Chinese‑Speaking Phishing Campaign Clones FIFA Site, Targets 2026 World Cup Ticket Buyers
What Happened — A fraud group dubbed “GHOST STADIUM” operates more than 300 active domains that mimic FIFA’s official ticketing portal. The sites harvest login credentials and payment data from fans seeking 2026 World Cup tickets, and also sell counterfeit tickets, streaming services, and unlicensed gambling. Researchers estimate potential losses of $71 million‑$474 million from premium‑ticket fraud alone.
Why It Matters for TPRM —
- Credential theft can compromise downstream partners (payment processors, ticket distributors).
- Fraudulent domains damage brand reputation and may expose your organization to legal liability.
- The scale of the operation shows how quickly a supply‑chain of ticket‑related services can be weaponized.
Who Is Affected — Sports & entertainment ticketing platforms, payment gateways, hospitality providers, and any third‑party services integrated with FIFA’s ticketing ecosystem.
Recommended Actions —
- Verify that all ticket‑sale and payment URLs used by your vendors are on an approved whitelist.
- Implement multi‑factor authentication and monitor for credential‑reuse alerts.
- Conduct phishing‑simulation training for staff and customers handling ticket purchases.
- Review contracts for fraud‑risk clauses and ensure incident‑response procedures cover credential‑compromise scenarios.
Technical Notes — The phishing kit is built with the Layui 2.7.6m UI library and replicates FIFA’s authentication flow, silently redirecting users back to the legitimate site after credential capture. Shared SSL certificates and identical Meta‑Pixel IDs link the entire domain network to a single Facebook ad account, indicating coordinated advertising. No known CVE is involved; the attack relies on social engineering and UI cloning.
Source: The Record – Chinese‑speaking fraud gang could be stealing millions from 2026 World Cup fans