Fact: large sporting events spark a lot of attention. And nothing more so than the World Cup. Fans go wild, questionable football puns dominate the headlines, and pretty much every product you’ve ever bought releases a ‘FIFA World Cup 2018’ edition.
As 32 nations geared themselves up for the tournament that kicked off last week, thousands of hackers and scammers are aiming to score a victory of their own – tricking unsuspecting fans into parting way with their cash or personal data. And what better event to cash in on than the most popular fixture in the sporting calendar. An event so emotive that it brought grown adults to tears after the dramatic 2014 semi-final.
So what tricks have scammers got in store for you this year and what mobile attacks should you be wary of? Security researchers at Wandera are most concerned about mobile phishing, and here’s why.

Hackers know that in the excitement of the moment, otherwise cautious internet users will neglect security best practices in order to stream a game, make a bet or download an app that gets them closer to the actionSantiago Torres, Senior Mobility Specialist at Wandera

 Bet on being phished this World Cup

Everyone likes to win. So much so an entire industry has been crafted around it. The gambling market is so huge, that it’s expected to yield more than $500 billion dollars globally by the end of this year. As a result, the use of mobile gambling applications has grown exponentially. To the point where it’s now possible to play a game of poker, place a quick bet or check the odds on a sporting event from almost any location in the world. All that you need is a device, a bank account and an internet connection. However, security researchers at Wandera have noted that malicious groups are exploiting this popularity within their phishing campaigns.

Picture this…

You have two minutes until the game starts. You’ve just discovered that Belgium’s Courtios got injured in training and Brazil might have more of a chance than first expected. There’s only 120 seconds left to make a bet and odds are pretty good if you get it in before kickoff. You notice an ad from BetFair popup advertising cash back when you place a bet in the next 24 hours and you take it as a sign. Below is an example of a live phishing attack that Wandera’s machine intelligence and analytics engine, MI:RIAM, detected within its global network of devices.
Full of trepidation you click through on the email and are taken through to their mobile site to login to your account. Everything seems fine, you tap in your card details and voila, it’s done.
betfair phishing.
Except wait – it doesn’t take you through the usual confirmation page. Instead, it lingers on a payment page which doesn’t really go anywhere. On closer inspection you realised that you scored an own goal – you just got phished. The attacker now has your login and password (which you may use for other sites) and all your card details.
Campaigns impersonating legitimate gambling companies are a deception technique for attackers as they capitalize on the fact that your guard is likely to be down. And then hit you where it hurts. The problem is so bad that even BetFair themselves have created a video teaching their users how to stay safe online. 
Below are the top five gambling brands impersonated within our network, from a sample of phishing target pages MI:RIAM analyzed and blocked from the month of May 2018. The research also brought to light that the number of new phishing target pages imitating the gambling sector increased by 67% from May to June 2018.

world cup scams, the number of new phishing gambling pages created by week.

The growth of mobile phishing

Mobile phishing is the number one threat facing organizations right now. And the number of attacks have exploded in the past few years with a new target page being created every 20 seconds. That’s over 4,000 fresh new phishing pages being created each day, on top of the large numbers of phishing sites already in circulation. Why are these numbers so high?
Firstly, it’s easier for an attacker to exploit a person via a phishing attack, than it is to exploit the relatively robust mobile operating systems – especially iOS. Most web traffic now happens on mobile. Therefore it doesn’t come as a shock that hackers use this to their advantage by crafting attacks specific to a mobile platform. Mobile devices have smaller screens and feature a number of visual shortcuts, meaning spotting suspicious URLs or malicious senders is far more difficult than on desktop. Users are also more distracted and vulnerable on mobile devices due to their portable nature and inherently personal feel.

How to protect yourself from mobile phishing

As you can see, these fake sites are very convincing. However, there are a number of things you can do to secure yourself online. Part of the issue is education, and part of it is infrastructure. Take our phishing quiz to see how you fare against the fakes.
Wandera’s threat detection technology monitors and blocks traffic in transit, blocking phishing attacks wherever they originate – including in apps like WhatsApp or Facebook and in the browser. Unlike app-centric solutions, it doesn’t have to be open on the device and doesn’t rely on updates to keep users safe from the latest threats.

To learn more about the complex world of mobile phishing and how to defend against threats within your organization, get in touch with one of our mobility experts today.

Learn more about phishing on mobile:

Zero-day phishing powered by MI:RIAM
Top 5 phishing TLDs
How hackers are using phishing to bypass two-factor authentication
Call Me Maybe: iOS Suggested Contacts feature can be used to phish
[text-blocks id=”mobile-phishing-report-2018″]