{ "type": "Domain", "indicator": "fifa-com.one", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/fifa-com.one", "alexa": "http://www.alexa.com/siteinfo/fifa-com.one", "indicator": "fifa-com.one", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4371624291, "indicator": "fifa-com.one", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 1, "pulses": [ { "id": "6a0f2fccc0c8a843cba4d859", "name": "The World Cup Fraud Infrastructure is Nearly Three Times Larger Than We First Reported", "description": "The expanded investigation into World Cup phishing infrastructure has revealed a significantly larger and more complex web of fraudulent domains than previously reported. Initially, 79 domains were identified, but further research has expanded that count to at least 222 domains operating across 203 unique IP addresses, which marks an increase of approximately 2.8 times in domain numbers and over 14 times in hosting footprint. The campaign is characterized by at least four separate operator clusters, indicating a distributed network of cybercriminals rather than a single, centralized threat actor.", "modified": "2026-05-21T16:16:12.754000", "created": "2026-05-21T16:16:12.754000", "tags": [ "world cup", "april", "flare", "march", "strong", "flare academy", "cloudflare", "email", "read", "flare platform", "first", "fraud", "spaceship", "demo", "mexico", "footprint", "february" ], "references": [ "https://flare.io/learn/resources/blog/world-cup-fraud-infrastructure-three-times-larger-than-original-reporting" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1588.002", "name": "Tool", "display_name": "T1588.002 - Tool" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 4, "IPv4": 5, "domain": 18 }, "indicator_count": 27, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "9 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://flare.io/learn/resources/blog/world-cup-fraud-infrastructure-three-times-larger-than-original-reporting" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 1, "pulses": [ { "id": "6a0f2fccc0c8a843cba4d859", "name": "The World Cup Fraud Infrastructure is Nearly Three Times Larger Than We First Reported", "description": "The expanded investigation into World Cup phishing infrastructure has revealed a significantly larger and more complex web of fraudulent domains than previously reported. Initially, 79 domains were identified, but further research has expanded that count to at least 222 domains operating across 203 unique IP addresses, which marks an increase of approximately 2.8 times in domain numbers and over 14 times in hosting footprint. The campaign is characterized by at least four separate operator clusters, indicating a distributed network of cybercriminals rather than a single, centralized threat actor.", "modified": "2026-05-21T16:16:12.754000", "created": "2026-05-21T16:16:12.754000", "tags": [ "world cup", "april", "flare", "march", "strong", "flare academy", "cloudflare", "email", "read", "flare platform", "first", "fraud", "spaceship", "demo", "mexico", "footprint", "february" ], "references": [ "https://flare.io/learn/resources/blog/world-cup-fraud-infrastructure-three-times-larger-than-original-reporting" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1588.002", "name": "Tool", "display_name": "T1588.002 - Tool" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 4, "IPv4": 5, "domain": 18 }, "indicator_count": 27, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "9 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "fifa-com.one", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "fifa-com.one", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780204300.1750863 }