Buying a fake World Cup ticket isn’t the only scam that awaits the unwary footie fan online. As the tournament in South Africa reaches its climax and excitement mounts in the lead up to the final, fraudsters are continuing to augment their attacks with a variety of World Cup-related email ruses. Supporters will need a sharp defensive line-up to keep them out.
Despite FIFA’s stringent rules about distribution and resale, there are still World Cup tickets on offer from unauthorized online outlets. Some of these will be old-fashioned touts using new channels to sell tickets at higher than face value. Some will be genuine people who bought tickets and now can’t go, but are unaware of the resale rules (which state that tickets can only be transferred to another named person with FIFA’s permission). And some will be outright fraudulent: the tickets are forgeries or don’t exist at all.
The end result for the ardent fan is the same: they risk flying themselves to South Africa at great expense only to find they are refused permission to the stadium.
The sale of forged, illegitimately resold or non-existent tickets is one of the most visible and conventional online World Cup scam and one which has been well-publicized so far. But the criminals who deal in email spam also know the tournament presents them with a good opportunity too.
World-Cup related email scams fall into three broad categories – conventional spam, advance-fee fraud, and malware droppers – each less prevalent but more damaging than the last. And a subset of the malware dropper scam – targeted attacks – can be truly devastating.
Conventional spam
To avoid detection by spam filters, spammers often ‘scrape’ random text from news websites to pad out the subject line and body text of the spam email. Hence the largest volume of World Cup-related spam is pretty much the same as it would be with any topical global event, whether it’s Christmas, the Haitian earthquake or the death of Michael Jackson. The World Cup is in the news so it’s turning up in spam: about 10 per cent of all spam (up to 150 billion messages a day) currently contains keywords relating to the World Cup.
As the intensity of the news coverage increases, so has the volume of spam which – merely by coincidence – mentions the tournament. Consequently it is increasingly hard to spot the scams deliberately targeted at the World Cup; which leads to the second category: advance-fee frauds, referred to as ‘419s’.
Advance-fee fraud
Advance-fee fraud has been around for several years. The fraudsters send out billions of emails, offering, for example in the case of the World Cup, match tickets or cheap flights and accommodation. If a hapless victim replies, the protagonist strings them along, asking for up-front fees: a release fee, an international transfer fee, a booking fee, and so on. The individual amounts are never huge, but if just one or two per cent of the billions of emails sent gets a response, then it soon adds up to vast sums.
Eventually, of course, the victim realizes they’ve been had, but it’s estimated that only about a tenth of people caught by these scams actually report them, due to embarrassment.
One of the most common World Cup-related 419s doing the rounds at the moment informs the recipient that he or she has won a vast sum on money on the World Cup lottery. We’ve also seen appeals for electrical generating equipment and offers to be the supplier of boots and players’ kit. But they all rely on the same technique – asking for some kind of up-front fee with promises of unbelievable returns.
As with the first type of spam, a good spam filter will quarantine them if they are not being blocked at network level. If any do get through, one should ask: is it possible to win a lottery if I have never bought a ticket? If it sounds too good to be true, then it is probably a lie.
Malware droppers
The third category – malware droppers – is an email which dupes the victim into opening an attachment or visiting a site which ‘drops’ malware onto the victim’s computer, usually installing a backdoor. This is later used to download other malware enabling the attacker to gain control of the PC, possibly recruiting it to a ‘botnet’ to send out yet more spam, or interrogating it for credit card and bank details.
Again, this isn’t a new technique; spammers use global events to tempt the unwary into clicking on a link or opening an attachment all the time. World Cup-related attacks of this kind are relatively small in volume currently, but they are also highly destructive in terms of loss of personal information or damage to the computer.
It doesn’t even have to be a dodgy site you’re directed to: we’ve seen legitimate sites infected with ‘malvertisements’ or compromised using SQL injection attacks. Unfortunate visitors to those sites will often be silently scanned too, as the malware attempts to exploit vulnerabilities in their computer system – such as out-of-date, unpatched browser plug-ins and other applications often used to play multimedia content. Once exploited, a backdoor Trojan is then installed silently, without the user’s knowledge. Legitimate sites offering fixture and results information or selling shirts and other paraphernalia will have to redouble their security efforts if they are to offer their customers the protection they deserve, as attackers know that during the World Cup, these sites attract a large number of visitors.
So far what we have discussed are scatter-gun attacks which rely on the massive volume of spam to yield a tiny percentage of victims. However, a far more deadly version of the malware dropper is used in targeted attacks. Here, criminals use web searches to investigate a business and source the email address of the most senior people. Then they email the target with a plausible message containing an attachment or link to a site. The attachment might be a spreadsheet calendar of all the World Cup fixtures, which looks helpful but is infected.
These attacks are often commissioned for the purposes of political or industrial espionage: one company spying on another; one country spying on another; or a state-backed entity obtaining IP from a rival country’s key industrial players. And sometimes these are opportunistic crimes where criminal gangs lift information from companies known to have valuable IP and then sell it to the highest bidder.
Protection against these attacks is far more difficult because the email will look plausible. We’ve seen a 419 scam that made use of the ’email to a friend’ utility on a news site: the attacker uses the email address gleaned from the company’s website and, along with the link to the story, embeds another link to an infected site. If the recipient is the chief executive of a biotech firm and he receives an email about an article on biotech, there’s a good chance he may click on both links.
The victim may never know they’ve been attacked unless the backdoor is discovered.
At the time of writing, Symantec has seen four World Cup-related targeted attacks like these in four weeks. Two were in targeting a global charity and an intergovernmental organization. Symantec blocked the attacks, not using conventional signature-based filters (useless on such carefully crafted fresh attacks), but using its Skeptic engine to identify the suspicious characteristics of the email and the malicious Excel attachment. As the tournament continues to progress, we expect to see further examples.