Two phishing campaigns have been targeting fans of the FIFA World Cup and customers of Adidas, one of the tournament's longtime partners. One campaign lures victims with what purports to be a downloadable World Cup fixture schedule and results tracker, while the second promises a “free” $50-per-month subscription for Adidas shoes.
Today Check Point announced that it has discovered a new phishing campaign, timed to the start of the World Cup, that targets soccer fans. The attachment carries DownloaderGuide, a known malware family that is typically used to install potentially unwanted programs (PUPs) such as toolbars, adware and system optimizers. Researchers found nine different executable files delivered in emails with the subject line “World_Cup_2018_Schedule_and_Scoresheet_V1.86_CB-DL-Manager.”
Check Point said the campaign was first identified on 30 May, peaked on 5 June and has re-emerged since the start of the games. “Events that attract huge amounts of popular interest are seen by cyber-criminals as a golden opportunity to launch new campaigns,” Maya Horowitz, Check Point’s threat intelligence group manager, said in today’s press release.
“With so much anticipation and hype around the World Cup, cyber-criminals are banking on employees being less vigilant in opening unsolicited emails and attachments. As such, it is critical that organizations take steps to remind their employees of security best practices to help prevent these attacks being successful,” Horowitz said.
The second phishing campaign, which targets Adidas customers, uses a different tactic: a homoglyph link in which a vertical line stands in for the “i” in Adidas. “The use of punycode-based homoglyph email and web domains is an increasingly used technique to spoof users in email phishing attacks,” said Matthew Gardiner, cybersecurity expert, Mimecast.
“Given the thousands of possible iterations of a domain that are now possible with these internationalized domain names and the thousands of available top-level domains that are also available, such as .co, .cf, .ml and many others, there is no possibility of preregistering these domains to keep them out of the hands of the bad actors. The only reasonable approach is to have automated email security controls to detect these types of impersonation attacks to protect your organization. Expecting your users to figure it out is increasingly unrealistic,” Gardiner said.
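The automated check Gardiner describes, as an added example in Python (not Check Point's, Mimecast's or Adidas's code): it decodes punycode A-labels (xn--...) back to Unicode, flags labels that are non-ASCII or mix writing systems, and maps confusable characters to their ASCII look-alikes so that a label rendering like a protected brand, or one edit away from it, is caught even when the exact glyph used by the attacker is unknown. The confusables table is a hand-picked subset (the authoritative list is Unicode UTS #39's confusables.txt), and the brand list and sample domains are constructed for illustration, not observed indicators. It also generalizes slightly beyond the article's homoglyph case, since the edit-distance check catches plain ASCII typosquats.

```python
"""Flag IDN homoglyph look-alike domains against a list of protected brands.

Added example, not code from the article or the vendors it quotes. The
confusables subset, brand list and sample domains are constructed assumptions.
"""
import unicodedata

# Constructed subset of Unicode confusables (UTS #39 lists thousands); assumption.
CONFUSABLES = {
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I
    "\u01c0": "l",  # LATIN LETTER DENTAL CLICK, a bare vertical line
    "\u2223": "l",  # DIVIDES, another vertical line
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
}

PROTECTED_BRANDS = ["adidas", "fifa"]  # constructed list (assumption)


def decode_label(label: str) -> str:
    """Turn an A-label (xn--...) back into its Unicode U-label; plain labels pass through."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def encode_label(label: str) -> str:
    """Inverse of decode_label; used here only to build the constructed samples."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def scripts(label: str) -> set:
    """Writing systems present, taken from the first word of each letter's Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def skeleton(label: str) -> str:
    """Map confusable characters to their ASCII look-alike and strip diacritics."""
    mapped = "".join(CONFUSABLES.get(ch, ch) for ch in label.lower())
    decomposed = unicodedata.normalize("NFKD", mapped)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; small inputs, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(domain: str, brands=PROTECTED_BRANDS) -> dict:
    """Return the decoded domain plus every reason it looks like a brand impersonation."""
    labels = [decode_label(part) for part in domain.lower().split(".")]
    reasons = []
    for label in labels[:-1]:  # the TLD itself is not checked
        if not label.isascii():
            reasons.append(f"non-ASCII label {label!r}")
        found = scripts(label)
        if len(found) > 1:
            reasons.append(f"mixed scripts in {label!r}: {sorted(found)}")
        sk = skeleton(label)
        for brand in brands:
            if label == brand:
                continue  # the genuine ASCII brand label is not an impersonation
            dist = levenshtein(sk, brand)
            if dist == 0:
                reasons.append(f"{label!r} renders like protected brand {brand!r}")
            elif dist == 1:
                reasons.append(f"{label!r} is one edit from protected brand {brand!r}")
    return {
        "domain": ".".join(labels),
        "reasons": reasons,
        "verdict": "suspicious" if reasons else "ok",
    }


SAMPLE_DOMAINS = [  # constructed for this example, not observed indicators
    "adidas.com",
    encode_label("ad\u0131das") + ".com",  # dotless i
    encode_label("ad\u01c0das") + ".co",   # vertical line (dental click) in place of i
    encode_label("\u0430didas") + ".ml",   # Cyrillic a mixed into a Latin label
    "football-fixtures.example",
]


def scan(domains=SAMPLE_DOMAINS) -> dict:
    """Assess each sample and key the results by the domain as it appeared on the wire."""
    return {d: assess(d) for d in domains}


if __name__ == "__main__":
    for wire, result in scan().items():
        print(f"{wire:28} -> {result['domain']:14} {result['verdict']}  {result['reasons']}")
```

The skeleton-plus-edit-distance step is what makes the check robust: it does not matter whether the attacker chose a dotless i, a Cyrillic і or a vertical line, because each collapses to the same, or an adjacent, ASCII string. A mail gateway would run `assess` over every domain in `From`, `Reply-To` and the message's links, and route any `suspicious` result to quarantine rather than to the user.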