Co-Author: Ashish Diwakar
The next FIFA World Cup is scheduled to take place in June 2014 in Brazil, and phishers have already taken the opportunity to promote the event. World Cups are a favorite of phishers, as observed in the phishing sites focused on the 2010 FIFA World Cup and the 2011 Cricket World Cup. In September 2012, phishing sites spoofed a popular Brazilian credit and debit card company using the 2014 FIFA World Cup as bait.
The phishing sites were in Brazilian Portuguese. A number of the phishing sites featured Brazilian footballer Neymar da Silva. Phishers utilized a recently registered domain, hosted on servers based in Brazil, to create the phishing site.
A message given on the phishing page stated that the company offered $20,000 in prizes and a new car. It also offered zero billing charges on the customer’s card for exclusive trips taken to the 2014 FIFA World Cup in Brazil. Customers were prompted to register for the offer by entering their personal data and credit card details.
The personal data requested included the customer's:
- Name
- CPF (a number related to taxes in Brazil)
- Date of birth
- Email address
- Password
The credit card details requested included the customer's:
- Name on card
- Card number
- Card validation
- Security code
- Bank name
After the required information was entered, the phishing site acknowledged the registration with the message, “Congratulation, your registration was successfully completed. Record your protocol number for future reference: World Cup-277200662-2014”.
Subjects with a large fan following, such as celebrities, movies, television shows, and sporting events, are often featured by phishers. These subjects are targeted because phishers believe that a large audience will lead to more duped users. If customers fell victim to the phishing site, phishers would have successfully stolen their information for financial gain.
Internet users are advised to follow best practices to avoid phishing attacks:
- Do not click on suspicious links in email messages
- Do not provide any personal information when answering an email
- Do not enter personal information in a pop-up page or screen
- Ensure the website is encrypted with an SSL certificate by looking for the padlock, ‘https’, or the green address bar when entering personal or financial information
- Frequently update your security software (such as Norton Internet Security 2012), which protects you from online phishing