IBM Warns That Spammers Once Again Taking Aim at FIFA World Cup

As the 2018 FIFA World Cup kicks off, so too are spammers' efforts to trick unsuspecting users into clicking on malicious links and malvertising.

Among the most popular sporting events in the world is the 2018 FIFA World Cup, which runs from June 14 to July 15 in Russia. The popularity of the World Cup has long been a magnet for spammers and so far the 2018 event is no exception.

IBM's X-Force has been tracking the FIFA World Cup 2018 and has already seen multiple types of email scams, spam and phishing attacks launched against unsuspecting World Cup fans. Among the scams IBM has seen already are fake notifications for prize winnings linked to FIFA sponsors as well as fake product sales.

"It is very common for spammers to take advantage of large scale sporting events and similar activities, as they know the excitement for fans surrounding these events lead to more eyes on their emails and potential victims," Dirk Harz, Research Content Security at IBM X-Force, told eWEEK.

Attackers taking advantage of the FIFA World Cup is a phenomena that eWEEK has reported on for more than a decade. At the FIFA World Cup in 2006 multiple viruses disguised as information for fans snagged unsuspecting victims. More recently malvertising attacks were a significant issue that impacted the 2014 FIFA World Cup in Brazil. Though attackers are using the World Cup as a lure to entice victims into clicking on malicious links and emails, at this point Harz noted that the volume of World Cup -related spam is still only a small percentage of total spam volume.

"World Cup related spam only has a niche existence with respect to the overall spam volume over the past few months," Harz said. "We've been seeing typically less than 100 World Cup related spam emails per day, compared to nearly 20 million spam emails that hit our traps each day on average. "

While soccer is a global game, IBM's analysis shows that the majority (65 percent) of the spam was sent from IP addresses hosted in the United States, while 23 percent was dispatched from Italy and the remaining 12 percent from other countries. Harz said that a lot of the spam activity occurred at the beginning of April and the end of May, with volume tapering off in June so far. That said, Harz commented that World Cup related spam could increase significantly if a larger botnet like Necurs decides to pick up on World Cup themed spam.  

"It is common for these botnets to take advantage of seasonal trends and events, for example Necurs was sending a lot of dating spam around Valentines day this year," he said.

While unauthorized crypto-currency mining, known as cryptojacking, is among the most popular forms of cyber-attack in 2018, so far Harz said that trend has not been seen in World Cup related spam—yet.

"We checked a representative sample of URLs obtained over the last 30 days for evidence of crypto-mining, but so far we haven't found any indication that crypto-mining is being used in these campaigns," he said.

What to look out for

One of the techniques used by the spammers is to use the  official FIFA domain in the "From" header field, making it seem as though the email is legitimate. There is a security standard known as Domain Message Authentication Reporting and Conformance (DMARC) that organizations can use to prove email authenticity. Unfortunately, according to Harz, FIFA has not published a DMARC record for so far. However, FIFA has some elements of email security in place, Harz said.

"FIFA has set up special Sender Policy Framework (SPF) record, which is a building block of DMARC," Harz said. "For these campaigns, the SPF check shows that the senders IP does not match the IP from which FIFA send their emails, creating a soft fail. Typically, emails that return a soft fail are accepted, but tagged as potential spam."

Harz added that at this point from a technical point of view, the World Cup 2018 spam that IBM has tracked is not not very sophisticated.

"The overwhelming majority of FIFA related spam are phishing scams, which try to gain users personal information through winning notifications," Harz said. "By ignoring such emails and never opening attachments or links from unknown sources, these emails present no risk to the user."

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.