<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Fédération Internationale De Football Association (FIFA) — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/f%C3%A9d%C3%A9ration-internationale-de-football-association-fifa/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 27 May 2026 18:24:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/f%C3%A9d%C3%A9ration-internationale-de-football-association-fifa/feed.xml" rel="self" type="application/rss+xml"/><item><title>Threat Actors Spoofing FIFA Websites in Advance of the 2026 World Cup</title><link>https://feed.craftedsignal.io/briefs/2026-05-fifa-spoofing/</link><pubDate>Wed, 27 May 2026 18:24:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-fifa-spoofing/</guid><description>Cyber threat actors are conducting spoofing attacks against FIFA websites in advance of the 2026 FIFA World Cup to steal personal information and facilitate monetary scams.</description><content:encoded><![CDATA[<p>The FBI has issued a public service announcement warning of cyber threat actors conducting spoofing attacks against the Fédération Internationale de Football Association (FIFA) website in anticipation of the 2026 FIFA World Cup. These actors create deceptive versions of the legitimate FIFA website (<a href="https://www.fifa.com">www.fifa.com</a>) with the goal of tricking users into believing they&rsquo;re interacting with the official brand. 
The spoofed websites are designed to collect personally identifiable information (PII) entered by users, including names, home addresses, phone numbers, email addresses, and banking information. The threat actors also aim to sell fake World Cup tickets and hospitality products and possibly facilitate other malicious activities. The FBI has identified multiple domains already spoofing the legitimate FIFA website and anticipates additional fake domains will be created leading up to and throughout the 2026 World Cup.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker registers a domain name that closely resembles the legitimate FIFA website (<a href="https://www.fifa.com">www.fifa.com</a>), often using typos or alternative top-level domains (e.g., fiffa[.]com, fifa[.]org).</li>
<li>The attacker sets up a website on the spoofed domain that mimics the look and feel of the official FIFA website, including branding, logos, and content.</li>
<li>The attacker promotes the spoofed website through various means, such as search engine optimization (SEO) or social media, to attract unsuspecting users.</li>
<li>A user visits the spoofed website, believing it to be the legitimate FIFA site.</li>
<li>The user is prompted to enter personal information, such as name, address, phone number, email, and banking details, to register for an account, purchase tickets, or apply for a job.</li>
<li>The attacker collects the user&rsquo;s PII entered into the spoofed site.</li>
<li>The attacker uses the stolen PII to create new accounts in the victim&rsquo;s name, commit identity theft, or sell the information to other malicious actors.</li>
<li>The attacker attempts to sell fake World Cup tickets and hospitality products to the victim, potentially leading to financial loss.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The spoofed FIFA websites can cause victims significant financial loss and exposure of personal information. Threat actors can collect PII, create fraudulent accounts, and sell fake World Cup tickets and hospitality products. The number of victims is currently unknown, but the FBI anticipates that these attacks will increase leading up to the 2026 FIFA World Cup. These attacks target anyone attempting to access FIFA&rsquo;s website for information, tickets, or employment opportunities. A successful attack can result in identity theft, financial fraud, and reputational damage for the victims.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>When navigating to FIFA&rsquo;s official website, type fifa.com directly into the address bar, as recommended by the FBI, rather than using a search engine.</li>
<li>Use a domain reputation feed to identify and block access to newly registered or suspicious domains that resemble the IOCs in this brief.</li>
<li>Monitor network traffic for connections to the IOCs listed in this brief, and block them at the firewall or proxy level.</li>
<li>Deploy the Sigma rule to detect potential typo-squatting attempts on FIFA domains.</li>
<li>Educate users about the dangers of typo-squatting and phishing, emphasizing the importance of verifying website URLs and avoiding suspicious links.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>fifa</category><category>spoofing</category><category>phishing</category><category>typo-squatting</category></item></channel></rss>