VYPR
Research · Published May 22, 2026 · Updated May 23, 2026 · 1 source

Fake FIFA World Cup Sites Target Soccer Fans with Phishing Kits and Typosquatting Domains

ESET researchers uncovered a network of fraudulent FIFA World Cup websites using typosquatting and phishing kits to steal money and personal data from fans seeking tickets and merchandise ahead of the 2026 tournament.

ESET researchers have uncovered a sprawling network of fake FIFA World Cup websites designed to steal money and personal data from soccer fans hunting for tickets and merchandise. The fraudulent sites closely mimic official sales portals, tricking victims into entering payment details and login credentials. The campaign, active ahead of the 2026 World Cup, leverages sophisticated phishing kits and typosquatting domains to lure unsuspecting users.

The attack vector relies on brand impersonation via lookalike domains that differ from the official FIFA site by just a few characters. For example, domains like "fifa-worldcup2026[.]com" or "fifaworldcuptickets[.]org" redirect users to pages that replicate the look and feel of legitimate FIFA ticket and merchandise stores. Once victims attempt to purchase tickets or merchandise, they are prompted to enter credit card numbers, billing addresses, and even login credentials for FIFA accounts.
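A defender-side check for the lookalike pattern described above, for triaging hostnames from proxy logs or new-registration feeds. It is an added example, not code from ESET or the original article. It assumes `fifa.com` is the only official registrable domain and uses a naive last-two-labels split instead of the Public Suffix List; the `.example` hosts in the sample are constructed.

```python
import re

OFFICIAL = {"fifa.com"}   # assumption: allowlist of official registrable domains
BRAND = "fifa"            # brand token to look for in hostnames

def refang(raw):
    """Undo common defanging ([.], hxxp) and strip scheme, path and port."""
    host = raw.strip().lower().replace("[.]", ".").replace("hxxp", "http")
    host = re.sub(r"^[a-z]+://", "", host)
    return host.split("/")[0].split(":")[0].rstrip(".")

def registrable(host):
    """Naive registrable domain: the last two labels (no Public Suffix List)."""
    return ".".join(host.split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance using two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(raw):
    """Return 'official', 'combosquat', 'typosquat' or 'unrelated'."""
    host = refang(raw)
    if registrable(host) in OFFICIAL:
        return "official"
    # Split on dots, hyphens and digits so "fifa-worldcup2026" yields "fifa".
    tokens = [t for t in re.split(r"[^a-z]+", host) if t]
    if any(BRAND in t for t in tokens):
        return "combosquat"   # brand embedded in a non-official domain
    if any(edit_distance(t, BRAND) == 1 for t in tokens):
        return "typosquat"    # one edit away from the brand token
    return "unrelated"

SAMPLE = [
    "fifa-worldcup2026[.]com",          # from the article
    "fifaworldcuptickets[.]org",        # from the article
    "https://www.fifa.com/en/tickets",  # constructed: official host
    "fiffa-tickets.example",            # constructed: one-character typo
    "fifa.com.login.example",           # constructed: brand in subdomain
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(f"{classify(entry):<11} {entry}")
```

Because the brand token is only four letters, the edit-distance rule also matches unrelated words one character away, so a `typosquat` result is a lead for review, not a verdict.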

ESET's analysis reveals that the phishing kits behind these sites are modular and include features such as real-time credential capture, payment form harvesting, and redirection to legitimate pages after data theft to avoid immediate suspicion. The kits are hosted on compromised web servers and use SSL certificates to appear trustworthy. The campaign appears to be automated, with new domains registered daily and indexed by search engines to attract organic traffic.

The impact is potentially massive, given the global popularity of the World Cup and the high demand for tickets. Fans who fall victim may suffer financial loss, identity theft, or account takeover. The stolen credentials could also be used for further fraud, including accessing other online services where victims reuse passwords. ESET warns that the campaign is likely to intensify as the tournament approaches, with attackers refining their techniques to evade detection.

No specific CVE is associated with this campaign, as it relies on social engineering rather than software vulnerabilities. However, the attack vector—brand impersonation via typosquatting and phishing kits—is well-documented and increasingly common for major events. ESET recommends that fans only purchase tickets and merchandise through official FIFA channels, verify URLs carefully, and enable multi-factor authentication on their accounts.

This campaign fits a broader pattern of cybercriminals exploiting major sporting events, including the Olympics and the Super Bowl, to defraud fans. The 2026 World Cup, co-hosted by the United States, Canada, and Mexico, presents a particularly large attack surface due to its scale and the influx of international visitors. Law enforcement and cybersecurity agencies are likely to ramp up takedown efforts, but the rapid proliferation of new domains makes complete eradication challenging.

For now, soccer fans are urged to remain vigilant and report suspicious websites to authorities. ESET's findings serve as a timely reminder that even the most anticipated events can be weaponized by cybercriminals, and that a healthy dose of skepticism is the best defense against these increasingly convincing scams.

Synthesized by Vypr AI