What do the FIFA World Cup and the holiday shopping season have in common? We know that the FIFA World Cup is a gift to soccer fans around the globe, but the other thing this every-four-year event has in common with the holiday shopping season is that it seems to have inspired a surge in phishing activity.

In fact, there has been a heightened increase in the volume and sophistication of phishing campaigns in recent weeks. Some of this uptick is typical of a ramp up into the holiday season, but this alone does not appear to adequately account for the increased activity. The politically charged global event that is the FIFA World Cup is providing an even larger target of opportunity for threat actors that is only adding to this surge of phishing.

Phishing toolkits level the playing field

Phishing has always been a favorite of bad actors, used as an Initial Access tactic because it works, almost without fail. While many phishing attacks are launched by relatively amateur cybercriminals, this year we’re seeing a clear increase in the number of phishing campaigns that can be classified as using advanced and complex techniques.

Advancements in phishing panel capabilities over the years — essentially, phishing toolkits available in the wild – has lowered the barrier to entry for less sophisticated threat actors, enabling them to operationalize advanced techniques that were previously beyond their grasp. There was a time when the Multi-factor Authentication (MFA) security solutions used by many companies would have been too difficult for the average cybercriminal to circumvent. Now, the widespread availability of phishing toolkits has made MFA bypass much easier and leveled the playing field a bit, putting more sophisticated phishing methods within easy reach of all threat actors. Recorded Future has reported that there are “More than 1,200 phishing toolkits capable of intercepting 2FA detected in the wild”.

Punycode (what???) a popular technique for sophisticated attacks

What, you ask, is punycode? According to the Kaspersky encyclopedia, “Punycode is a special encoding for converting Unicode characters in different languages to ASCII. It is used to correctly transcode a domain name containing non-Latin characters into addresses that comply with DNS standards.” (Another definition and some good examples can be found here.)

Punycode is considered an advanced phishing technique because it requires some depth of planning and infrastructure maintenance that make a threat actor have to go beyond just registering the domain and deploying a phishing panel, for example. Krebs On Security published an article on this topic on November 16, 2022 providing details around a phishing campaign organized by a threat actor known as “Disneyland Team”. In this reported example, the threat actor targeted the company Ameriprise by using a domain that visually looked almost identical to ameriprise[.]com, but was actually punycode and the domain actually was “xn--meripris-mx0doj[.]com” underneath. Disneyland Team operators used these punycode domains to steal money and credentials from their victims via Gozi / Ursnif malware. They also used web injects and pre-configured overlays of the banking sites to manipulate their victims’ browser display and bypass MFA.

Evidence of sophisticated techniques being put to use

In another phishing campaign written about by PIXM researchers on November 21, 2022, threat actors experienced an unusually high rate of success bypassing MFA in a four-stage attack that targeted major cryptocurrency platforms. The phishing started much in the typical way with a phishing site designed for credential harvesting that victims were directed to. Logging in to the phishing site would turn into a notification of fraudulent activity that would put the victim in a chat with the threat actor, which would lead to further remote access and theft of the victim’s funds while they were in the chat and under the pretext that their fraud issue was being resolved.

On November 16, 2022, Akamai Security released a blog about a highly sophisticated phishing campaign as well. This campaign imitated various retail brands and used holiday-themed lures to obtain financial information from victims. URI fragmentation* was used and is considered a novel and advanced technique that circumvents the effectiveness of URL filtering. This campaign also used URL shorteners to evade other security controls, fake user profiles and testimonials, and content delivery network (CDN) functionality. All of this added a sense of urgency, trust and legitimacy to the campaign.

The phishing pages were also updated according to the victim’s location and what was displayed was throttled based on undesired access, which assisted in preventing discovery by security researchers.

Where does the FIFA World Cup come in?

It’s logical to assume the trend in phishing campaigns targeting holiday shoppers will only continue to climb as the holiday season gets closer. However, on top of this usual trend and increase in relative sophistication, the observed increase in phishing related to global events, such as the ongoing FIFA World Cup, has made this 2022 season even more challenging.

New research from Trellix provides some insight into the FIFA World Cup phenomenon. Many of these phishing emails aim to appear from the FIFA help desk or similar office. Some claim to be about bans implemented by FIFA or other politically charged topics. This increase in activity around such a global event is not out of the ordinary in itself. However, the Qatar government has attempted to make it mandatory for attendees to download certain mobile apps suspected of being data harvesting vectors and not overly secure either.

A search for stories about whether the FIFA World Cup has had an influence on a rise in phishing attacks will return more results than most people can find the time to read. Even as early as November 2021, security researchers were seeing evidence of phishing scams tied to the 2022 FIFA World Cup, and email phishing attacks targeting people in the Middle East doubled in October 2022.

Enjoy the game and the holiday season, but be wary

It’s a shame that unifying global events and the holiday season are marred by increased cyberthreat activity. No person and no organization are immune from phishing scams and the sophisticated techniques being used by threat actors can fool even the most tech-savvy consumer.

Those of you working on the front lines of cybersecurity are challenged this year more than ever as attackers leverage new toolkits, technologies and techniques. If you’re working with a security services provider, make sure they’re savvy to the newer tactics being used by threat actors and can help you identify and mitigate real threats before they can turn into successful phishing expeditions.

Phishing resources to explore:

*According to Wikipedia, “a URI fragment is a string of characters that refers to a resource that is subordinate to another, primary resource. The primary resource is identified by a Uniform Resource Identifier (URI), and the fragment identifier points to the subordinate resource.”