizing this tournament may also be targeted by ransomware attacks. Ransomware is arguably the most relevant cyber threat for many companies at the moment, given the significant number of cybercriminal groups conducting this activity and the damage caused by these attacks. Although we observed ransomware activity slowing down in Q3 2022, numerous high-profile attacks impacted organizations in the past months, confirming ransomware’s role in the current cyber threat landscape. If you’re interested in a regional and industry breakdown of all things ransomware observed in the past quarter, check our Q3 2022 ransomware blog.

The “LockBit” ransomware group names a Qatari victim on its data-leak site

Other threat actors that should be closely monitored ahead of the Qatar 2022 World Cup are initial access brokers (IABs). In the complex ransomware ecosystem—one made of operators, developers, affiliates, and more—IABs act as middlemen, establishing access to various networks and selling it to other cybercriminals. Given that the ransomware criminal business is arguably one of the most profitable ones in this particular market, IABs and ransomware groups have often gone hand in hand. Monitoring for IAB listings can give organizations an edge in proactively mitigating this threat and preventing ransomware and other cybercriminal endeavors.

User advertises Citrix access to a Qatari organization in the high-profile Russian-language cybercriminal forum Exploit

It’s time to update your threat model!

Now that we have discussed some of the critical threats to the Qatar 2022 World Cup organizing bodies and their key partners and sponsors, you may ask yourself “Should I be worried about this?”. The answer to this question—one asked on a daily basis about the wildest array of threats—is quite simple and involves taking a risk-based approach to these issues. 

A risk-based approach enables your organization to adapt its cybersecurity program to specific needs and vulnerabilities by considering the potential impact of a certain phenomenon and its likelihood. As such, along with observing the main threats, it is essential to analyze the motivations and capabilities of the actors that could potentially conduct malicious campaigns against you.

Conducting this analysis well ahead of massive events like the Qatar 2022 World Cup will allow your organization to plan ahead and proactively defend against these threats. Taking a risk-based approach will also enable your organization to effectively prioritize threats and allocate (limited) resources accordingly, strengthening the robustness of your defenses. 

Implementing simple cyber hygiene strategies can go a long way in preventing cyber risks for your organization. Here are some of the most common steps that can be taken by people and organizations to increase their security posture:

  • Take a risk-based approach to review potential threat actors and their TTPs. Distribute your resources accordingly and update your threat model as the landscape evolves.
  • Be careful with what information is shared online or on social media. By disclosing things such as pet names, schools attended, family members’ names, and your birthday, you can give a scammer all the information they need to guess your password or answer your security questions.
  • Avoid clicking on anything in an unsolicited email or text message asking you to update or verify account information. Independently search for the company’s official contacts and call them to verify the legitimacy of their request. 
  • Carefully examine the email address, URL, and spelling used in any correspondence. Threat actors use slight differences to trick your eye and deceive you into doing actions that help their goals.
  • Set up two-factor (or multi-factor) authentication on any account that allows it, and never disable it. Although MFA is not a silver bullet against threat actors, this security method can be extremely helpful to offset lazy and opportunistic cybercriminals.
  • Update firmware and operating systems with the latest patches ahead of the beginning of the event. Leveraging software to detect, identify and prioritize vulnerabilities can ease this process.
  • Make sure you only use legitimate app stores such as the Apple and Google stores when downloading applications. Also, ensure you review security and access permissions granted to these programs. 

Whether you’re concerned about impersonating domains, fraudulent social media pages, or chatter in cybercriminal forums, Digital Shadows has got you covered! Our platforms can help you quickly identify cyber threats targeting your organization, allowing you to remediate them before they cause serious damage to your business. Interested in seeing how it works? Feel free to request a free demo of SearchLight here. Additionally, you can get a customized demo of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) to gain visibility of your organization’s threats and potential exposures, including access to a finished threat intelligence library with MITRE associations and mitigations from Photon Research.