Fifa.com — CraftedSignal Threat Feed

Threat Actors Spoofing FIFA Websites in Advance of the 2026 World Cup

hello@craftedsignal.io — Wed, 27 May 2026 18:24:00 +0000

The FBI has issued a public service announcement warning of cyber threat actors conducting spoofing attacks against the Fédération Internationale de Football Association (FIFA) website in anticipation of the 2026 FIFA World Cup. These actors create deceptive versions of the legitimate FIFA website (www.fifa.com) with the goal of tricking users into believing they’re interacting with the official brand. The spoofed websites are designed to collect personally identifiable information (PII) entered by users, including names, home addresses, phone numbers, email addresses, and banking information. The threat actors also aim to sell fake World Cup tickets and hospitality products and possibly facilitate other malicious activities. The FBI has identified multiple domains already spoofing the legitimate FIFA website and anticipates additional fake domains will be created leading up to and throughout the 2026 World Cup.

Attack Chain

The attacker registers a domain name that closely resembles the legitimate FIFA website (www.fifa.com), often using typos or alternative top-level domains (e.g., fiffa[.]com, fifa[.]org).
The attacker sets up a website on the spoofed domain that mimics the look and feel of the official FIFA website, including branding, logos, and content.
The attacker promotes the spoofed website through various means, such as search engine optimization (SEO) or social media, to attract unsuspecting users.
A user visits the spoofed website, believing it to be the legitimate FIFA site.
The user is prompted to enter personal information, such as name, address, phone number, email, and banking details, to register for an account, purchase tickets, or apply for a job.
The attacker collects the user’s PII entered into the spoofed site.
The attacker uses the stolen PII to create new accounts in the victim’s name, commit identity theft, or sell the information to other malicious actors.
The attacker attempts to sell fake World Cup tickets and hospitality products to the victim, potentially leading to financial loss.

Impact

The spoofed FIFA websites can lead to significant financial and personal information loss for victims. Threat actors can collect PII, create fraudulent accounts, and sell fake World Cup tickets and hospitality products. The number of victims is currently unknown, but the FBI anticipates that these attacks will increase leading up to the 2026 FIFA World Cup. These attacks target anyone attempting to access FIFA’s website for information, tickets, or employment opportunities. A successful attack can result in identity theft, financial fraud, and reputational damage for the victims.

Recommendation

When navigating to FIFA’s official website, type fifa.com directly into the address bar, as recommended by the FBI, rather than using a search engine.
Implement a domain reputation feed to identify and block access to newly registered or suspicious domains similar to the IOCs in this brief.
Monitor network traffic for connections to the IOCs listed in this brief, and block them at the firewall or proxy level.
Deploy the Sigma rule to detect potential typo-squatting attempts on FIFA domains.
Educate users about the dangers of typo-squatting and phishing, emphasizing the importance of verifying website URLs and avoiding suspicious links.

Fake FIFA World Cup Websites Stealing Credentials and Funds

hello@craftedsignal.io — Sat, 23 May 2026 06:09:19 +0000

ESET researchers have uncovered multiple fake FIFA World Cup websites designed to deceive soccer fans seeking tickets and merchandise. These websites mimic the official FIFA and World Cup sites, enticing users to register and make purchases through fraudulent payment flows. The attackers utilize tactics such as typosquatting, where domain names closely resemble the legitimate ones, and copying the official FIFA website’s look and feel to enhance credibility. The campaign targets individuals eager to secure tickets and merchandise for the 2026 FIFA World Cup, exploiting their enthusiasm and impatience. The fake sites aim to steal financial and identity data, including names, email addresses, phone numbers, and passwords.

Attack Chain

Victims are lured to fake FIFA websites through sponsored search results, social media ads, or forwarded links.
The fake website uses a domain name similar to the official FIFA site, employing typosquatting (e.g., ***fifa26[.]shop).
The website replicates the look and feel of the official FIFA site, including colors, layout, and navigation.
Users are prompted to register, providing personal information such as name, email address, and phone number.
The fake website offers tickets and merchandise for purchase, allowing users to add items to a shopping cart.
Users are directed to a payment page where they enter their credit card details.
The entered payment information is stolen by the attackers.
Victims lose money and have their personal and financial data compromised.

Impact

The fake FIFA websites lead to financial losses for victims who enter their credit card details. Stolen personal data, including names, email addresses, phone numbers, and reused passwords, can be used for identity theft, financial fraud, and further attacks on other accounts. The campaign targets soccer fans worldwide, aiming to capitalize on the high demand for World Cup tickets and merchandise. If successful, attackers can gain access to victims’ sensitive information, leading to significant financial and personal harm.

Recommendation

Directly type the official FIFA website address (FIFA.com) into your browser to avoid clicking on potentially malicious links from ads or social media posts (Reference: FIFA official website).
Closely examine domain names for typosquatting attempts (e.g., extra characters, odd endings) before entering any information (Reference: ***fifa26[.]shop and ****26-fifa[.]com).
Deploy the Sigma rule Detect Fake FIFA Website Registration Page to identify suspicious registration pages (Reference: rule).
Deploy the Sigma rule Detect Fake FIFA Website Payment Page to identify suspicious payment pages (Reference: rule).
Use strong, unique passwords for all accounts and enable two-factor authentication to protect against credential reuse (Reference: Overview).

Fake FIFA World Cup Websites Stealing Credentials and Funds

hello@craftedsignal.io — Sat, 23 May 2026 06:09:19 +0000

Attack Chain

Victims are lured to fake FIFA websites through sponsored search results, social media ads, or forwarded links.
The fake website uses a domain name similar to the official FIFA site, employing typosquatting (e.g., ***fifa26[.]shop).
The website replicates the look and feel of the official FIFA site, including colors, layout, and navigation.
Users are prompted to register, providing personal information such as name, email address, and phone number.
The fake website offers tickets and merchandise for purchase, allowing users to add items to a shopping cart.
Users are directed to a payment page where they enter their credit card details.
The entered payment information is stolen by the attackers.
Victims lose money and have their personal and financial data compromised.

Impact

Recommendation

Directly type the official FIFA website address (FIFA.com) into your browser to avoid clicking on potentially malicious links from ads or social media posts (Reference: FIFA official website).
Closely examine domain names for typosquatting attempts (e.g., extra characters, odd endings) before entering any information (Reference: ***fifa26[.]shop and ****26-fifa[.]com).
Deploy the Sigma rule Detect Fake FIFA Website Registration Page to identify suspicious registration pages (Reference: rule).
Deploy the Sigma rule Detect Fake FIFA Website Payment Page to identify suspicious payment pages (Reference: rule).
Use strong, unique passwords for all accounts and enable two-factor authentication to protect against credential reuse (Reference: Overview).