The 2010 FIFA World Cup kicks off on June 11th in South Africa. As 32 countries warm up for this esteemed international soccer event, cyber criminals are getting busier, too. So far, Symantec has observed scam, phishing, and malicious attachment spam related to the 2010 FIFA World Cup. Of these, 419-scam messages stand out as major contributors. Below are two examples of typical 419-spam related to the FIFA World Cup: In many of the phishing samples spammers are targeting the Visa brand, which is one of the six global FIFA partners. Visa announced a “Go Fans” promotion offer in which card holders get the chance to win a trip to South Africa to experience the 2010 World Cup matches. Aware of the fan frenzy involved with watching live World Cup games, phishers are in the right (albeit criminal) business of trying to make money out if it. Below is an example of a phishing sample in which users are asked to fill in their Visa credit card details (such as name, credit card number, expiry date, security number, etc.) in order to register for the “Go Fans” promotion: If a user fills in all of the required information and clicks on the “Submit Registration” button, a fake handling code is generated to confirm a “successful” registration. In this phishing effort, the so-called handling code can be generated even with a blank form. We first observed FIFA-related scams way back in 2005 when the 2010 FIFA World Cup host country was announced. However, the message volume during the last couple of months has shot up. While tracking the prevalence of FIFA spam, Symantec analyzed the spam corpus for certain obvious words being used in various parts of the email (headers, body, or obfuscation text) such as “FIFA 2010”, “2010 FIFA”, “Football World Cup”, and “FIFA World Cup”. We found a rising trend, as shown in the graph below. Compared to the World Cup spam volume in April, the data up to May 25th shows an increase of approximately 27 percent: -------------------- Update (31 May 2010): Visa’s security team is actively working with the appropriate organizations to shut down this site. Visa also encourages consumers to visit http://usa.visa.com/personal/security/learn-the-facts/phishing.html, which contains helpful anti-phishing tips. -------------------- With three more weeks yet to go until the World Cup starts, we expect spam volume related to the World Cup to grow. There may be variations in the spam types, with offers of (fake) game tickets, malware distribution via fake videos purportedly showing highlights of the games, and fake FIFA product offers. Symantec has historically observed that spamming related to major sporting events such as this starts long before actual event. And, it will be no surprise to see spam related to the 2014 FIFA World Cup appear soon after the 2010 World Cup has finished. Users are advised to refrain from clicking on unsolicited email unless it is from authorized or official sources. Symantec is closely monitoring this trend and we will keep our readers updated. ========================== Note: Thanks to Saurabh Kulkarni, Paresh Joshi, and Rohan Shah for gathering data pertaining to this blog.