1 of 2 – WEB THREAT SPOTLIGHT

Web Threat Spotlight A Web threat is any threat that uses the Internet to facilitate cybercrime.

Figure 1. FIFA-related spam run infection diagram

ISSUE NO. 65 JUNE 7, 2010

FIFA Spam Targets Football Fanatics Football season is definitely upon us. Football fanatics worldwide are all set to cheer for their teams and to proudly display their colors. Even the players are intensifying their training and solidifying their strategies. With just days left before the highly anticipated opening of the “Fédération Internationale de Football Association (FIFA) 2010 World Cup,” the world can expect that even cybercriminals will step up their game.

The Threat Defined Cybercriminals have long been leveraging sports events for their profiteering schemes. The list of such attacks include those related to the “2008 European Soccer Championships”; the Pacquiao-Clottey boxing match; the “2010 Vancouver Winter Olympics”; and the upcoming “2012 London Olympics,” spam for which made the inbox rounds four years before the actual event is even set to take place.

Riding on the popularity of sports events is a tried-and-tested technique that cybercriminals continue to use even now. The “2010 FIFA World Cup” is no exception. In January 2009, an early 2010 FIFA spam tried to trick recipients into believing they won an online sweepstakes draw. More recently, TrendLabsSM engineers encountered two separate spam runs leveraging the upcoming “2010 FIFA World Cup.”

Two Players, One Goal The first spam sample instructed users to open and view a .DOC file attachment to learn more about the supposed FIFA-organized “Final Draw” contest’s prizes. The file also informs the recipients about a US$550,000 prize that seven lucky winners will receive should their names be drawn. To claim their prizes, however, the “winners” must immediately coordinate with a releasing agent via the contact information indicated in the email. The said winners must also provide the requested data, which includes personally identifiable information (PII) such as their marital status, company name, email address, and full mailing address.

The second spam sample arrived with a .PDF file attachment, a poorly worded letter asking the recipients to divulge specific information in relation to a supposed fund transfer transaction worth US$10.5 million. Upon agreeing to the proposal, the recipients should supposedly get 30 percent of the said amount, reminiscent of the infamous 419 or Nigerian scam, which persuaded users to send cash in exchange for a larger amount of money in return for their cooperation.

The Laws of the Spamming Game Over the years, spammers have been refining their techniques and been resorting to a variety of social engineering tactics in order to trick users into clicking malicious links or into downloading malicious files. The most popular spamming techniques include sending out medical or pharmaceutical ads, holiday-related messages, bogus email notifications, and messages leveraging timely newsworthy events.

2 of 2 – WEB THREAT SPOTLIGHT

Web Threat Spotlight A Web threat is any threat that uses the Internet to facilitate cybercrime.

Despite ever-evolving tactics, however, spammed messages exist for one reason alone, that is, to further cybercriminals’ malicious schemes. The arrival of spammed messages in users’ inboxes alongside legitimate email messages increases the probability that the recipients would open even the malicious mail. Furthermore, the varying techniques spammers use to create malicious messages is an added challenge to users and security experts alike when classifying messages.

User Risks and Exposure The “2010 FIFA World Cup” is slated to open on June 11 in South Africa. Since this is the first time the games will be held on African soil, it can be expected that football fanatics—and possibly even other Africans remotely interested in the game—will constantly be on the lookout for news about the event. Add to this the fact that FIFA games are mostly well attended. This year’s event has an expected audience of 3 million international visitors and as many as 400 million live television viewers. While a good portion of these figures includes a chunk of the 265 million football players worldwide, it still cannot be denied that the “World Cup” does draw in a crowd.

Also noteworthy is the fact that the official “World Cup” site, fifa.com, has received a noticeable increase in hits beginning April. Based on the site statistics, the top search queries include “FIFA” and “world cup 2010”—the same keywords that spammers are using in related attacks. The numbers from Google Trends likewise show that interest in the phrase “world cup” has increased by three times over the 2010 average as of this writing.

With millions of fans actively searching the Internet for more information on the “World Cup,” it is no surprise that cybercriminals are likewise maximizing the Web to further their malicious activities. By consistently leveraging hot topics, cybercriminals are likewise ensuring the continued profitability of their schemes.

This widespread attraction increases the potential harm that spammed messages leveraging the event pose. These FIFA-related scams can already be considered part of football tradition, given the fact that they are a recurrent part of the threat—and even the football landscape. In fact, even FIFA has issued a warning that fans should be wary of email scams and Internet hoaxes.

While in both spam runs, the messages did not directly ask for cash, arrive with malware, or led to malicious sites, they did pose identity theft risks to users. By requesting PII from the recipients, users’ private information and security may be compromised.

Trend Micro Solutions and Recommendations Trend Micro™ Smart Protection Network™ infrastructure delivers security that is smarter than conventional approaches. Leveraged across Trend Micro’s solutions and services, Smart Protection Network™ combines unique in-the-cloud reputation technologies with patent-pending threat correlation technology to immediately and automatically protect your information wherever you connect.

In this attack, Smart Protection Network’s email reputation technology blocks all emails related to the spam runs. The following post at the TrendLabs Malware Blog discusses this threat: http://blog.trendmicro.com/latest-online-scam-targets-fifa-fans/ Other related posts are found here: http://blog.trendmicro.com/spam-buys-tickets-to-euro-2008/ http://blog.trendmicro.com/pacquiao-clottey-live-streams-lead-to-fakeav/ http://blog.trendmicro.com/search-for-“winter-olympics”-and-take-your-pick—fakeav-or-bogus-windows-media-player-updates/ http://blog.trendmicro.com/a-very-early-london-olympics-scam/ http://blog.trendmicro.com/scammers-attempt-to-score-through-the-fifa-world-cup/ http://www.419scam.org/emails/2009-06/30/00934224.4.htm http://blog.trendmicro.com/fake-pharma-ads-flood-inboxes-again/ http://blog.trendmicro.com/spammers-celebrate-mothers’-day/ http://blog.trendmicro.com/fake-it-email-notification-spreads-malicious-pdf/ http://blog.trendmicro.com/shanghai-expo-spam-carries-backdoor/ http://blog.trendmicro.com/category/spam/ http://www.southafrica.info/2010/worldcup-overview.htm http://www.goal.com/en/news/1863/world-cup-2010/2010/05/29/1947801/world-cup-viewing-figures-prove-that-this-really-is-the- http://www.fifa.com/worldfootball/bigcount/index.html http://www.alexa.com/siteinfo/fifa.com http://www.google.com/trends?q=World+Cup&ctab=0&geo=all&date=2010&sort=0 http://www.theregister.co.uk/2010/06/01/world_cup_net_threats/ http://www.fifa.com/worldcup/organisation/ticketing/authorisedticket.html