The Phishing Campaign Behind the Scams
With the FIFA World Cup 2026 set to kick off on June 11, security researchers and the FBI are warning about a surge in targeted fraud. Group-IB has identified over 4,300 fraudulent domains registered since August 2025, with a single group, referred to as GHOST STADIUM, operating a coordinated campaign across more than 300 of these sites. The operation uses a highly convincing phishing kit that copies FIFA’s official login page, including a cloned single sign-on interface that replicates genuine elements like the PingIdentity client ID. The fake pages even load images directly from FIFA’s servers to evade detection tools. Victims are asked to reset their passwords, which allows attackers to lock users out of their accounts and resell any tickets associated with them.
Impact and Scope of the Threat
The scale of the opportunity for fraudsters is enormous, with over 150 million ticket requests submitted for the tournament, leaving it roughly 30 times oversubscribed. The phishing campaign drives traffic primarily through Facebook ads, Telegram, WhatsApp, and search results. Once on the fake site, the payment process offers five different methods, including direct credit card entry, money transfer apps like Chime and Nequi, and a cryptocurrency conversion option. The crypto option is a strong red flag, as FIFA’s official ticketing system never accepts cryptocurrency, making it harder for victims to recover their funds after a transaction.
Source: The Hacker News
