Spam and phishing mail

The Brazilian Phishing World Cup

Table of Contents

The 2014 FIFA World Cup has already kicked off, at least for Brazilian bad guys. Next year’s big event in Brazil has become one of the most prominent tactics used by Latin American cybercriminals as they unleash a real avalanche of phishing messages, fraudulent prizes and giveaways, malicious domains, fake tickets, credit card cloning, banking Trojans and a lot of social engineering.

Indeed Brazil figured among the top five countries where users risk being caught ‘offside’ by phishing attacks, according to a recent study conducted by RSA and released in January. The country is in fourth place, along with the UK, USA, Canada and South Africa. So it’s no big surprise to find four Brazilian brands in the Top 10 most targeted on PhishTank stats.

Offers range from alleged cash prizes, trips and tickets to watch the games, while the attacks involve massive phishing mailings, and, to add spurious credibility, stars of the national soccer team have been ‘signed up’ by the conmen. Here’s one example featuring Neymar, the latest Brazilian hero to be dubbed the new Pelé:

“Win a new car, cash prizes and tickets for the World Cup, just click and subscribe now”

Other messages use the image of famous TV host and actor Rodrigo Faro:

The official mascot of the event also makes the first team. Here a malicious message with Fuleco:

“You are a finalist to win our prize and watch Brazil’s games”

To deceive their victims, all the websites and domains used in these attacks have very professional designs. Here’s another example using Neymar’s image:

And this one, which is supposed to be a “World Cup Portal”:

These malicious websites all share a common goal – stealing credit card data. They ask for the full card number (including CVV), personal data and the CPF (the Brazilian social number). Several domains were registered recently, all of them using the words “Copa”, “Mundial” (World Cup) and “Promoção” (Giveaway). Some examples:

But phishing isn’t the only game plan in use: several Trojan bankers distributed by the same bad guys are using football-inspired names to sell victims a fake and get them to open the files:

Did you open a file called “FIFA-tickets.exe”?

Even if you can’t wait for the World Cup itself, there’s a warm-up event to exploit. The Confederations Cup, which will be held next June and whose tickets are now on sale, is also spearheading cyberattacks. Neymar pops up again here, purportedly offering you a free ticket:

To marshal your defense against all these malicious websites, our anti-phishing module is trained to block any opponent – even if it comes with a picture of Neymar. And we urge all users to be ready to show these messages the red card.

For the Brazilian phishers, the World Cup has already started. But while most punters will be backing their favorite team at the bookies and hoping to make money that way, the bad guys couldn’t care less who wins the cup. They hope their ugly scams around the beautiful game will net them plenty of cash, regardless of the final score.

Update: The real tickets for World Cup matches go on sale in the 2nd half of 2013. More information here.

The Brazilian Phishing World Cup

Your email address will not be published. Required fields are marked *



GhostEmperor: From ProxyLogon to kernel mode

While investigating a recent rise of attacks against Exchange servers, we noticed a recurring cluster of activity that appeared in several distinct compromised networks. With a long-standing operation, high profile victims, advanced toolset and no affinity to a known threat actor, we decided to dub the cluster GhostEmperor.

APT trends report Q2 2021

This is our latest summary of advanced persistent threat (APT) activity, focusing on significant events that we observed during Q2 2021: attacks against Microsoft Exchange servers, APT29 and APT31 activities, targeting campaigns, etc.

LuminousMoth APT: Sweeping attacks for the chosen few

We recently came across unusual APT activity that was detected in high volumes, albeit most likely aimed at a few targets of interest. Further analysis revealed that the actor, which we dubbed LuminousMoth, shows an affinity to the HoneyMyte group, otherwise known as Mustang Panda.

Subscribe to our weekly e-mails

The hottest research right in your inbox