Our threat intelligence team has uncovered a troubling surge in digital scams and phishing campaigns capitalizing on the FIFA World Cup 2026 and specifically targeting mobile users. The lure is highly effective: as the largest sporting event in history scales up to 48 teams and 104 matches, billions of fans are driven by a mix of unprecedented ticket scarcity, sky-high prices, and emotional urgency. Threat actors have taken note of these market conditions, prioritizing sophisticated social engineering attacks to siphon personal data, credit card credentials, and corporate access.
We analyzed three primary attack campaigns showing just how organized these campaigns have become:
World Cup 2026 targeted phishing campaigns represent a massive opportunity for cybercrime. As the 2026 tournament captures the attention of dozens of nations simultaneously for an entire month, threat actors are pairing classic social engineering with the real-world frenzy of historic ticket demand. Leveraging channels like SMS, WhatsApp, and search engine results, these campaigns exploit the deep emotional investment and trust fans place in official tournament communications, while taking advantage of users' poor security diligence on their mobile devices.
Among the various lures deployed, fake ticket gateways, lookalike fan shops, and fraudulent employment offers have emerged as the primary weapons in the cybercriminals' arsenal. These schemes serve as highly effective delivery mechanisms, capitalizing on the universal panic of missing out on the tournament. Unlike isolated phishing attempts that security teams can easily isolate, these World Cup threats leverage mainstream consumer behavior across both personal and work devices, creating an incredibly hostile digital environment during the tournament cycle.
The World Cup 2026 presents unique advantages for threat actors seeking to exploit human vulnerability on a mass scale. The staggering imbalance between supply and demand means users rarely question unusual digital channels when hunting for access:
During the World Cup season, the threat perimeter extends far beyond personal loss; it poses a direct risk to enterprise environments. Employees actively utilize their mobile devices during work hours to check scores, track tickets, or shop for gear. This intersecting behavior exposes organizations through multiple blind spots:
While these campaigns target consumers, the attack path frequently intersects with enterprise environments. Employees routinely access corporate email, collaboration tools, cloud services, and authentication applications from the same devices used for personal activities. As a result, a phishing attack that begins as a ticket purchase scam or merchandise promotion can quickly evolve into credential theft, session hijacking, or unauthorized access to corporate resources. This convergence of personal and professional mobile usage makes mobile devices a critical security control point during global events such as the World Cup 2026.
The desperate rush to secure match tickets serves as the most lucrative hook for cybercriminals. The first vector we analyzed is the oldest trick in the book: creating deceptive sites that visually mimic official URLs. This technique, known as Typosquatting, involves registering domains that closely resemble official URLs in order to deceive users and evade casual scrutiny.
This campaign was previously analyzed by Group-IB and named Ghost Stadium. It was attributed to a financially motivated, Chinese-speaking threat actor operating an unprecedented FIFA brand abuse campaign. At the same time, the FBI's Internet Crime Complaint Center (IC3) issued Advisory PSA260527, independently warning the public and listing over 30 confirmed malicious domains.
Zimperium researchers found additional samples of this campaign and traces of a phishing kit that is most likely sold on underground forums we were not able to pinpoint.
Our analysis reveals an operation of unusual technical maturity. Rather than crude credential-harvesting pages, the analyzed sites are production-grade web applications that replicate the complete official FIFA ticket purchase journey and are engineered to keep victims engaged from the first click to the final "confirmation."
The full attack workflow is shown in the figure below. The performed steps are:
The kit is engineered to stay online. Victims receive a convincing order reference and never suspect the compromise until their credentials are abused or their card is charged elsewhere.
Attribution note: Group-IB and the FBI consistently use "Chinese-speaking" as a linguistic identifier (lang="zh"), not a nation-state attribution.
The `p1:reset:userPassword` scope is particularly dangerous: it authorizes the attacker to reset the victim's password on the real FIFA.com account, locking them out immediately after credential capture. Both pages are served with `<meta name="robots" content="noindex, nofollow">` to keep them out of search engine indexes.
```
// Login authorize.html
POST /api/login { account, password }
// Registration register.html
POST /api/register { firstname, email, password, gender, phoneCountryCode, phone, day, month, year, country, preferredLanguage }
```
| Platform | Identifier | Purpose |
|---|---|---|
| TikTok Pixel | D7S1RAJC77U07JNLHM3G | Victim profiling + retargeting via paid TikTok Ads |
| Facebook Pixel | 1147557470844988 | Victim profiling + retargeting via paid Meta Ads |
| 51.la Analytics | Project via sdk.51.la + collect-v6.51.la | Full visitor telemetry to operators (Chinese platform, invisible to Western tooling) |
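The indicators above (robots noindex/nofollow, the `lang="zh"` declaration, the two pixel identifiers, the 51.la SDK and the kit's `/api/login` and `/api/register` endpoints) can be turned into a page-triage check for saved HTML. This is an added example, not code from the Zimperium report; the identifiers are the ones listed in the table, and the sample page is constructed, not a captured kit page.

```python
"""Triage a saved HTML page for the Ghost Stadium kit indicators listed above.
Added example, not code from the Zimperium report; identifiers come from the
report's table, the sample page is constructed, not a captured kit page."""
from html.parser import HTMLParser

KNOWN_PIXEL_IDS = {"D7S1RAJC77U07JNLHM3G": "TikTok Pixel", "1147557470844988": "Facebook Pixel"}
TELEMETRY_HOSTS = ("sdk.51.la", "collect-v6.51.la")
KIT_ENDPOINTS = ("/api/login", "/api/register")


class KitFingerprinter(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self._in_script = [], False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "html" and a.get("lang", "").lower().startswith("zh"):
            self.findings.append("html lang=zh on a FIFA-branded page")
        elif tag == "meta" and a.get("name", "").lower() == "robots":
            content = a.get("content", "").lower()
            if "noindex" in content and "nofollow" in content:
                self.findings.append("robots noindex,nofollow (kept out of search results)")
        elif tag == "script":
            self._in_script = True  # inline pixel bootstrap code may follow
            if any(h in a.get("src", "") for h in TELEMETRY_HOSTS):
                self.findings.append("51.la telemetry SDK: " + a["src"])
        elif tag == "form" and a.get("action", "") in KIT_ENDPOINTS:
            self.findings.append("form posts to kit endpoint " + a["action"])

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:  # look for the known pixel ids inside inline scripts
            for pid, name in KNOWN_PIXEL_IDS.items():
                if pid in data:
                    self.findings.append(f"{name} id {pid}")


def fingerprint(html_text):
    """Return the list of kit indicators found in one page (empty if none)."""
    p = KitFingerprinter()
    p.feed(html_text)
    return p.findings


# Constructed sample page carrying every indicator the report describes.
SAMPLE_PAGE = """<html lang="zh"><head><meta name="robots" content="noindex, nofollow">
<script src="https://sdk.51.la/js-sdk.js"></script>
<script>ttq.load('D7S1RAJC77U07JNLHM3G'); fbq('init', '1147557470844988');</script>
</head><body><form action="/api/login" method="post"><input name="account">
<input name="password" type="password"></form></body></html>"""
```

Run `fingerprint()` over pages captured from a suspicious ticket site; a page that trips the pixel IDs or the 51.la SDK together with the kit endpoints is a strong match for this infrastructure.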
When the average fan realizes that spending thousands of dollars on a match ticket is impossible, they pivot their attention to apparel, seeking official national team jerseys. Attackers adapt immediately, deploying targeted credential harvesting frameworks aimed at sports retail giants.
Our intelligence team tracked an active, highly structured threat matrix designated as the RetailPhish campaign. This infrastructure impersonates brands like Nike, Adidas, Puma, and Marathon Sport across multiple languages and regions.
The campaign employs a multi-stage social engineering funnel distributed primarily via WhatsApp messages:
Stage 1 – Brand Lure: The victim receives a WhatsApp message linking to what appears to be an official brand promotion. The landing page mimics Adidas, Nike, Puma, or Marathon Sports branding and promises high-value World Cup 2026 merchandise, national team kits, football boots, or gift cards worth EUR 250–300, in exchange for a short "eligibility quiz."
Stage 2 – Viral Propagation: After completing the quiz, the page requires the victim to forward the link to multiple WhatsApp contacts before the prize can be "unlocked." This forced sharing mechanism turns each victim into an unwitting distributor, driving organic, trust-based propagation through personal contact networks.
Stage 3 – PII Harvesting: The victim is prompted to enter personal information, including full name, shipping address, phone number, and email, to "claim" the reward.
Stage 4 – Payment Trap: A nominal EUR 2 "shipping fee" is requested. This final step captures the full credit card number, expiration date, and CVV. According to the original report, the fine print often includes consent to recurring charges or subscription enrollments.
The pages include fabricated customer reviews and FAQ sections to reinforce perceived legitimacy, while the multi-language URL templating allows the same kit to target fans across Spain, Germany, Colombia, Portugal, France, England, Croatia, and Ecuador simultaneously.
This campaign demonstrates the operational sophistication of modern criminal networks. Rather than deploying amateur standalone pages, the threat actors leverage centralized registration infrastructure and CDN obfuscation to scale rapidly:
Because the registrar assigns these tokens per-account, the presence of identical values across nine independently registered domains is direct evidence that a single entity controls the entire infrastructure. This serves as the primary high-confidence attribution pivot for tracking the campaign's expansion.
Examples include paths like /CpnFuYZK/?adidas-equipacion-espana-mundial-2026.html and /JppXjvVN/?adidas-deutschland-fan-kit-2026.html.
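A matcher for that URL template, written as an added example (not code from the Zimperium report): the two quoted paths are the report's own, while the host names and the remaining URLs are constructed placeholders.

```python
"""Match the RetailPhish URL template: /<8 random chars>/?<brand>-<local slug>-2026.html
Added example, not code from the Zimperium report. The two quoted paths are from the
report; host names and the other sample URLs are constructed for illustration."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

BRANDS = ("adidas", "nike", "puma", "marathon")  # brands the report names
TOKEN_DIR = re.compile(r"^/(?P<token>[A-Za-z0-9]{8})/$")
SLUG = re.compile(r"^(?P<brand>%s)-(?P<slug>[a-z0-9-]+)-2026\.html$" % "|".join(BRANDS))


def classify(url):
    """Return host/token/brand/slug for a template match, else None."""
    parts = urlsplit(url)
    m_dir = TOKEN_DIR.match(parts.path)
    m_slug = SLUG.match(parts.query)  # the localised slug rides in the query string
    if not (m_dir and m_slug):
        return None
    return {"host": parts.hostname, "token": m_dir["token"],
            "brand": m_slug["brand"], "slug": m_slug["slug"]}


def group_by_host(urls):
    """Map each host to the sorted (brand, slug) variants it serves, which shows
    how one kit instance is templated across languages and national teams."""
    hosts = defaultdict(set)
    for url in urls:
        hit = classify(url)
        if hit:
            hosts[hit["host"]].add((hit["brand"], hit["slug"]))
    return {h: sorted(v) for h, v in hosts.items()}


# Constructed sample: the first two paths are quoted in the report, hosts are placeholders.
SAMPLE_URLS = [
    "https://kit-a.example/CpnFuYZK/?adidas-equipacion-espana-mundial-2026.html",
    "https://kit-a.example/JppXjvVN/?adidas-deutschland-fan-kit-2026.html",
    "https://kit-a.example/CpnFuYZK/?nike-maillot-equipe-de-france-2026.html",
    "https://www.adidas.com/us/world-cup-2026",        # legitimate, must not match
    "https://kit-b.example/abc/?puma-kit-2026.html",   # directory token too short
]

if __name__ == "__main__":
    for host, variants in group_by_host(SAMPLE_URLS).items():
        print(host, variants)
```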
An event spanning three countries requires an enormous logistical footprint: stadium staff, security personnel, translators, production technicians, and hospitality workers. Threat actors exploit this hiring wave by targeting individuals seeking temporary seasonal employment or event-day access credentials.
We identified four fraudulent career portals impersonating FIFA's official recruitment channels. All four domains use the page title "Jobs at FIFA | FIFA Careers" and replicate the visual language of FIFA's legitimate careers page to establish immediate trust.
The four domains share a common operational fingerprint:
While the initial three domains have been taken down or redirected to parking pages, fifajobs[.]com remains fully operational. Our static analysis of its JavaScript bundle reveals that this is not a traditional recruitment fraud campaign; it is a production-grade Adversary-in-the-Middle (AiTM) platform engineered for corporate Google Workspace account takeover.
Attack Flow
1. Booking Lure: The victim selects a job interest.
2. Credential Capture: Clicking "Continue with Google" renders a pixel-perfect clone of Google's sign-in page inside a simulated Chrome browser frame, complete with https://accounts.google.com/signin/v3/ displayed in the address bar.
The kit explicitly rejects personal email providers and displays the error message: "Please use your work or business email." Only corporate or custom-domain accounts are accepted, confirming that the operation targets enterprise environments, not individual consumers.
4. Session Hijack: Once MFA is satisfied, the backend captures the fully authenticated Google session. The victim sees a booking confirmation and never suspects compromise.
C2 Infrastructure
The backend server at fifeq2026eqbackeq.onrender[.]com (hosted on Render.com) was fully operational at the time of analysis.
API confirmed:
The World Cup 2026 is not merely a sporting event; it is a global social engineering accelerator. The three campaigns documented here share a common flow: leverage emotional urgency, brand trust, and mobile-first behavior to bypass both human judgment and traditional security controls.
What makes these threats particularly dangerous for enterprises is their delivery vector. These campaigns reach employees through personal channels (WhatsApp messages, SMS, social media, and organic search results), entirely outside the visibility of corporate network controls. A fan checking ticket availability or shopping for a jersey on their lunch break becomes an entry point when accessing a corporate resource from a compromised device.
Traditional perimeter defenses (domain blocklists, URL reputation databases, and corporate firewalls) are insufficient against this class of threats. The attackers rotate domains within days, hide behind CDN infrastructure, and distribute links through encrypted messaging channels that never touch enterprise networks. By the time a domain appears on a blocklist, the campaign has already moved to fresh infrastructure.
The domains and infrastructure documented in this report are detected and blocked by Zimperium's Mobile Threat Defense (MTD). Our on-device detection engine identifies phishing domains in real time, providing zero-day protection against newly registered infrastructure before it appears on any blocklist. Whether a link arrives via SMS, QR code, or browser, the threat is intercepted at the moment of interaction, before credentials are submitted or payment data is captured.
The IOCs for this campaign can be found in the following GitHub repository.