July 9, 2014 (Wed): Kaspersky Lab experts have encountered a curious method for spreading links to a phishing page that aims to harvest users’ personal data. The web page imitates the official FIFA website and prompts visitors to sign a petition in defense of Luis Suárez, a forward for the Uruguayan national team who was recently hit with a ban and a fine for biting the shoulder of Italian defender Giorgio Chiellini. Those fans unhappy about the Uruguayan’s disqualification who add their details to the petition could potentially end up on a spam mailing list, on the receiving end of a malicious attachment or even subjected to a targeted attack.
The phishing page matches the design of the official website, and every link on it redirects users to FIFA’s official site, www.fifa.com. The phishing domain was registered on June 27, 2014; according to the whois database, it was registered in the name of a person residing in London. The data collection form itself was built with Google Docs.
To sign the petition, the user has to fill out a form with his or her name, country of residence, mobile phone number and email address. After submitting the ‘petition’, victims were encouraged to share a link to the page with their friends on Facebook, and unsuspecting fans did so on their own Facebook pages. This enabled the phishing link to spread widely across Facebook in just a couple of days. Messages with links to the phishing page were also seen on dedicated football forums, which is probably how users originally reached the offending page.
“Armed with users’ email addresses and telephone numbers, cybercriminals can conduct targeted attacks involving banking Trojans for computers and mobile devices. This technique is used to get round two-factor authentication in online banking systems in cases where a one-time password is sent via SMS,” commented Nadezhda Demidova, Content Analyst at Kaspersky Lab.
Tips: distinguishing the phishing page from official FIFA site pages
First of all, check the address shown in the browser’s address bar: the host must be the official domain (fifa.com) or a subdomain of it, not merely a name that contains the word “fifa”. The fact that links on a page lead to the genuine site proves nothing, since this phishing page linked to www.fifa.com throughout, and a form hosted on a third-party service such as Google Docs is not a FIFA page even if it looks like one. If you have the slightest doubt as to the site’s authenticity, do not enter any personal data. To verify the authenticity of a site you can contact a representative of the organization via the official site.
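The domain check above, written out as an added example (this is not code from Kaspersky Lab or from the Securelist write-up). It reduces a URL to its hostname the way a browser does and reports why a host should be distrusted: the “user@host” trick that puts the real name before an ‘@’, look-alike hosts that merely contain fifa.com, and non-ASCII (including punycode-encoded) labels. The sample URLs are constructed for illustration and are not the phishing domain from the report.

```python
from urllib.parse import urlsplit

OFFICIAL_DOMAIN = "fifa.com"


def hostname_of(url: str) -> str:
    """Return the lowercase hostname a browser would connect to, or "" if none.

    urlsplit() treats everything before '@' as userinfo, so
    'http://www.fifa.com@evil.example/' yields 'evil.example', not 'fifa.com'.
    """
    if "://" not in url:
        url = "http://" + url          # bare 'www.fifa.com/...' as typed by a user
    host = urlsplit(url).hostname or ""
    # Punycode labels (xn--...) are shown decoded in the address bar; decode them
    # here too so a look-alike name is not hidden behind an ASCII-only label.
    try:
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass                            # already non-ASCII, or not valid punycode
    return host.lower().rstrip(".")


def same_site(host: str, official: str = OFFICIAL_DOMAIN) -> bool:
    """True only for the official domain or a subdomain of it (label boundary)."""
    return host == official or host.endswith("." + official)


def verdict(url: str, official: str = OFFICIAL_DOMAIN) -> str:
    """Return 'official' or a short reason why the URL should not be trusted."""
    host = hostname_of(url)
    if same_site(host, official):
        return "official"
    parts = urlsplit(url if "://" in url else "http://" + url)
    if parts.username is not None:
        return f"userinfo trick: text before '@' is not the host ({host})"
    if not host.isascii():
        return f"non-ASCII (look-alike) label in host: {host}"
    if official in host:
        return f"official name embedded in a different domain: {host}"
    return f"unrelated domain: {host}"


if __name__ == "__main__":
    # Constructed sample URLs; none of these is the domain from the report.
    for sample in (
        "https://www.fifa.com/worldcup/",
        "http://www.fifa.com@evil.example/petition",
        "http://fifa.com.evil.example/petition",
        "http://notfifa.com/",
        "http://fif\u0430.com/",            # Cyrillic 'а' in place of Latin 'a'
        "https://docs.google.com/forms/d/example",
    ):
        print(f"{sample:45} -> {verdict(sample)}")
```

The check only answers the question the tip asks, whether the displayed host really belongs to fifa.com; it says nothing about whether the content is genuine, and registering a plausible look-alike domain is cheap, which is why the tip ends with contacting the organization through its official site when in doubt.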
For more details about this phishing attack, please visit securelist.com.