Soccer Cyberthreats

How to watch the World Cup and not get scammed.

FIFA World Cup 2022: Soccer Cyberthreats

Just in case you haven’t noticed, Qatar is currently hosting the 22nd FIFA World Cup (from November 20 to December 18). Cyberfraudsters could hardly pass up such an opportunity. The 2018 World Cup in Russia was watched by 3.6 billion people (more than half of the world’s population over four years old), and the viewing figures of Qatar’s World Cup are unlikely to be lower. Having analyzed the main cyberthreats targeting fans at major sporting events in recent years, we can only recommend you be vigilant during the World Cup.

Fake sites and apps

In the runup to all major sporting feasts in recent years, our experts have observed upticks in registrations of domains based on the names of the respective events. Most of these sites were used for fraud, such as offering fake tickets or free live broadcasts.

A phishing page offers a chance to win 2 FIFA tickets

A phishing page offers a chance to win 2 FIFA tickets

This year’s World Cup has been no exception. By the time it kicked off, experts had uncovered multiple fraudulent pages on social networks, and more than 170 domains posing as official World Cup resources.

Most are phishing sites looking to steal user data, but alongside the traditional scams (ticket giveaways, souvenir sales), some new cryptocurrency-based scams have been added. Soccer fans are invited to invest in new tokens created specially for the tournament, or to bet on the results with payouts in crypto or as NFT art. Of course, to receive your “winnings”, you have to share your cryptowallet details.

An example of a World Cup-related crypto scam

An example of a World Cup-related crypto scam

Mobile apps are another classic mode of attack, especially on Android users: by the start of the World Cup, more than 50 instances of mobile malware had been detected that either plant malicious software on your device, ask you to pay for a bogus ticket or broadcast, or steal your personal data — passwords, mail accounts, card numbers, and the like.

A study of past championships indicates that the victims of sports-related scams are typically casual fans: folks looking for streaming sites or installing sports apps for the first time. Therefore, in addition to our standard advice (never visit suspicious sites or download suspicious applications), we would add another useful tip: if you’re a novice, ask a friend who’s long been into sports. They’ll be able to suggest the best places for live streaming or placing bets, which will help you avoid fly-by-night sites and fraudulent apps.

Privacy issues

But even official apps don’t guarantee protection against personal data leaks. On the eve of the current World Cup, warnings were already sounding about privacy issues in apps that visitors to Qatar have to install. Similar vulnerabilities making it possible to spy on users were found in Chinese apps that guests of this year’s Winter Olympics were required to install.

But if you think such problems affect only certain countries, alas, personal data leaks happen everywhere. At the 2020 Summer Olympics in Tokyo (which ran in 2021 due to  covid disruption), the usernames and passwords of those who’d bought tickets were leaked, giving cybercriminals access to masses of personal data in fans’ accounts: names, addresses, bank details. And in 2018, the official app of the Spanish soccer league, La Liga, was caught red-handed using microphone and GPS access on user devices to track down those watching pirated broadcasts. La Liga, of course, denied eavesdropping on users, since the audio clips it recorded were encrypted. But how could this be checked, and who then did listen to these recordings?

As such, a general security rule that applies even to official apps is to minimize their access to your personal data and to other apps and systems on your smartphone. If installing an app with extended privileges is mandatory in the host country, use a burner phone instead of your main device.

Beware of free Wi-Fi

During the 2016 Summer Olympics in Brazil, Kaspersky researchers found that around a quarter of Wi-Fi hotspots at competition venues had little or no security at all. Similar studies during the 2018 FIFA World Cup in Russia uncovered even more unprotected Wi-Fi networks.

So, if you’re off to Qatar, take every precaution when using public Wi-Fi:

1. Turn off automatic connection to Wi-Fi networks

Also turn off Wi-Fi itself when not using it, and remove public Wi-Fi networks from the list of connections after using them. This will safeguard against connecting to poorly protected access points where your data could be intercepted by cybercriminals.

2. Carefully check the names of networks you connect to

Fake hotspots might have similar names to the Wi-Fi network of your hotel or the cafe you’re in. If you fail to spot a fake Wi-Fi network and connect to it, the data you transmit will end up in cybercriminal hands.

3. Don’t use public Wi-Fi for critical tasks

For the same reasons, be doubly sure not to connect to dubious hotspots if you have to use a service where a data leak could be very costly, such as online banking. Better to access it through a well-protected home or corporate network. Although more expensive, even using mobile data to get online is safer than free public Wi-Fi.

4. Use a VPN

If there’s simply no other option but to connect to an unknown Wi-Fi network, use a security solution with VPN technology to create an encrypted communication channel. For example, Kaspersky Secure Connection. KSC encrypts your data before forwarding it to the Wi-Fi router, so other users — not even the hotspot owner — can see what you’re sending or where. And it’s a good idea to configure your VPN to start up automatically on connecting to any public network.

VPN Disclaimer

The use of VPN technology is subject to local laws and regulations. Kaspersky VPN Secure Connection should only be used for its intended purpose. Kaspersky VPN Secure Connection is not available in India – neither standalone, nor as part of Kaspersky Plus, Kaspersky Premium, or Kaspersky Small Office Security.