Beware of WhatsApp Messages Offering Free Data

In Qatar, the 22nd FIFA World Cup began on November 20, 2022. This event sparked a new wave of cyberattacks. Threat actors targeted unsuspecting individuals with malicious activities that included the FIFA World Cup as a theme.

The popularity of the FIFA World Cup is being abused by a number of scams, according to Cyble Research & Intelligence Labs (CRIL), including crypto phishing attempts using fake FIFA airdrops, fake ticket sales, fraudulent giveaways, malicious Android apps, an increase in FIFA betting sites, and a lot more.

Scam Circulating On Whatsapp

CRIL researchers found scammers spreading messages on WhatsApp stating that FIFA is providing free 50GB bandwidth for everyone to view the 2022 FIFA World Cup in Qatar.

Particularly, the message contains a link that directs users to a scam website called “hxxp:/www.fifa-uj[.]top/,” which requests the user’s mobile phone and checks their eligibility for the free data.

https://i0.wp.com/blog.cyble.com/wp-content/uploads/2022/12/Figure-4-%E2%80%93-WhatsApp-message-claiming-FIFA-giving-50BG-data.png?resize=364%2C519&ssl=1
WhatsApp message claiming FIFA giving 50BG data
https://i0.wp.com/blog.cyble.com/wp-content/uploads/2022/12/Figure-5-%E2%80%93-FIFA-scam-site-offering-free-50GB-data.png?resize=752%2C516&ssl=1
FIFA scam site offering free 50GB data

The scam website requests users to forward the message to their WhatsApp connections after authenticating the phone number in order to take advantage of a 50GB data offer.

Also, the scam website displays the mobile verification page and offers other gifts, such as iPhones, and iPads, after forwarding the message.

Crypto Phishing Schemes

Researchers identified a few crypto phishing attempts using the FIFA World Cup theme while keeping a close watch on phishing activity.

“The phishing site “football-blnance[.]com” was pretending to be the Binance cryptocurrency website attempting to trick users into giving sensitive information by offering free Non-Fungible Tokens (NFTs)”, CRIL

Consequently, the phishing site displays the QR code when a user clicks “Connect wallet” to claim the NFTs, and the user’s wallet account will be compromised upon scanning it.

Another phishing website called “claim-fifa[.]live,” which is providing FIFA archive NFT packs, according to CRIL. Here, when the user clicks on the “CLAIM NFT PACKS” button, a QR code for connecting to the cryptocurrency wallet will show up.

Redline Stealer Malware Disguised As FIFA Game

According to the reports, The download link “hxxps://www[.]playskeep.com/fifa-23” hosted the Redline stealer impersonating as FIFA 13 cracked game. 

When a user clicks on the “FREE DOWNLOAD” button, the malicious website starts downloading the “FIFA 23 [Cracked].rar” file.

Android RAT Distributed Via Malicious Website Using FIFA World Cup Lure

The threat actors responsible for this malware set up a Facebook page called “Kora 442,” which people could visit and download a harmful application from.

The TA has linked the distribution link in the post on their Facebook page, stating “Follow the World Cup matches live on Kora 442 application”. Researchers say the distribution site is still active and infecting users with Android RAT.

Check the Legitimacy of Websites

“Threat Actors often take advantage of such global events or festive seasons to launch mass infection campaigns, and users may fall for these scams due to excitement and a lack of attention”,  According to CRIL

Therefore, before downloading files or providing any sensitive information, it’s essential to confirm the legitimacy of websites.

Secure Web Gateway – Web Filter Rules, Activity Tracking & Malware Protection – Download Free E-Book

Source: gbhackers.com