FIFA Domain Squatting

Soccer (Football) Fans Being Targeted by Advanced Cyber Threat Actors

The Fédération Internationale de Football Association (FIFA), the sport’s global governing body, uses the official domain www.fifa.com. Threat analysts have recently identified several domain squatting efforts using the following registered domains:

  • fifa.com.co
  • fifa-rules.25u.com
  • fifaregionalprojects.org
  • fifa2015fifa.publicvm.com

The domain fifa-rules.25u.com has previously been identified as associated with the Turla Advanced Persistent Threat reported on by researchers at Kaspersky.

A Chinese-registered LLC known as TwoStooges LLC is the threat actor that is the subject of a legal ruling at the National Arbitration Forum. This is the same threat actor responsible for registering the squatting domain fifa.com.co.

A Nigerian scam artist by the name of Modestus Chukwuezi, using the email address mod5ino6@gmail.com, is the party responsible for registering fifaregionalprojects.org.

Most pernicious of all is the backdoor that is hard-coded into fifa2015fifa.publicvm.com, identified as malicious by 25 of 56 anti-virus research firms (VirusTotal SHA256 detail).

Researchers at the Sports-ISAO urge sports fans to avoid going to these sites. IT professionals protecting the networks of soccer teams should blacklist the aforementioned domains.
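
One way to apply that blacklist to proxy or DNS logs, as an added example that is not part of the original post: hostnames are matched on label boundaries, so fifa.com.co is never mistaken for the official fifa.com, and any other host carrying the string "fifa" is flagged for review. The log format, client addresses, timestamps and the fifa.com.example.net entry are constructed for illustration.

```python
OFFICIAL = "fifa.com"  # official domain given in the post
BLOCKLIST = {          # the four squatting domains listed in the post
    "fifa.com.co",
    "fifa-rules.25u.com",
    "fifaregionalprojects.org",
    "fifa2015fifa.publicvm.com",
}

def normalize(host):
    """Lower-case, drop any :port suffix, then strip the trailing root dot."""
    host = host.strip().lower().split(":", 1)[0]
    return host.rstrip(".")

def within(host, domain):
    """True if host equals domain or is a subdomain of it (label boundary)."""
    return host == domain or host.endswith("." + domain)

def classify(host):
    host = normalize(host)
    if any(within(host, bad) for bad in BLOCKLIST):
        return "blocked"
    if within(host, OFFICIAL):
        return "official"
    if "fifa" in host:
        return "review"  # brand string on a domain that is not fifa.com
    return "other"

# Constructed proxy log lines: timestamp, client IP, requested host
SAMPLE_LOG = """\
2015-06-01T10:00:01Z 10.0.0.5 www.fifa.com
2015-06-01T10:00:07Z 10.0.0.8 FIFA.com.co
2015-06-01T10:01:13Z 10.0.0.8 cdn.fifa-rules.25u.com.
2015-06-01T10:02:44Z 10.0.0.9 fifa2015fifa.publicvm.com:443
2015-06-01T10:03:02Z 10.0.0.9 fifa.com.example.net
2015-06-01T10:03:30Z 10.0.0.5 www.example.org
"""

def scan(log_text):
    """Return (client, host, verdict) for every blocked or review-worthy request."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        verdict = classify(parts[2])
        if verdict in ("blocked", "review"):
            hits.append((parts[1], normalize(parts[2]), verdict))
    return hits
```

A plain substring test for "fifa.com" would label fifa.com.co and fifa.com.example.net as official, which is why the comparison is done on whole labels.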
