Jun 11, 2026

World Cup 2026 Mobile Targeted Phishing: The Global Social Engineering Threat

Executive Summary

Our threat intelligence team has uncovered a troubling surge in digital scams and phishing campaigns capitalizing on the FIFA World Cup 2026 and specifically targeting mobile users. The lure is highly effective: as the largest sporting event in history scales up to 48 teams and 104 matches, billions of fans are driven by a mix of unprecedented ticket scarcity, sky-high prices, and emotional urgency. Threat actors have taken note of these market conditions, prioritizing sophisticated social engineering attacks to siphon personal data, credit card credentials, and corporate access.

We analyzed three primary attack campaigns showing just how organized these campaigns have become:

  • The first targets ticket buyers through widespread typosquatting and institutional spoofing, deploying fake domains like fifa-tickets[.]vip to trap desperate fans.
  • The second is an active, high-risk retail campaign which mimics sports giants like Nike and Adidas by hiding its origin infrastructure behind Cloudflare.
  • The third exploits the tournament's hiring wave through sophisticated recruitment fraud. It is an AiTM platform targeting corporate Google Workspace accounts, capable of bypassing MFA in real time.

Introduction

World Cup 2026 targeted phishing campaigns represent a massive opportunity for cybercrime. As the 2026 tournament captures the attention of dozens of nations simultaneously for an entire month, threat actors are pairing classic social engineering with the real-world frenzy of historic ticket demand. Leveraging channels like SMS, WhatsApp, and search engine results, these campaigns exploit the deep emotional investment and trust fans place in official tournament communication, while taking advantage of users' poor security diligence on their mobile devices.

Among the various lures deployed, fake ticket gateways, lookalike fan shops, and fraudulent employment offers have emerged as the primary weapons in the cybercriminals' arsenal. These schemes serve as highly effective delivery mechanisms, capitalizing on the universal panic of missing out on the tournament. Unlike isolated phishing attempts that security teams can easily contain, these World Cup threats leverage mainstream consumer behavior across both personal and work devices, creating an incredibly hostile digital environment during the tournament cycle.

Why World Cup 2026 is Perfect for Phishing

The World Cup 2026 presents unique advantages for threat actors seeking to exploit human vulnerability on a mass scale. The staggering imbalance between supply and demand means users rarely question unusual digital channels when hunting for access:

  • Absolute Ticket Scarcity: Out of an approximate 6 million available tickets, over 5 million have already been allocated. Scarcity for the knockout and final phases is absolute.
  • Astronomical Dynamic Pricing: For the first time, FIFA has implemented dynamic pricing structures. While the most expensive ticket for the Qatar 2022 final hovered around $1,600 USD, equivalent seats for the 2026 final in New York/New Jersey surpassed $10,000 USD at launch, with Front Category seats scaling up to $30,000 USD.
  • The Secondary Market Hazard: With legitimate channels entirely saturated, fans are driven out of desperation to alternative platforms like Telegram, social media, and unverified Google listings, exposing themselves directly to malicious links.

Mobile Phishing (Mishing): The Great Cybersecurity Blind Spot

During the World Cup season, the threat perimeter extends far beyond personal loss; it poses a direct risk to enterprise environments. Employees actively utilize their mobile devices during work hours to check scores, track tickets, or shop for gear. This intersecting behavior exposes organizations through multiple blind spots:

  • The Distraction Factor: An employee who receives a high-urgency text message shouting "Remaining Ticket Liquidation!" or "Official Jerseys 70% OFF" is significantly more likely to click impulsively due to emotional urgency.
  • Lack of Network Visibility: In a Bring Your Own Device (BYOD) landscape, many of these malicious links are opened entirely outside of corporate VPNs or via cellular networks. This leaves traditional enterprise perimeter controls, like corporate firewalls, completely blind to the connection.
  • Credential Harvesting Escalation: If an employee falls victim to these scams and uses recycled corporate credentials, or if their compromised mobile device stores enterprise access keys, a simple ticket scam can easily turn into the initial entry vector for a corporate ransomware attack.

While these campaigns target consumers, the attack path frequently intersects with enterprise environments. Employees routinely access corporate email, collaboration tools, cloud services, and authentication applications from the same devices used for personal activities. As a result, a phishing attack that begins as a ticket purchase scam or merchandise promotion can quickly evolve into credential theft, session hijacking, or unauthorized access to corporate resources. This convergence of personal and professional mobile usage makes mobile devices a critical security control point during global events such as the World Cup 2026.

Campaign 1: Ticket Sales & Institutional Typosquatting

The desperate rush to secure match tickets serves as the most lucrative hook for cybercriminals. The first vector we analyzed is the oldest trick in the book: creating deceptive sites that visually mimic official URLs. This technique, known as typosquatting, involves registering domains that closely resemble official URLs in order to deceive users and evade casual scrutiny.

This campaign was previously analyzed by Group-IB and named Ghost Stadium. It was attributed to a financially motivated, Chinese-speaking threat actor operating an unprecedented FIFA brand abuse campaign. At the same time, the FBI's Internet Crime Complaint Center (IC3) issued Advisory PSA260527, independently warning the public and listing over 30 confirmed malicious domains.

Zimperium researchers found additional samples of this campaign and traces of a phishing kit that is most likely sold on underground forums we were not able to pinpoint.


Our analysis reveals an operation of unusual technical maturity. Rather than a crude credential-harvesting page, the analyzed sites are production-grade web applications that replicate the complete official FIFA ticket purchase journey, engineered to keep victims engaged from the first click through to a fake confirmation.

Phishing Flow & Data Exfiltration

The full attack workflow is shown in the figure below. The performed steps are:

  1. The user clicks on a link to a fake FIFA website. The link can be distributed through fraudulent emails, WhatsApp messages, SMS, advertisements, etc.
  2. The website tracks every movement the user makes.
  3. Credential harvesting.
  4. Financial theft: a fraudulent purchase is processed and the credit card information is stolen.
  5. A fake confirmation is displayed along with the emission of fake tickets.
  6. Account takeover: the stolen credentials are used to lock the user out of the legitimate FIFA website.

[Figure: full attack workflow of the ticket phishing kit]

The kit is engineered to stay online. Victims receive a convincing order reference and never suspect the compromise until their credentials are abused or their card is charged elsewhere.

Technical fingerprints

  • The application is built as a React single-page application, confirmed by the data-react-helmet attribute in the page source, compiled using RSpack 1.3.15, a JavaScript bundler developed by ByteDance.

  • Chinese-language developer comments are embedded throughout the custom JavaScript files.

  • Attribution note: Group-IB and the FBI consistently use "Chinese-speaking" as a linguistic identifier, not a nation-state attribution.


  • Layui 2.7.6 UI Framework: The kit loads Layui (/static/css/layui.css, 82 KB), a Chinese open-source UI library that Group-IB describes as "virtually unknown outside the Chinese developer community." A custom layer-shim.js replaces Layui's native modal engine, with the replacement documented in Chinese source comments.


  • The login and registration pages clone PingIdentity's DaVinci authentication framework, the identity provider FIFA uses for its real SSO. The clone is not visual only: it replicates PingIdentity's exact React component structure and uses FIFA's actual OAuth2 client_id. Hidden field found verbatim in both register.html and ec7b0bc82c00464d8e0a59bc19c585e2.html:


The p1:reset:userPassword scope is particularly dangerous: it authorizes the attacker to reset the victim's password on the real FIFA.com account, locking them out immediately after credential capture. Both pages are served with meta name="robots" content="noindex, nofollow" to prevent search engine indexing.

  • Credentials and personal data are submitted directly to the kit's backend:

// Login (authorize.html)
POST /api/login { account, password }

// Registration (register.html)
POST /api/register { firstname, email, password, gender, phoneCountryCode, phone, day, month, year, country, preferredLanguage }

  • Victim tracking: TikTok Pixel, Facebook Pixel, and 51.la

    Platform          Identifier                          Purpose
    TikTok Pixel      D7S1RAJC77U07JNLHM3G                Victim profiling + retargeting via paid TikTok Ads
    Facebook Pixel    1147557470844988                    Victim profiling + retargeting via paid Meta Ads
    51.la Analytics   Project via sdk.51.la + collect-v6.51.la   Full visitor telemetry to operators (Chinese platform, invisible to Western tooling)
  • SaleSmartly is a Chinese live-chat SaaS platform. Its presence enables the operators to interact in real time with victims during the "purchase" process, a live social engineering layer on top of the phishing kit. The Tawk.to script documented by Group-IB in other cluster samples is present but commented out in this variant, replaced by SaleSmartly.

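The fingerprints listed above (React Helmet marker, Layui stylesheet, layer-shim.js, the robots meta tag, the p1:reset:userPassword scope, the tracking pixel IDs, 51.la telemetry, SaleSmartly, and the /api/login and /api/register endpoints) lend themselves to a simple triage scanner that a defender can run over HTML pulled from suspicious URLs reported by users. The script below is an added example written for this article; it is not Zimperium's detection logic nor code from the kit. The weights, the threshold and the SaleSmartly name match are assumptions, and both HTML pages are constructed samples.

```python
import re

# Markers the report attributes to the Ghost Stadium ticket kit. Weights and the
# threshold below are assumptions made for this example, not a scoring model
# used by the report.
FINGERPRINTS = [
    ("data-react-helmet attribute (React SPA)", re.compile(r"data-react-helmet"), 1),
    ("Layui stylesheet /static/css/layui.css", re.compile(r"/static/css/layui\.css"), 2),
    ("custom layer-shim.js modal replacement", re.compile(r"layer-shim\.js"), 2),
    ("robots noindex,nofollow meta",
     re.compile(r'<meta[^>]+name=["\']robots["\'][^>]+noindex,\s*nofollow', re.I), 1),
    ("p1:reset:userPassword OAuth scope", re.compile(r"p1:reset:userPassword"), 3),
    ("TikTok Pixel D7S1RAJC77U07JNLHM3G", re.compile(r"D7S1RAJC77U07JNLHM3G"), 3),
    ("Facebook Pixel 1147557470844988", re.compile(r"1147557470844988"), 3),
    ("51.la telemetry (sdk.51.la / collect-v6.51.la)", re.compile(r"(?:sdk|collect-v6)\.51\.la"), 2),
    # Assumption: the SaleSmartly loader script contains the product name.
    ("SaleSmartly live chat", re.compile(r"salesmartly", re.I), 2),
    ("kit backend /api/login or /api/register", re.compile(r"/api/(?:login|register)\b"), 1),
]
KIT_THRESHOLD = 5  # assumption: a few independent markers is enough to triage


def fingerprint_html(html):
    """Return the matched markers, a weighted score and a verdict for one page body."""
    matched = [(name, weight) for name, rx, weight in FINGERPRINTS if rx.search(html)]
    score = sum(weight for _, weight in matched)
    verdict = "likely ticket-kit page" if score >= KIT_THRESHOLD else "no kit fingerprints"
    return {"matches": [name for name, _ in matched], "score": score, "verdict": verdict}


def triage_pages(pages):
    """Run fingerprint_html over a {url: html} mapping and keep only the flagged URLs."""
    results = {url: fingerprint_html(html) for url, html in pages.items()}
    return {url: r for url, r in results.items() if r["score"] >= KIT_THRESHOLD}


# Constructed sample: a page carrying most of the markers the report describes.
SAMPLE_KIT_PAGE = """<!doctype html>
<html><head>
<meta name="robots" content="noindex, nofollow">
<title data-react-helmet="true">Tickets</title>
<link rel="stylesheet" href="/static/css/layui.css">
<script src="/static/js/layer-shim.js"></script>
<script>ttq.load('D7S1RAJC77U07JNLHM3G');</script>
<script>fbq('init', '1147557470844988');</script>
<script src="https://sdk.51.la/js-sdk.min.js"></script>
</head><body>
<form action="/api/login" method="post">
<input type="hidden" name="scope" value="openid profile p1:reset:userPassword">
</form></body></html>"""

# Constructed sample: an ordinary page with none of the markers.
SAMPLE_BENIGN_PAGE = """<!doctype html>
<html><head><title>Club news</title>
<meta name="robots" content="index, follow"></head>
<body><form action="/login" method="post"></form></body></html>"""

if __name__ == "__main__":
    for url, result in triage_pages({"reported-url-1": SAMPLE_KIT_PAGE,
                                     "reported-url-2": SAMPLE_BENIGN_PAGE}).items():
        print(url, result["verdict"], result["score"])
        for name in result["matches"]:
            print("  -", name)
```

The pixel IDs and the password-reset scope carry the highest weight because they are specific to this kit, while the React and robots markers are common on legitimate sites and only add confidence in combination. Feed the scanner the raw response body rather than a rendered DOM: several markers live in script and meta tags that a browser would not display.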

Campaign 2: Merchandise & The "RetailPhish"

When the average fan realizes that spending thousands of dollars on a match ticket is impossible, they pivot their attention to apparel, seeking official national team jerseys. Attackers adapt immediately, deploying targeted credential harvesting frameworks aimed at sports retail giants.

Our intelligence team tracked an active, highly structured threat matrix designated as the RetailPhish campaign. This infrastructure impersonates brands like Nike, Adidas, Puma, and Marathon Sport across multiple languages and regions.

Phishing Flow & Data Exfiltration

The campaign employs a multi-stage social engineering funnel distributed primarily via WhatsApp messages:


Stage 1 – Brand Lure: The victim receives a WhatsApp message linking to what appears to be an official brand promotion. The landing page mimics Adidas, Nike, Puma, or Marathon Sports branding and promises high-value World Cup 2026 merchandise, national team kits, football boots, or gift cards worth EUR 250–300, in exchange for a short "eligibility quiz."

Stage 2 – Viral Propagation: After completing the quiz, the page requires the victim to forward the link to multiple WhatsApp contacts before the prize can be "unlocked." This forced sharing mechanism turns each victim into an unwitting distributor, driving organic, trust-based propagation through personal contact networks.

Stage 3 – PII Harvesting: The victim is prompted to enter personal information, including full name, shipping address, phone number, and email, to "claim" the reward.

Stage 4 – Payment Trap: A nominal EUR 2 "shipping fee" is requested. This final step captures the full credit card number, expiration date, and CVV. According to the original report, the fine print often includes consent to recurring charges or subscription enrollments.

The pages include fabricated customer reviews and FAQ sections to reinforce perceived legitimacy, while the multi-language URL templating allows the same kit to target fans across Spain, Germany, Colombia, Portugal, France, England, Croatia, and Ecuador simultaneously.

Technical Analysis & Infrastructure

This campaign demonstrates the operational sophistication of modern criminal networks. Rather than deploying amateur standalone pages, the threat actors leverage centralized registration infrastructure and CDN obfuscation to scale rapidly:

  • The entire infrastructure hides behind Cloudflare’s network, distributed across two distinct nameserver pairs (vera/walt.ns.cloudflare.com and ishaan/mina.ns.cloudflare.com). This masks the true origin servers and renders basic IP blacklisting ineffective.
  • Unified Registrant Identity: All campaign domains were registered through a single registrar NICENIC INTERNATIONAL GROUP CO., LIMITED with the registrant's real identity concealed behind NICENIC's privacy proxy service. When a customer enables this service, the registrar replaces their personal WHOIS data with opaque placeholder tokens unique to that customer account. Crucially, these tokens are consistent across all domains registered under the same account. Querying WHOIS for any of the nine campaign domains returns the same three privacy-proxy identifiers:


Because the registrar assigns these tokens per-account, the presence of identical values across nine independently registered domains is direct evidence that a single entity controls the entire infrastructure. This serves as the primary high-confidence attribution pivot for tracking the campaign's expansion.

  • Templated Phishing URLs: Every domain in the cluster deploys an identical URL schema, [domain]/<8-char-random>/?<brand>-<location>-mundial-2026.html, targeting fans searching for official merchandise in multiple languages (Spanish, Portuguese, German, English, French, Croatian).

Examples include paths like /CpnFuYZK/?adidas-equipacion-espana-mundial-2026.html and /JppXjvVN/?adidas-deutschland-fan-kit-2026.html.

  • Rapid Domain Rotation: Seven of the eight tracked domains were registered within a 33-day window (April 29 – May 31, 2026).
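The two pivots described in this section, the templated URL schema and the per-account privacy-proxy tokens returned by WHOIS, can both be automated. The script below is an added example for this article, not Zimperium's tooling: it parses candidate URLs against the RetailPhish schema, groups WHOIS records whose privacy-proxy identifiers are identical, and measures the registration window of the resulting cluster. The hostnames, the WHOIS field values and the creation dates are constructed (the report does not publish the campaign domains); the Cloudflare nameserver pairs, the registrar name and the two example paths are taken from the report. The brand list in the regex is limited to the brands the report names.

```python
import re
from collections import defaultdict
from datetime import date
from urllib.parse import urlsplit

# URL schema the report attributes to RetailPhish:
#   /<8-char-random>/?<brand>-<location>-mundial-2026.html
# The second example path in the report omits "mundial", so the slug is kept free-form.
PATH_RX = re.compile(r"^/(?P<token>[A-Za-z0-9]{8})/$")
QUERY_RX = re.compile(r"^(?P<brand>adidas|nike|puma|marathon)-(?P<slug>[a-z0-9-]+)-2026\.html$", re.I)


def parse_retailphish_url(url):
    """Return the template fields for a URL that matches the schema, else None."""
    parts = urlsplit(url)
    m_path = PATH_RX.match(parts.path)
    m_query = QUERY_RX.match(parts.query)
    if not (m_path and m_query):
        return None
    return {"host": parts.hostname, "token": m_path.group("token"),
            "brand": m_query.group("brand").lower(), "slug": m_query.group("slug").lower()}


def privacy_token_key(record):
    """The per-account identifiers a privacy proxy leaves in WHOIS; same account => same key."""
    return (record["registrar"], record["registrant_name"],
            record["registrant_org"], record["registrant_email"])


def cluster_by_privacy_tokens(records):
    """Group domains by identical privacy-proxy tokens."""
    clusters = defaultdict(list)
    for rec in records:
        clusters[privacy_token_key(rec)].append(rec["domain"])
    return {key: sorted(domains) for key, domains in clusters.items()}


def largest_cluster(records):
    """The domain set most likely controlled by one registrant account."""
    return max(cluster_by_privacy_tokens(records).values(), key=len)


def registration_window_days(domains, records):
    """Inclusive day span between the earliest and latest creation dates of the given domains."""
    created = [date.fromisoformat(r["created"]) for r in records if r["domain"] in domains]
    return (max(created) - min(created)).days + 1


REGISTRAR = "NICENIC INTERNATIONAL GROUP CO., LIMITED"
# Constructed WHOIS records. Token values are placeholders standing in for the
# opaque identifiers the privacy proxy returns.
WHOIS_SAMPLE = [
    {"domain": "retail-lure-a.example", "registrar": REGISTRAR, "registrant_name": "TOKEN-N-1",
     "registrant_org": "TOKEN-O-1", "registrant_email": "TOKEN-E-1@proxy.example",
     "created": "2026-04-29", "nameservers": ("vera.ns.cloudflare.com", "walt.ns.cloudflare.com")},
    {"domain": "retail-lure-b.example", "registrar": REGISTRAR, "registrant_name": "TOKEN-N-1",
     "registrant_org": "TOKEN-O-1", "registrant_email": "TOKEN-E-1@proxy.example",
     "created": "2026-05-10", "nameservers": ("ishaan.ns.cloudflare.com", "mina.ns.cloudflare.com")},
    {"domain": "retail-lure-c.example", "registrar": REGISTRAR, "registrant_name": "TOKEN-N-1",
     "registrant_org": "TOKEN-O-1", "registrant_email": "TOKEN-E-1@proxy.example",
     "created": "2026-05-20", "nameservers": ("vera.ns.cloudflare.com", "walt.ns.cloudflare.com")},
    {"domain": "retail-lure-d.example", "registrar": REGISTRAR, "registrant_name": "TOKEN-N-1",
     "registrant_org": "TOKEN-O-1", "registrant_email": "TOKEN-E-1@proxy.example",
     "created": "2026-05-31", "nameservers": ("ishaan.ns.cloudflare.com", "mina.ns.cloudflare.com")},
    # Unrelated domain at the same registrar but a different customer account.
    {"domain": "unrelated-shop.example", "registrar": REGISTRAR, "registrant_name": "TOKEN-N-9",
     "registrant_org": "TOKEN-O-9", "registrant_email": "TOKEN-E-9@proxy.example",
     "created": "2026-05-02", "nameservers": ("ns1.other.example", "ns2.other.example")},
]

if __name__ == "__main__":
    print(parse_retailphish_url(
        "https://retail-lure-a.example/CpnFuYZK/?adidas-equipacion-espana-mundial-2026.html"))
    cluster = largest_cluster(WHOIS_SAMPLE)
    print(cluster, registration_window_days(cluster, WHOIS_SAMPLE), "days")
```

The URL parser is useful on its own for extracting brand and locale from reported links, but the WHOIS grouping is the stronger signal: a shared registrar alone proves nothing, while identical registrant tokens across domains at the same registrar are exactly the per-account artefact the section describes.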

Campaign 3: OffsideHire Phishing

An event spanning three countries requires an enormous logistical footprint, stadium staff, security personnel, translators, production technicians, and hospitality workers. Threat actors exploit this hiring wave by targeting individuals seeking temporary seasonal employment or event-day access credentials.

We identified four fraudulent career portals impersonating FIFA's official recruitment channels. All four domains use the page title "Jobs at FIFA | FIFA Careers" and replicate the visual language of FIFA's legitimate careers page to establish immediate trust.


Technical Analysis

The four domains share a common operational fingerprint:

  • Privacy Proxy: All registrant data is concealed behind Domain Protection Services, Inc. (Denver, CO), the same WHOIS privacy provider across all domains.
  • Coordinated Registration: fifa-hr[.]com and fifa-hiring[.]com were registered on the same day (April 30, 2026), with fifa-careerpath[.]com and fifajobs[.]com following 17–18 days later (May 17 and May 18, 2026, respectively).
  • Shared Hosting: fifa-hr[.]com and fifa-careerpath[.]com resolve to shared name.com nameservers (ns1kpv, ns2kry, ns3jmt, ns4dmx), fifa-hiring[.]com operates from AWS infrastructure, and fifajobs[.]com is hosted on Vercel.
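Both the ticket campaign (fifa-tickets[.]vip) and the four recruitment domains above follow the same pattern: the brand name glued to a lure word under a non-official registrable domain. The script below is an added example for this article, not a Zimperium product feature; it refangs defanged indicators, separates the brand from the lure term and classifies each host. The official-host allowlist and the lure-term list are assumptions (the report names FIFA.com as the real site and gives no fuller list), and tickets.example is a constructed control; the other sample domains are the ones named in this report.

```python
BRAND = "fifa"
# Assumption: only fifa.com and its subdomains count as official here.
OFFICIAL_HOSTS = {"fifa.com", "www.fifa.com"}
# Lure words taken from the campaign domains in the report (tickets, hr, hiring,
# careerpath, jobs), extended with a few obvious variants (assumption).
LURE_TERMS = {"ticket", "tickets", "hr", "hiring", "career", "careers", "careerpath",
              "job", "jobs", "shop", "store"}


def refang(domain):
    """Turn a defanged indicator such as fifa-hr[.]com back into a real hostname."""
    return domain.strip().lower().replace("[.]", ".").replace("(.)", ".").rstrip(".")


def classify_domain(domain):
    """Classify one host as official, brand-lookalike or unrelated and list any lure terms."""
    host = refang(domain)
    if host in OFFICIAL_HOSTS or host.endswith("." + BRAND + ".com"):
        return {"host": host, "verdict": "official", "lure_terms": []}
    labels = host.split(".")
    tld = labels[-1]
    brand_labels = [lbl for lbl in labels[:-1] if BRAND in lbl]
    if not brand_labels:
        return {"host": host, "verdict": "unrelated", "lure_terms": []}
    found = []
    for lbl in brand_labels:
        # Replace the brand with a separator so "fifajobs" and "fifa-jobs" split the same way.
        for part in lbl.replace(BRAND, "-").split("-"):
            if part in LURE_TERMS and part not in found:
                found.append(part)
    return {"host": host, "verdict": "brand-lookalike", "tld": tld, "lure_terms": found}


def flag_lookalikes(domains):
    """Sorted list of hosts that carry the brand outside the official allowlist."""
    return sorted(r["host"] for r in map(classify_domain, domains) if r["verdict"] == "brand-lookalike")


# Domains named in this report, plus tickets.example as a constructed control.
SAMPLE_DOMAINS = ["fifa-tickets[.]vip", "fifa-hr[.]com", "fifa-hiring[.]com",
                  "fifa-careerpath[.]com", "fifajobs[.]com", "www.fifa.com", "tickets.example"]

if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        r = classify_domain(d)
        print(f'{r["host"]:24} {r["verdict"]:16} lure={r["lure_terms"]}')
```

In practice this runs over hostnames extracted from SMS gateways, DNS logs or user reports. The substring match on the brand is deliberately loose, so treat the output as a triage queue rather than a block decision: a lookalike host with a lure term is worth a registration-date and WHOIS check of the kind shown above.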

The Threat

While the initial three domains have been taken down or redirected to parking pages, fifajobs[.]com remains fully operational. Our static analysis of its JavaScript bundle reveals that this is not a traditional recruitment fraud campaign; it is a production-grade Adversary-in-the-Middle (AiTM) platform engineered for corporate Google Workspace account takeover.

Attack Flow

1. Booking Lure: The victim selects a job interest.

2. Credential Capture: Clicking "Continue with Google" renders a pixel-perfect clone of Google's sign-in page inside a simulated Chrome browser frame, complete with https://accounts.google.com/signin/v3/ displayed in the address bar.

The kit explicitly rejects personal email providers and displays the error message: "Please use your work or business email." Only corporate or custom-domain accounts are accepted, confirming that the operation targets enterprise environments, not individual consumers.


3. Real-Time MFA Interception: After the victim submits credentials, the backend relays them against Google's real infrastructure. When Google triggers a second factor, the kit dynamically presents the corresponding interception page:


4. Session Hijack: Once MFA is satisfied, the backend captures the fully authenticated Google session. The victim sees a booking confirmation and never suspects compromise.

C2 Infrastructure

The backend server at fifeq2026eqbackeq.onrender[.]com (hosted on Render.com) was fully operational at the time of analysis.

API confirmed:

  • POST /api/login — accepts credentials and initiates the AiTM relay
  • POST /api/booking — returns "Booking data sent to Telegram", confirming real-time exfiltration to a Telegram bot

Zimperium Protection

The World Cup 2026 is not merely a sporting event, it’s a global social engineering accelerator. The three campaigns documented here share a common flow: leverage emotional urgency, brand trust, and mobile-first behavior to bypass both human judgment and traditional security controls.

What makes these threats particularly dangerous for enterprises is their delivery vector. These campaigns reach employees through personal channels, WhatsApp messages, SMS, social media, and organic search results, entirely outside the visibility of corporate network controls. A fan checking ticket availability or shopping for a jersey on their lunch break becomes an entry point when accessing a corporate resource from a compromised device.

Traditional perimeter defenses (domain blocklists, URL reputation databases, and corporate firewalls) are insufficient against this class of threats. The attackers rotate domains within days, hide behind CDN infrastructure, and distribute links through encrypted messaging channels that never touch enterprise networks. By the time a domain appears on a blocklist, the campaign has already moved to fresh infrastructure.

The domains and infrastructure documented in this report are detected and blocked by Zimperium's Mobile Threat Defense (MTD). Our on-device detection engine identifies phishing domains in real time, providing zero-day protection against newly registered infrastructure before it appears on any blocklist. Whether a link arrives via SMS, QR code, or browser, the threat is intercepted at the moment of interaction, before credentials are submitted or payment data is captured.

Indicators of Compromise

The IOCs for this campaign can be found in the following GitHub repository.