You have NOT won! A look at fake FIFA World Cup-themed lotteries and giveaways

With the 2018 FIFA World Cup in Russia just days away, fraudsters are increasingly using all things soccer as bait to reel in unsuspecting fans so that they get more than they bargained for.

ESET’s researchers have detected a number of spam emails that are intended to take advantage of the increasing attention that the coming global event is attracting. Bouncing around the internet via social media, email and other messaging apps, the deceptive missives rely on well-known social-engineering techniques in a bid to swindle victims out of their money.

As a follow-up to our coverage last week of some scams that prey on internet users around a global event like the FIFA World Cup, let us now look at some of the examples of fake lottery and giveaway campaigns that are doing the rounds recently.

Figure 1: One example of a recent lottery scam

This is a very simplistic version of a classic ploy that fraudsters have long deployed around large events: you are informed that you’ve supposedly won a lottery and that, to claim your winnings, you need to get in touch with the lottery’s organizer. In this case, the details, however sparse, arrive in the body of a rather sloppily written email message that nevertheless trades on any goodwill the reader may hold for FIFA and Google.

In similar scenarios, the crooks will urge you to open an attached file, most commonly a PDF or Word document, in which you’ll learn about your “winnings” and how to contact the organizers in order to claim your “prize”.

Figures 2 and 3: An email and its attachment

As is their wont, these emails and documents may be worded to evoke a sense of urgency, asking you to act within a limited number of days so as not to lose your “prize”. To boost their aura of legitimacy, the emails are full of references to official and/or bogus but “official sounding” organizations. The messages may even contain official-seeming seals, although in some cases the scammers settle on extremely simple visuals.

Figure 4: Another fake lottery win announcement

Regardless of whether their wording and appearance are simplistic or elaborate, the campaigns have the same objective. After the victims have dutifully responded and provided their personal information, the plot is likely to thicken. Following the usual script of advance-fee fraud, the recipients are persuaded that they need to pay a fee in order to release their prize. The scammers may then try to convince their victims to pony up more and more money – until the victims realize their mistake and give up.

In addition, by replying to the initial message, victims confirm to the fraudsters that the email address is being used by an actual person – and for that the victims needn’t even provide any details beyond their email address. That way, they set themselves up to be bombarded with yet more spam and possibly other threats, be it from the same gang or from other scammers who may buy lists of active email addresses from their peers.
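The lures described above share a handful of observable traits: prize or lottery wording, an artificial deadline, a fee demanded before the “winnings” are released, name-dropping of brands such as FIFA or Google, a Reply-To that routes answers to a different domain than the apparent sender, and prize details delivered as a PDF or Word attachment. The following scorer is an added example written for this post; it is not ESET’s detection logic, the sample messages are constructed for illustration, and the indicator weights and the threshold of 5 are arbitrary choices rather than calibrated figures.

```python
"""Heuristic scorer for lottery / advance-fee scam emails.

Added illustration, not ESET's detection logic: it scores a raw RFC 5322
message on the indicators the article describes. All sample messages below
are constructed; the weights are arbitrary, not calibrated.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicator name -> (pattern applied to subject + body, weight).
TEXT_INDICATORS = {
    "prize_claim": (re.compile(r"\b(won|winner|winnings|prize|lottery|promotion)\b", re.I), 1),
    "deadline": (re.compile(r"\b(within|before|expires?)\b[^.\n]*\b\d+\s*(hour|day|week)s?\b", re.I), 2),
    "advance_fee": (re.compile(r"\b(processing|handling|release|transfer|clearance)\s+(fee|charge)s?\b", re.I), 3),
    "brand_namedrop": (re.compile(r"\b(FIFA|Google|VISA)\b"), 1),
}
DOCUMENT_EXTENSIONS = (".pdf", ".doc", ".docx")
REPLY_TO_MISMATCH_WEIGHT = 2
ATTACHMENT_WEIGHT = 2

# Constructed sample modelled on the lottery lure (Figure 1), not a real message.
SCAM_EML = """From: "FIFA World Cup Lottery" <claims@example.net>
Reply-To: agent.payout@example.org
To: fan@example.com
Subject: CONGRATULATIONS!!! You have won the FIFA 2018 Google Promo
Content-Type: text/plain; charset="utf-8"

Dear Winner,

Your email address has been selected in the FIFA World Cup 2018 / Google promotion.
You must contact the claims agent within 7 days and pay the processing fee for release of funds.
"""

# Constructed benign message for comparison.
BENIGN_EML = """From: "Match Reminders" <noreply@example.com>
To: fan@example.com
Subject: Your group-stage schedule
Content-Type: text/plain; charset="utf-8"

Hi,

Here is the schedule for the matches you asked about. Kick-off times are local.
"""


def build_attachment_sample():
    """Constructed multipart variant: the lure arrives as a PDF (Figures 2 and 3)."""
    msg = EmailMessage()
    msg["From"] = "FIFA Lottery Board <board@example.net>"
    msg["To"] = "fan@example.com"
    msg["Subject"] = "FIFA Lottery Notification"
    msg.set_content("Please see the attached document to claim your prize.")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                       subtype="pdf", filename="winning_notification.pdf")
    return msg.as_string()


def _domain(header_value):
    """Lower-cased domain of the first address in a header value, or ''."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def score_message(raw):
    """Return (score, [indicator names]) for a raw message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits, score = [], 0

    body_part = msg.get_body(preferencelist=("plain", "html"))
    text = str(msg.get("Subject", "")) + "\n" + (body_part.get_content() if body_part else "")
    for name, (pattern, weight) in TEXT_INDICATORS.items():
        if pattern.search(text):
            hits.append(name)
            score += weight

    # Replies routed to a domain other than the sender's: the "claims agent"
    # mailbox is not where the message claims to come from.
    reply_domain = _domain(msg.get("Reply-To"))
    if reply_domain and reply_domain != _domain(msg.get("From")):
        hits.append("reply_to_mismatch")
        score += REPLY_TO_MISMATCH_WEIGHT

    # Prize details delivered as a document attachment.
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower().endswith(DOCUMENT_EXTENSIONS):
            hits.append("document_attachment")
            score += ATTACHMENT_WEIGHT
            break
    return score, hits


def is_suspect(raw, threshold=5):
    """True when the combined indicator weight reaches the (arbitrary) threshold."""
    return score_message(raw)[0] >= threshold


if __name__ == "__main__":
    for label, sample in (("scam", SCAM_EML), ("benign", BENIGN_EML),
                          ("attachment", build_attachment_sample())):
        print(label, score_message(sample), is_suspect(sample))
```

Keyword scoring of this kind is a triage aid, not a verdict: the lure in Figure 1 scores high because several independent traits coincide, while a legitimate newsletter that merely mentions FIFA picks up a single low-weight hit. The Reply-To and attachment checks come from the message structure rather than its wording, which makes them harder for a scammer to dodge by rephrasing the text.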

Another tried-and-tested trick is to promise free trips to the World Cup, with the con artists posing as one of FIFA’s partners. Figure 5 illustrates this with a campaign that targets Brazilian fans and presents itself as an offer from VISA.

Figure 5: Scam targeting Brazilian fans

Here the scammers are trying to bamboozle the target into entering a contest for an all-expenses-paid trip for two to Russia. All that the recipient needs to do in order to be eligible for the competition is to register and make a small purchase. Past experience has shown that the presence of spoofed official branding is enough to help deceive many people into handing over their personal information. Brazilian users of messaging platform WhatsApp have been the target of another, similar campaign that we covered earlier this week.

As ESET Security Researcher Miguel Ángel Mendoza notes, “the traps also include sales of fake match tickets, false news, or links to malicious sites that can be a gateway for malware or other threats. Phishing scams are also common.”

Indeed, beyond luring you into providing your personal information on a phishing website, an attacker may also send you a message that links to a site that generates revenue through bogus advertisements or that serves up malware via a drive-by download. With the latter technique, users’ machines may be compromised simply by visiting such a site: malicious code embedded in the site exploits a software flaw, usually in the browser or a plugin, and installs malware on vulnerable machines. This enables the criminals to steal users’ personal information or to enlist these machines in a botnet, among other unfortunate consequences.

ESET researchers have also seen questionable domain name registrations. While these domains are either not currently in use or are parked on low-cost hosting services, many seem likely to be lying in wait for future questionable use.

The importance of staying on top of social engineering tactics used by scammers cannot be overstated, says head of ESET Awareness & Research for Latin America Camilo Gutiérrez. “The more educated we are as users, the harder it will be for the attackers to spread their deceptions and make them effective,” he said.

To be sure, the above is just a sample of the ways in which fraudsters are trying to get soccer fans to part with their personal information, money, or both. The high season for World Cup-themed fraud is just getting going as we get closer to the actual event. You need to stay on top of your game, so that you can enjoy the coming soccer spectacle without getting caught in an “offside-trap”.

written by Tomas Foltyn, ESET We Live Security
