The hotly anticipated release of blockbuster video game FIFA 21 on Oct. 6, along with the return of professional play, is giving soccer fans reason to celebrate. And, unsurprisingly, cybercriminals are already figuring out how to capitalize.
A report from researcher Christopher Boyd at Malwarebytes Labs outlined the various ways scammers are tapping into the oversized audience of FIFA 21 to turn a quick buck, including leveraging in-game goods and rewards.
Soccer is the world’s most popular sport, drawing in an estimated 3.5 billion fans all over the globe. Bloomberg reported during the last World Cup that four out of 10 people in the world consider themselves to be fans of the game.
That enthusiasm extends to the blockbuster video gaming franchise, FIFA, named after the sport’s international rules organization. The brand is recognized by the Guinness Book of World Records as the top selling sports video game of all time, with more than 280 million copies of the game sold in at least 51 countries.
The fact that the pandemic has slowed down in-person play (while one of the sport’s brightest stars, Cristiano Ronaldo, tested positive for COVID-19 earlier this week) hasn’t done anything to deter people from immersing themselves in the “beautiful game.” And it’s exactly that devotion and online interest that cybercriminals are leveraging to trick fans into their traps.
In a blog post outlining his findings, Boyd explained that fraudsters are finding an easy hunting ground through a game mode called FIFA Ultimate Team (FUT).
Within this mode, players can earn “coins” which are used within the game to buy “cards,” which Boyd described as “the lifeblood of the game.”
Phishing page example. Source: Malwarebytes
“So far, so good…and essentially harmless,” he continued. “Unfortunately, the monetized aspects of the game away from the screen contributes to scammers wanting a piece of the action.”
He pointed out there’s something called “FIFA points,” which can be bought with real-life money within the game and from legit third parties. This is exactly the type of scenario that tends to grab the attention of fraudsters, he said.
Making matters worse, the gaming environment itself is designed and intended to entice players to want to advance, which ratchets up the player’s coin craving, increasing their vulnerability to scams, Boyd added.
“Anything tied up in real-world cash immediately offers several inroads to fakery,” he said. “Arguments against this style of monetization are also compelling. Desperation for coins/points means potentially being more susceptible to scams.”
Crooks stand up fake coin “gift generators” and scam “rewards” delivered through banner ads, social-media posts, customer-service interventions and direct messages (DMs) — all designed to get players to unwittingly enter in their personal data in order to claim their prizes. Information harvested can include name, address, login credentials and more. Regardless of how players are contacted with the fraudulent offers, all roads lead to phishing pages or some other malicious gambit.
Boyd addressed these nefarious attempts to coax information from users, particularly through DMs. “Whatever they claim, rest assured it’s all going to be nonsense,” he warned. “Nobody should ever ask for login credentials, and especially not in such casual fashion. All attempts sent your way should be blocked and reported on your platform. This will help to keep other people safe, too.”
But before grown-ups dismiss these scams as something only kids would be vulnerable to, parents need to also be mindful of these types of fraud. Boyd explained that because parents are usually in charge of making purchases for in-game coins, that can mean accessing a portal from several email accounts.
“Those accounts may also require several steps of authentication to login,” Boyd said. “Eventually, some parents will simply drop some security features in order to make things less of a hoop-jumping exercise.”
Of course, this isn’t new; criminals have been launching attacks using FIFA for cover for years. In 2018, the FIFA World Cup inspired massive spikes in both phishing attempts and spam, often using lures like Ronaldo and his counterpart at FC Barcelona, Lionel Messi. The mega, worldwide event and its enthusiastic fans even kicked off phishing attempts on travel organizations like Booking.com and Alaska Airlines, which saw a jump in traffic in the runup to the tournament.
Soccer and its enormous crowd of deeply committed fans will continue to motivate scammers to try and take advantage. But awareness is the best way that FIFA fans can keep themselves, and their data, safe.
As Boyd put it, “Every small step you make towards keeping scammers out, makes it harder for them to score the winning goal.”