World Cup 2026: Early Kickoff for Phishing and Banking Trojans
Just saw the latest advisory regarding the wave of FIFA World Cup 2026 scams. It’s barely June and we're already seeing thousands of lookalike domains and credential harvesting kits hitting the wild. The report highlights banking trojans embedded within pirate streaming apps—a classic social engineering vector that still works alarmingly well.
From a defensive standpoint, this is a nightmare for brand protection and endpoint security. The attackers are cloning the official FIFA login pages with high accuracy, making standard visual phishing detection difficult. We've started blocking access to unauthorized streaming categories at the proxy level, but the mobile side is tricky with sideloaded APKs.
For those hunting for these domains, simple fuzzy matching might not catch the homograph attacks (IDN). Here is a quick Python snippet to help flag potential mixed-script domains in your logs or blocklists:
import unicodedata

def detect_mixed_script(domain):
    """True if the letters in `domain` come from more than one Unicode script."""
    scripts = set()
    for char in domain:
        if char.isalpha():
            name = unicodedata.name(char, '')
            script = name.split(' ')[0]  # Extracts 'LATIN', 'CYRILLIC', etc.
            scripts.add(script)
    return len(scripts) > 1

# Example check on a suspicious domain
suspicious = "fifa-worIdcup.com"  # Capital I for l is the same script, so this one is NOT flagged
if detect_mixed_script(suspicious):
    print(f"ALERT: Mixed script detected in {suspicious}")

# A Cyrillic 'а' (U+0430) inside an otherwise Latin label is what this check catches
suspicious = "fif\u0430-worldcup.com"
if detect_mixed_script(suspicious):
    print(f"ALERT: Mixed script detected in {suspicious}")
Are you guys seeing specific IOCs for the banking malware families yet, or is it just a mix of the usual suspects like ERMAC or Xenomorph?
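Added example (not from the original post): the mixed-script check above misses same-script lookalikes such as the capital I in "worIdcup", so this version also folds a confusable "skeleton" of each label and compares it against a brand watch list, decoding punycode labels first. The CONFUSABLES map, MULTI_CONFUSABLES digraphs and BRANDS tuple are constructed for this example, not the full Unicode confusables table.

```python
import unicodedata

# Constructed lookalike map (a small subset, not the full Unicode confusables
# table): folds same-script and cross-script confusables onto one Latin letter,
# so "worIdcup", "wor1dcup" and a Cyrillic-spelled label all become "worldcup".
# Deliberately case-sensitive: capital I is the lookalike, lowercase i is not.
CONFUSABLES = {
    "I": "l", "1": "l", "|": "l", "0": "o",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic a e o r
    "\u0441": "c", "\u0443": "y", "\u0445": "x",                 # Cyrillic s u h
}
MULTI_CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d"}
BRANDS = ("fifa", "worldcup")  # constructed watch list of protected brand terms

def skeleton(label):
    """NFKC-normalise, fold single-char confusables, lowercase, fold digraphs."""
    folded = "".join(CONFUSABLES.get(ch, ch)
                     for ch in unicodedata.normalize("NFKC", label)).lower()
    for seq, rep in MULTI_CONFUSABLES.items():
        folded = folded.replace(seq, rep)
    return folded

def scripts_in(label):
    """Unicode script prefixes (LATIN, CYRILLIC, ...) of the letters in a label."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0]
            for ch in label if ch.isalpha()}

def assess_domain(domain):
    """Return findings as dicts with 'label', 'kind' and 'detail' keys."""
    findings = []
    for raw in domain.strip(".").split("."):
        label = raw
        if raw.lower().startswith("xn--"):  # punycode: inspect the Unicode form
            try:
                label = raw.encode("ascii").decode("idna")
            except UnicodeError:
                findings.append({"label": raw, "kind": "bad-punycode", "detail": raw})
                continue
        scripts = scripts_in(label)
        if len(scripts) > 1:
            findings.append({"label": label, "kind": "mixed-script",
                             "detail": ",".join(sorted(scripts))})
        sk = skeleton(label)
        for brand in BRANDS:
            # brand visible only after folding => lookalike, not the literal name
            if brand in sk and brand not in label.lower():
                findings.append({"label": label, "kind": "confusable-brand",
                                 "detail": brand})
    return findings
```

Run `assess_domain()` over each newly registered or proxied domain; a literal brand match (e.g. "worldcup-tickets.com") is deliberately not reported here, only lookalikes that need folding to reveal the brand.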
We've caught a few samples attempting to drop Xenomorph via modified streaming apps. Our heuristic blocking on 'unverified sources' has spiked 300% this week alone. Beyond the endpoint, we're also seeing a ton of SEO poisoning pushing these fake ticket sites.
The login page cloning is the real threat here. Visually, they are near-perfect replicas. We are relying heavily on FIDO2 enforcement to mitigate credential harvesting. If the site doesn't support WebAuthn, we flag it as high-risk for our users.
Good call on the homograph check. We are also using a KQL rule in Sentinel to monitor for suspicious registry activity associated with these Android trojans if users bridge their phones:
DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryKey contains "AndroidDebugBridge" or RegistryKey contains "ADB"
| project DeviceName, RegistryKey, InitiatingProcessAccountName