Game on: Detecting Cyber Threats at the FIFA World Cup


As with other major sporting events, the 2018 FIFA World Cup has attracted not only spectators worldwide but also a legion of cyber threats targeting fans of the tournament. This is not surprising: other recent events, such as the PyeongChang 2018 Winter Olympics, have had verified malicious campaigns targeting organizers and participants.

In fact, our research team at CyberInt has discovered a multitude of threats surrounding the 2018 FIFA World Cup event. Highlights of our findings include:

  • During June 2018, 797 registered domains using FIFA-related terminology hosted problematic websites, including: 175 parked domains, 76 unofficial streaming video sites, 32 unofficial merchandise sites, 12 suspended hosting accounts, 11 gambling sites, and 9 other suspicious sites.
  • An average of 55 domains are being registered per day during July.
  • Most, if not all, of the video streaming sites redirect to suspect ‘download’ sites.
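
One way to triage a feed of newly registered domains for the kind of FIFA-themed names counted above, as an added example that is not CyberInt's own tooling. The term list, the allowlist and the sample feed are assumptions constructed for illustration; a hit is a lead for review, not a verdict.

```python
import re

# Assumed watchlist; the article only says "FIFA-related terminology".
EVENT_TERMS = ("fifa", "worldcup", "russia2018")
# Assumed allowlist of official domains that should never be flagged.
ALLOWLIST = {"fifa.com"}
# Digit-for-letter substitutions commonly seen in lookalike names.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"})


def match_event_term(domain):
    """Return the first watchlist term found in the domain, or None."""
    name = domain.strip().lower().rstrip(".")
    # Allowlist is anchored to the end of the name, so 'fifa.com.x.example'
    # is still inspected while 'www.fifa.com' is skipped.
    if name in ALLOWLIST or any(name.endswith("." + a) for a in ALLOWLIST):
        return None
    # Drop the TLD, then remove separators so 'world-cup' matches 'worldcup'.
    host = name.rsplit(".", 1)[0]
    squashed = re.sub(r"[^a-z0-9]", "", host)
    # Check the raw form first (terms may contain digits), then the de-leeted form.
    for candidate in (squashed, squashed.translate(LEET)):
        for term in EVENT_TERMS:
            if term in candidate:
                return term
    return None


def triage(feed):
    """Return (domain, matched_term) for every feed entry that hits the watchlist."""
    hits = []
    for domain in feed:
        term = match_event_term(domain)
        if term:
            hits.append((domain, term))
    return hits


# Constructed sample feed (reserved .example TLD, not real registrations).
SAMPLE_FEED = [
    "fifa-worldcup-stream.example",
    "w0rld-cup2018-live.example",
    "F1FA-tickets.example",
    "russia2018merch.example",
    "fifa.com.tickets.example",
    "www.fifa.com",
    "bakery.example",
]

if __name__ == "__main__":
    for domain, term in triage(SAMPLE_FEED):
        print(f"{domain}\tmatched={term}")
```
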


A Breakdown of Popular Malicious Activities:

Parked Domains

Search engine optimization (SEO) techniques are often used to increase traffic and allow the registrant to monetize site visits. These domains could be compromised or used later for other malicious purposes. On the bright side, these sites are classified as low reputation sites that many web security solutions will block.

Unofficial Streaming Sites

These World Cup themed sites claim to stream matches for free. However, when a visitor clicks ‘Start watching for FREE!’, the site appears to buffer but then redirects to a payment portal. The payment portal has a low reputation and is possibly fraudulent click-bait. One example of these is with an estimated 20k+ unique visitors per day. It appears as a U.S. based company, but contact information is in Slovakia. There are reports of users being charged $56 by EONSMEDIA.

Unofficial Merchandise Sites

With the intention of looking official, these unofficial sites are potentially selling counterfeit merchandise or non-existent goods. Sites are promoted using spam comments with links on legitimate websites and forums.

Suspended Domains

Hosting providers have suspended some domains for reasons that could include content found to be malicious or inaccurate Whois data, such as a fake email address.

Gambling Sites

Numerous gambling sites related to the World Cup have been found to be illegal. In these cases, there is no legal protection for wagers placed on these sites. Many also advertise support for cryptocurrency transactions. Dark Web Marketplace advertisements have been found on DreamMarket and Olympus Market for bets on the World Cup final using cryptocurrencies for payment.

Other Suspicious Sites

Other World Cup themed sites actually redirect to porn sites and sites offering ‘fake’ software downloads. Similar to the parked domains, these sites are likely using SEO techniques for increased traffic and could be compromised for other malicious purposes. Some sites are offering ‘free’ mobile data packages. When a visitor submits their personal information, they must share the website with at least 15 WhatsApp contacts to redeem the offer. These sites are likely harvesting personal information for resale or other campaigns such as spam or phishing scams.

Looking Ahead

Although the FIFA World Cup is the major sporting event of the moment, cyber security experts are already looking towards future major sporting events. 

The Tokyo Olympics promises to showcase cutting-edge technologies to the world. With plans for a robot village, instant language translation apps and devices, and autonomous taxis, cybercriminals will have a plethora of new avenues for their malicious activities. Although phishing sites that sell fake entry tickets, ransomware, and threat actors trying to steal intellectual property are expected, caution and preparation for attacks that cause damage to critical infrastructure should be appropriately prioritized.

