Contributor: Sean Butler
As it’s the start of a Football World Cup year it’s only natural that we will see many campaigns in relation to this global event. There will be many marketing and promotional campaigns taking advantage of the hype and excitement surrounding this event. Amongst all of the legitimate marketing and promotion emails, you may also receive emails promising anything from free match tickets, to competitions and lottery prizes stating that you have won a car.
Sound too good to be true? Well, you would be right in thinking that!
Fraudsters will be looking to exploit the enthusiasm that comes with the FIFA World Cup, which will be taking place in Brazil this June. The ramifications of you being scammed could be very serious indeed. Not only could you become a victim of fraud by having your bank account emptied by these fraudsters, you could also end up with malware on your computer. This malware could do anything from stealing your personal details by downloading a Trojan, to compromising your computer and making it part of a botnet.
Symantec has already spotted several FIFA World Cup related scam emails. The first scam sample Symantec discovered, relating to the FIFA World Cup, is an email that contains a link to malware.
The email has the following headers:
From: Parabens Voce foi o ganhador de um Par de ingressos atendimento.promo5885631@Domain.com
Subject: Copa do Mundo FIFA 2014
This email header can be translated as:
From: Congratulations you were the winner of a pair of tickets atendimento.promo5885631@Domain.com
Subject: FIFA World Cup 2014
Figure 1. Malware attack email related to FIFA World Cup
This email can be translated as:
You are the winner of a pair of tickets to the FIFA World cup 2014 Brazil!
Print your e-Ticket copy and collect the ticket from the ticket center in your city
Check out the address of the ticket center in your city here
The recipient is enticed to click on the link and print the match tickets. However, the link leads to a malicious URL that downloads the file eTicket.rar, which contains an executable file named eTicket.exe.
Figure 2. Clicking on the link leads to malicious download
Next, a file named thanks.exe (Infostealer.Bancos) is dropped in the following location so that it runs every time Windows starts:
The Trojan will continue to run in the background and try to evade security measures, steal confidential financial information, log the stolen data, and send it to a remote attacker at a later time. We have also discovered that the malware is customized to target Brazilian financial institutions.
Symantec customers would have been protected against this attack because our ‘Link following’ technology, which checks all Web pages referenced within an email for viruses and other threats, correctly identified the malware at the end of the URL. Detection was then created so that future emails containing different links to this malware will be treated as though they are infected and then quarantined.
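The two visible traits of this first sample, a From display name that is a prize announcement rather than a sender name and a link that downloads an archive, can be checked at a mail gateway. The following triage sketch is an added example, not Symantec's technology; the sample message is constructed from the headers quoted above, and the angle brackets around the address, the body text, the `example.invalid` URL, the keyword list and the extension list are all assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: headers as quoted in the post; body and URL are placeholders.
SAMPLE = """\
From: Parabens Voce foi o ganhador de um Par de ingressos <atendimento.promo5885631@Domain.com>
Subject: Copa do Mundo FIFA 2014
Content-Type: text/plain; charset=utf-8

Confira o endereco da central de ingressos em sua cidade:
http://tickets.example.invalid/download/eTicket.rar
"""

# Assumed tuning values, not taken from the post.
LURE_WORDS = {"parabens", "ganhador", "ingressos", "congratulations", "winner", "tickets"}
RISKY_EXT = (".rar", ".zip", ".7z", ".exe", ".scr", ".js")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def body_text(msg):
    """Concatenate the decoded text of every non-container MIME part."""
    chunks = []
    for part in msg.walk():
        payload = part.get_payload(decode=True)  # None for multipart containers
        if payload is not None and part.get_content_maintype() == "text":
            chunks.append(payload.decode("utf-8", errors="replace"))
    return "\n".join(chunks)


def triage(raw):
    """Return a list of findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    words = re.findall(r"[a-z]+", display.lower())
    # A display name that reads as a sentence or carries prize wording is a lure.
    if len(words) >= 5 or LURE_WORDS & set(words):
        findings.append(f"lure-display-name: {display!r} <{addr}>")
    for url in URL_RE.findall(body_text(msg)):
        # Flag links whose path ends in an archive or executable extension.
        if urlparse(url).path.lower().endswith(RISKY_EXT):
            findings.append(f"download-link: {url}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A URL-based check only sees the archive name; finding eTicket.exe inside eTicket.rar requires fetching and unpacking the file in a sandboxed scanner.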
Another scam involves a fraudulent CIELO Brazil promotion. CIELO is a Brazilian credit and debit card operator.
Figure 3. Phishing email related to FIFA World Cup 2014
This email can be translated as:
Congratulations, you have been chosen to take part in the Cielo Cup 2014.
To promote World Cup 2014, you must register to compete for prizes worth 20 thousand Reais,
Tickets, accommodation in exclusive places during the 2014 world cup and you could also win a Fiat Doblo 0 Km. (Sic)
Don’t waste time! PURCHASE Register right now at no extra cost and avail the benefits of our promotion.
Join this Mega Promotion and compete for these Super Prizes.
Click here to unlock your promo code
If the recipient clicks the “Click Here” button, they are redirected to the following URL:
The webpage asks for a username, date of birth, and a Brazilian tax registration number (CPF).
Figure 4. Spoofed Web page asking for personal credentials
On providing the required information, the user is sent to the page shown in Figure 5, which asks for the user’s banking credentials.
Figure 5. Spoofed Web page asking for banking credentials
On further analysis, we found that the domain conteudo.casavilaverde.com used in the phishing scam had been hacked.
Figure 6. Hacked domain used in phishing scam
Finally, the third example is a Nigerian scam.
Figure 7. Nigerian FIFA World Cup scam email
The email contains an attachment that claims to be about a lotto sponsored by major brands. The scam ultimately asks the recipient for personal information. The email also contains a notice to try and look legitimate, but this looks amateurish in comparison to the other examples referenced in this blog. There are no images or URLs contained within the email and the fact that it only contains an attached Word document would make anyone suspicious.
Symantec’s advanced monitoring systems were able to identify the above scam emails and protect our customers from receiving them.
While the first two example emails are composed in Portuguese and aimed at people in Brazil, they can easily be customized for different regions, countries, and languages. Considering the influence football has across the globe, such spam mail could potentially trick many people.
Global events can be very lucrative for scammers as they have the potential to scam more victims by appealing to people’s interest and curiosity. As a consequence, Symantec expects such scams to increase as we get closer to the 2014 World Cup.
Symantec advises users to be on their guard and to adhere to the following security best practices:
- Exercise caution when receiving unsolicited, unexpected, or suspicious emails
- Avoid clicking on links in unsolicited, unexpected, or suspicious emails
- Avoid opening attachments in unsolicited, unexpected, or suspicious emails
- Keep security software up-to-date
- Update antispam signatures regularly
Symantec constantly monitors spam attacks to ensure that users are kept up-to-date with information on the latest threats.
Don’t be caught offside when it comes to special offers, especially ones that look too good to be true!