Close Menu
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice

Subscribe to Updates

Get the latest creative news from FooBar about art, design and business.

What's Hot

Iran-Linked MuddyWater Poses as Ransomware Gang to Mask Espionage

June 25, 2026

CISA Warns of Actively Exploited Joomla JCE Flaw Allowing PHP Code Execution

June 24, 2026

Researchers Trick AI Browsers Into Leaking Credentials

June 24, 2026
Facebook X (Twitter) Instagram
Thursday, June 25
Facebook X (Twitter) Instagram Pinterest Vimeo
Cyberwire Daily
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice
Cyberwire Daily
Home»Cyber Security»Thousands of Fake FIFA Domains Target World Cup Fans
Cyber Security

Thousands of Fake FIFA Domains Target World Cup Fans

Team-CWDBy Team-CWDMay 27, 2026No Comments2 Mins Read
Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
Share
Facebook Twitter LinkedIn Pinterest Email


More than 4300 fraudulent domains impersonating FIFA’s official web presence have been registered since last August, building a fraud operation aimed squarely at fans of the 2026 FIFA World Cup.

According to new analysis from Group-IB, the activity spans six fraud schemes and four independent threat actors working the same event at once.

Most of the domains sit dormant, ready to switch on as kickoff nears. The firm flagged a comparable surge of scam sites before the 2022 Qatar World Cup.

Cloned Site Pushed via Facebook Ads

At the center of the operation is an actor the company tracks as Ghost Stadium, which it describes as Chinese-speaking and profit-driven. It runs more than 300 phishing domains built on a single kit that reproduces fifa.com as an almost flawless replica, down to the site’s PingIdentity single sign-on (SSO) flow.

The pages pull FIFA logos and product images from the brand’s official content network so they look authentic while sidestepping image-matching detection.

Chinese-language notes left in the source code, alongside an interface that switches across 11 languages, including three Chinese variants, pointed investigators toward a Chinese-speaking developer.

Paid Facebook ads are the campaign’s main engine, with shared Meta tracking codes tying hundreds of domains back to the same advertising accounts.

A Wider Fraud Economy

Ghost Stadium is one of the four operators Group-IB identified. The others include a bulk domain squatter, a phishing-as-a-service (PhaaS) supply chain selling ready-made kits and broad infostealer campaigns built for credential theft.

Dominated by the Vidar and Lumma infostealer families, those infections have swept up around 2500 FIFA logins now trading on dark-web markets.

Read more on the infostealers fueling credential theft: Lumma Stealer Vacuum Filled by Upgraded Vidar 2.0 Infostealer

The money moves through several channels, including a cryptocurrency on-ramp that settles funds beyond recovery.

Group-IB estimates premium and hospitality ticket fraud alone could cost victims between $71m and $474m, and warns losses across the full campaign could reach into the billions.

For fans, the safest course is to buy only through fifa.com, treat any ticket offer that demands cryptocurrency as a scam and turn on multi-factor authentication (MFA) before the rush begins.

For brand protection and fraud teams, the firm advises watching the dormant domains for signs of activation and pursuing takedowns at the registrar level rather than chasing sites one by one.



Source

Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
Previous ArticleWhat to consider before asking an AI chatbot for health advice
Next Article How OAuth Consent Bypasses MFA
Team-CWD
  • Website

Related Posts

Cyber Security

Iran-Linked MuddyWater Poses as Ransomware Gang to Mask Espionage

June 25, 2026
Cyber Security

UK Museums Face Cybersecurity Risks, MPs Warn

June 24, 2026
Cyber Security

Trump Issues Executive Order to Fast-Track Post-Quantum Migration

June 23, 2026
Add A Comment
Leave A Reply Cancel Reply

Latest News

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202522 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views

Why SOC Burnout Can Be Avoided: Practical Steps

November 14, 20259 Views

Cyber M&A Roundup: Cyber Giants Strengthen AI Security Offerings

December 1, 20258 Views
Stay In Touch
  • Facebook
  • YouTube
  • TikTok
  • WhatsApp
  • Twitter
  • Instagram
Most Popular

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202522 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views
Our Picks

Why you should never pay to get paid

September 15, 2025

How to tell if a voice call is AI or not

February 23, 2026

Can password managers get hacked? Here’s what to know

November 14, 2025

Subscribe to Updates

Get the latest news from cyberwiredaily.com

Facebook X (Twitter) Instagram Pinterest
  • Home
  • Contact
  • Privacy Policy
  • Terms of Use
  • California Consumer Privacy Act (CCPA)
© 2026 All rights reserved.

Type above and press Enter to search. Press Esc to cancel.