Group-IB: 2018 FIFA World Cup Fans Should Remain Astute to Online FIFA Scams

Group-IB, the leading provider of intelligence-driven cyber-security, is urging 2018 FIFA World Cup fans to remain astute to rising fraudulent ticket and counterfeit merchandise sites using the 2018 FIFA World Cup trademark. In the last year leading up to the event the number of domains registered which could be used for malicious purposes has risen 37% and is still climbing. In total, over 37,000 such potentially malicious domains have been registered.

The first trigger was when Group-IB was contacted by an external party who had fallen victim to Internet fraud and not received goods that were purchased. Upon investigation, the site in question was found to be related to a group of resources, including websites designed to sell tickets to multiple events and domain names related to the World Cup 2018.

With our interest triggered, Group-IB used its threat intelligence and brand abuse systems to analyze all domains matching combinations of ‘FIFA’, ‘Russia’, ‘WorldCup2018’ and other such keywords, which generated literally thousands of results.

Growth in the number of domains connected with the FIFA brand, 20 years (Group-IB, 2018)

The first such domains appeared as early as 1996, and it is notable that they still exist. The majority of the resources appeared following the announcement that Russia would host the 2018 FIFA World Cup (Dec 2010), while others have only recently surfaced.

A growing threat: dynamics of new domains connected with the 2018 FIFA World Cup

Investigating the results of Group-IB Threat Intelligence and Brand abuse systems, Group-IB experts record annual growth in the number of potentially fraudulent domains – in total approximately 37,000 at the time of writing this article. A sharp increase began in 2014 with 3,000 names being registered, followed by 4,000 in 2015, 5,500 in 2016 and 13,500 in 2017.

At least 1,500 domains are designed to specifically target the 2018 FIFA World Cup in Russia, blatantly using the event name, host cities, year, and other details. Company experts note that some domains are already active, while others are registered but currently do not host any content.

This situation, however, is not necessarily unique. Group-IB’s experience protecting the 2014 Sochi Winter Olympics displayed that the activities of fraudsters drastically increased as the event got closer. Even if the domain is inactive, but registered, it is a real risk to the company and would-be fans. If a domain is registered with prepaid hosting, a phishing page designed to collect credentials or sell tickets can be created and promoted in just a few hours. It is essential that organizations monitor for such registrations and take action on them before they become an issue.

Andrey Busargin

Brand Protection Director at Group-IB
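The keyword matching and dormant-domain tracking described above can be sketched as follows. This is an added example, not Group-IB's system or code from the original article: the function names, keyword lists (the host cities are an illustrative subset), allowlist, look-alike map and sample feed are all assumptions constructed for illustration.

```python
import re

# Keyword groups based on the article: brand terms and event details.
BRAND = ("fifa", "worldcup")
EVENT = ("russia", "2018", "moscow", "sochi", "kazan", "ticket")
ALLOWLIST = {"fifa.com"}  # assumption: domains the brand owner controls
# Assumed mapping that undoes common digit-for-letter substitutions.
LOOKALIKES = str.maketrans({"1": "i", "0": "o", "3": "e", "5": "s"})

def registrable(domain):
    # Naive registrable domain: last two labels, no public-suffix handling.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def keyword_hits(domain):
    """Return (brand_hits, event_hits) for everything left of the TLD."""
    raw = re.sub(r"[^a-z0-9]", "", domain.lower().rsplit(".", 1)[0])
    forms = (raw, raw.translate(LOOKALIKES))  # as written, and de-obfuscated
    brand = sorted(k for k in BRAND if any(k in f for f in forms))
    event = sorted(k for k in EVENT if any(k in f for f in forms))
    return brand, event

def triage(records):
    """records: (domain, serves_content) pairs from a registration feed.
    Returns a watchlist; active, event-specific domains sort first."""
    out = []
    for domain, serves_content in records:
        brand, event = keyword_hits(domain)
        if registrable(domain) in ALLOWLIST or not brand:
            continue
        out.append({
            "domain": domain,
            "keywords": brand + event,
            "event_specific": bool(event),
            # Dormant domains stay listed: content can appear within hours.
            "status": "active" if serves_content else "dormant",
        })
    out.sort(key=lambda e: (not e["event_specific"],
                            e["status"] != "active", e["domain"]))
    return out

# Constructed sample feed (not real observations).
SAMPLE = [
    ("f1fa-russia2018-tickets.example", False),
    ("worldcup-moscow.example", True),
    ("www.fifa.com", True),
    ("fifafanclub.example", False),
    ("gardening-tips.example", True),
]

if __name__ == "__main__":
    for entry in triage(SAMPLE):
        print(entry)
```

Re-running the triage on each feed update and alerting when an entry's status changes from dormant to active gives the early warning the quote calls for.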

How online fraudsters make money out of large-scale events: main stages in organization of phishing attacks (Group-IB, 2018)

Riding the Hype

Analyzing the situation, Group-IB specialists can identify a number of types of fraud. Some websites and ads offer tickets with a surcharge of more than 600%. See the screenshots below:

Screenshot of a ticket offer on etickette.com and ticket2018.com. First-category ticket costs up to USD 6,692, while the highest price on the official FIFA website is USD 1,100. (Group-IB, 2018)

Screenshot of an ad on Avito and eBay with a photo of tickets for the World Cup final (Group-IB, 2018)

In some classified ads, there are pictures of legitimate-looking tickets, while according to FIFA rules they will only be delivered beginning April 2018. When we contacted the owners of websites selling tickets, they acted cautiously. They offered to sign a contract and pushed for 100% payment, but warned that tickets would only be delivered in April 2018 when they are released. Additionally, they indicated that the contract would not mention the purchase of tickets specifically for the 2018 FIFA World Cup. Group-IB Brand Protection experts also reviewed advertising and identified unauthorized advertisements pushing ‘customers’ to unofficial resources when searching for “2018 FIFA World Cup Tickets”, “WorldCup 2018 Tickets” and other such keywords.

Illegal sellers are also preparing for the event. The number of offers connected to queries with the 2018 FIFA World Cup has increased 12 times, from 336 to 4,200 ads in just 3 months. The most common ads offer merchandise, such as coins, T-shirts, pendants or mascots.

In addition to classified ads, social media sites are becoming more active. At present, there are 200 active groups on VK.com (the Facebook equivalent for Russia) which abuse the 2018 FIFA World Cup brand or sell merchandise. Some groups offer help to purchase tickets.

An example of a group in VK.com offering help purchasing tickets to the 2018 FIFA World Cup (Group-IB, 2018)

Total number of offers connected with the selling in online classifieds of illegal promotional merchandise with 2018 FIFA World Cup symbols (Group-IB, 2018)

It is essential to track dormant domains, even if they do not present an issue at the moment. The examples of existing websites given above indicate that not enough is being done to protect the 2018 FIFA World Cup brand, or foreign and Russian fans. That said, the positive takeaway is that such protection is possible. Leading up to the 2014 Winter Olympics in Sochi, Russian specialists managed to eliminate over 1,500 incidents of illegal ticket distribution on 80 websites. Furthermore, over 335 cases of illegal brand usage were resolved, including those on Facebook, VK.com, Avito and eBay.

We should also note that Russia has a special federal law prohibiting the use of FIFA symbols and the selling of tickets by organizations without a contract with FIFA or its authorized organizations.

About Group-IB

Group-IB, with its headquarters in Singapore, is one of the leading providers of solutions dedicated to detecting and preventing cyberattacks, identifying online fraud, investigating high-tech crimes, and protecting intellectual property. The company’s Threat Intelligence and Research Centers are located in the Middle East (Dubai), the Asia-Pacific (Singapore), and Europe (Amsterdam).

Group-IB’s Unified Risk Platform is an ecosystem of solutions that understands each organization’s threat profile and tailors defenses against them in real-time from a single interface. The Unified Risk Platform provides complete coverage of the cyber response chain. Group-IB’s products and services consolidated in Group-IB’s Unified Risk Platform include Group-IB’s Threat Intelligence, Managed XDR, Digital Risk Protection, Fraud Protection, Attack Surface Management, Business Email Protection, Audit & Consulting, Education & Training, Digital Forensics & Incident Response, Managed Detection & Response, and Cyber Investigations.

Group-IB’s technological leadership and R&D capabilities are built on the company’s 19 years of hands-on experience in cybercrime investigations worldwide and more than 70,000 hours of cybersecurity incident response accumulated in our leading DFIR Laboratory, High-Tech Crime Investigations Department, and round-the-clock CERT-GIB.

Group-IB is an active partner in global investigations led by international law enforcement organizations such as Europol and INTERPOL. Group-IB is also a member of the Europol European Cybercrime Centre’s (EC3) Advisory Group on Internet Security, which was created to foster closer cooperation between Europol and its leading non-law enforcement partners.

Group-IB’s experience in threat hunting and cyber intelligence has been fused into an ecosystem of highly sophisticated software and hardware solutions designed to monitor, identify, and prevent cyberattacks. Group-IB’s mission is to protect its clients in cyberspace every day by creating and leveraging innovative solutions and services. To do so, we analyze cyber threats, develop our infrastructure to monitor them, respond to incidents, investigate complex high-tech crimes, and design unique technologies, solutions, and services to counteract adversaries.