Trellix Advanced Research Center email security researchers found a 100 per cent increase in the volume of malicious emails in Arab countries in the month of October 2022.
Global eyes are now on the first global football tournament held in the Arab world, which kicked off on Sunday, November 20, but malicious actors kicked off their World Cup-themed cyberattacks ahead of the tournament. Email security researchers from the Trellix Advanced Research Centre have found attackers to be leveraging FIFA and football-based campaigns to target organisations in Arab countries. Consequently, the volume of malicious emails in Arab Countries was observed to have increased by 100 per cent in the month of October.
“It is common practice for attackers to utilise important/popular events as a part of social engineering tactics and particularly target organisations which are related to the event as they are far more promising victims for an attack,” commented Daksh Kapur, Research Scientist at Trellix. “As the host country and the affiliated organisations prepare for and manage the event, attackers take advantage of employee’s busy schedules, increasing the chances of human error and the victim interacting with the attack vector. The aim of such attacks can be anything from financial fraud, credential harvesting and data exfiltration to surveillance and damage to the country’s/organization’s reputation.”
Trellix Advanced Research Center researchers caught various emails utilising the football tournament as an initial attack vector. The following are cases of samples found in the wild:
- Sample 1: Pretends to be from the FIFA TMS helpdesk, and the email body shows a fake alert notification regarding the de-activation of two-factor authentication and contains a hyperlink redirecting the user to a phishing page.
- Sample 2: Attempts to impersonate David Firisua, the team manager for Auckland City FC, and seeks confirmation of a payment made to the receiver’s account in reference to FIFA. It also contains a hyperlink to a customised phishing page of a trusted brand.
- Sample 3: Impersonates the FIFA ticketing office and conveys a payment issue for the victim to resolve urgently. It also contains an HTML attachment which redirects the user to a customised phishing page.
- Sample 4: A fake legal notification informing the recipient about a ban implemented by FIFA from registering new players to create a sense of urgency. It also contains an HTML attachment which redirects the user to a customised phishing page.
- Sample 5: A fake file notification set in the WeTransfer’s template. It attempts to impersonate the Players Status Department and send victims a legal notice regarding delayed legal fees. It contains a link which redirects the user to a malicious website, either delivering malware or hosting a phishing page.
- Sample 6: Snoonu, the official food delivery partner of the World Cup is spoofed, offering fake free tickets to those who register. It contains a malicious xlsm attachment. The usage of such trusted organisations’ names and their templates makes the user fall for such attacks easily.
In terms of malware, Trellix solutions have identified several malware families being used to target Arab countries but the five most used malware families are Qakbot (40 per cent), Emotet (26 per cent), Formbook (26 per cent), Remcos (four per cent) and QuadAgent (four per cent).
“As the much-awaited football tournament gets underway, cybercriminals are expected to leverage every opportunity they get to capitalise on news trends, ticket demands, human errors due to the busy schedule and more, in order to deliver a cyberattack. We anticipate these attacks to continue through January 2023 and would advise everyone to stay vigilant of any attack vectors. The organisations which are directly related to the event are advised to stay extra-vigilant as they would be the most promising targets for such attacks,” added Sparsh Jain, Research Scientist at Trellix.