World Cup Brazil 2014: How cybercriminals are looking to score
by Fabio Assolini - Malware Analyst, Global Research and Analysis Team, Latin America, Kaspersky Lab - Tuesday, 10 June 2014.
Starting this week, 32 national teams and thousands of football fans will descend on Brazil for the 2014 FIFA World Cup. Right now the teams are fine-tuning their strategies in order to outwit their opponents - and so are the cybercriminals.

Cybercriminals are already using various attack techniques to exploit the World Cup theme, including fraudulent domains selling fake tickets, fake giveaways, and several phishing and malware campaigns. They are also using methods like credit card cloning and ATM scams to attack those attending the games in Brazil. These cyber attacks have only intensified as the tournament approaches and they all have the same end-goal: to steal your money.

One part of this story is the attacks that happen online. These include professional phishing attacks that use digitally-signed malware, malicious email scams, SSL-certified phishing domains and a lot of social engineering. Phishers are notorious for compromising a legitimate site and using it to host their malicious page, e.g., Professional phisher can even prepare an attack in such a way that the average user would find it very difficult to tell if a page is legit or not.

And that’s exactly what Brazilian phishers are now doing – registering domains with names of well-known local brands, usually credit card companies, banks, online stores, etc. These phishing domains had a very professional look and feel and in Brazil alone, Kaspersky Lab is detecting and blocking on average about 50-60 domains like this per day. But aren’t the only ones exploiting the theme of the World Cup – these attacks are appearing elsewhere in different languages and with different targets.

The phishers have not stopped there: they have also registered domains and started buying SSL certificates from Certification Authorities such as Comodo, EssentialSSL, Starfield and This results in phishing domains with a ‘verified’ SSL certificate, which are often challenging for an ordinary user to recognize. To make matters worse, phisher also create fraudulent pages in mobile formats, so they can steal data from users who clicks the link on their smartphone.

Digitally-signed, but malicious

Leading up to the World Cup, Brazilian cybercriminals are buy SSL certificates and creating campaigns that distribute digitally-signed malware. These files often appear in messages that say a person has won a ticket to a World Cup match. Then to “claim” the ticket, the person is asked to download the ticket to pring. However, the link points to a digitally-signed Brazilian Trojan banker like Trojan-Banker.Win32.Banker.bplh.

Breached database, personalized attack

Cybercriminals are also sending personalized emails supposedly sent by a well-known online ticket sales system also informing people that they’ve won a ticket to a World Cup match. These emails include personal data such as names, dates of birth and addresses. The information was allegedly taken from a breached customer database of unknown origin. These messages also point to a website that asks users to download a file, which turns out to be yet another Trojan banker.

The other part of the story involves attacks that happen to those attending a World Cup match. These happen most commonly on corrupt ATMs and Point of Sales (PoS) devices in Brazil. This country has some of the most creative criminals specializing in credit card cloning, using skimmer devices, fake signage and, of course, a lot of malware.


Harnessing artificial intelligence to build an army of virtual analysts

PatternEx, a startup that gathered a team of AI researcher from MIT CSAIL as well as security and distributed systems experts, is poised to shake up things in the user and entity behavior analytics market.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Thu, Feb 4th