Cybersecurity firm warns of ‘Chinese-origin’ FIFA World Cup ticket scam capable of intercepting OTPs

Football fans warned of ticket scam that can intercept OTPs and steal card details

Singaporeans hoping to catch the FIFA World Cup 2026 in person are urged to be extra cautious when buying tickets online.

Cybersecurity researchers have uncovered a scam designed to steal payment information and bypass security checks.

The operation uses fake FIFA ticketing websites that closely resemble the real thing.

These sites are even furnished with tournament news, match schedules, shopping carts, and payment pages.

According to a report by cybersecurity firm CloudSEK, the scam goes beyond traditional phishing attempts.

It allows criminals to monitor victims’ actions in real time, capture payment card details, and potentially intercept one-time passwords (OTPs) used for authentication.

Fake FIFA websites made to look convincing

Researchers identified at least 40 websites impersonating FIFA World Cup 2026 ticketing pages.

Some featured realistic ticket listings, including tickets purportedly for the tournament’s opening ceremony, complete with pricing, seating information and payment options such as Visa, Mastercard, American Express, PayPal, and Apple Pay.

The websites also displayed reassuring messages such as “Secure checkout” and used branding that closely mirrored FIFA’s official website.

CloudSEK said the sites appeared designed to exploit the urgency surrounding ticket sales, particularly as fans search online and through social media for tickets and travel packages.

Scam can reportedly capture OTPs in real time

What makes this scam particularly concerning is its reported ability to intercept OTPs.

Instead of merely collecting card details, researchers said the platform functions as a real-time “man-in-the-middle” phishing system.

The fraudulent websites allegedly track users throughout the checkout process, capturing card numbers, expiry dates and CVV codes while also monitoring whether victims proceed to OTP verification pages.

CloudSEK’s report states that the system appears capable of relaying OTPs entered by victims.

This potentially allows scammers to complete transactions or gain access to accounts protected by SMS-based two-factor authentication.

For everyday users, this means that even receiving an OTP request does not necessarily mean a transaction is safe if the entire purchase journey is taking place on a fraudulent website.

The CloudSEK report also showed live card-skimming records, supposedly from the data centre of these scam sites.

Social media users may be especially vulnerable

The report found that much of the traffic to the scam sites appeared to come through social media platforms.

Facebook accounted for an estimated 60% to 65% of observed visits, while Instagram contributed roughly 15%.

Researchers warned that links appearing in social media posts, advertisements, or direct messages may direct users to fake ticketing websites that look almost identical to legitimate FIFA pages.

Victims were observed across multiple countries, including the United States, Australia, Canada, Germany, South Korea, and Hong Kong.

Report points to Chinese-language infrastructure

CloudSEK’s researchers said several indicators suggested the operation was linked to Chinese-speaking operators.

These included administrative systems displayed entirely in Simplified Chinese, repeated access from China-based IP addresses and internal naming conventions within the scam infrastructure.

The report referred to the scammers as “Chinese Origin Threat Actors” and said that the likely origin of the threat actor was “China (PRC)”.

However, the report noted that attribution is not definitive and warned that the use of proxies or other methods could complicate efforts to identify those behind the operation.

How Singaporeans can protect themselves

With demand for World Cup tickets expected to remain high, cybersecurity experts urge extra caution.

Fans should be wary of websites with unusual web addresses, especially those containing variations of “FIFA” that differ from the official domain.

They should also avoid clicking on ticketing links shared through social media posts or messages without first verifying their authenticity.
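
The advice about web addresses containing variations of “FIFA” can be expressed as a link check that a mail filter, browser extension or help desk script could apply. This is an added example, not code from the article or the CloudSEK report; it assumes the official domain is fifa.com, and the sample URLs are constructed under the reserved .example TLD.

```python
from urllib.parse import urlsplit

# Assumption: the official registrable domain is fifa.com. The article only
# says "the official FIFA website"; adjust the allowlist to your own policy.
OFFICIAL_DOMAINS = {"fifa.com"}
BRAND = "fifa"
# A few character swaps seen in lookalike hostnames (constructed, not exhaustive;
# internationalised homoglyph domains are out of scope for this sketch).
SWAPS = str.maketrans({"1": "i", "l": "i", "4": "a"})


def is_official_host(host):
    """True only for an allowlisted domain or a true subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def classify_ticket_url(url):
    """Return 'official', 'suspicious' or 'unrelated' for a ticketing link."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return "suspicious"          # malformed authority section
    if not host:
        return "suspicious"          # not an absolute URL, cannot be verified
    if is_official_host(host):
        return "official" if parts.scheme == "https" else "suspicious"
    # The brand appearing anywhere in the authority (userinfo included) of a
    # non-official host is the "variation of FIFA" pattern the article describes.
    authority = parts.netloc.lower().translate(SWAPS)
    return "suspicious" if BRAND in authority else "unrelated"


# Constructed sample links; none of these come from the report.
SAMPLES = [
    "https://www.fifa.com/en/tickets",
    "http://www.fifa.com/en/tickets",
    "https://fifa.com.ticket-sale.example/checkout",
    "https://fifa.com@ticket-sale.example/",
    "https://f1fa-worldcup26.example/",
    "https://notfifa.com/",
    "https://stadium-tours.example/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{classify_ticket_url(link):10}  {link}")
```

The check compares the parsed hostname against the allowlist with a leading-dot boundary, so a host that merely starts or ends with the official name is not treated as official.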

CloudSEK researcher Gagan Aggarwal said the campaign demonstrates how cybercriminals are increasingly exploiting major global events.

“The threat is no longer limited to fake ticket listings or basic phishing pages,” he said.

“We are now seeing full checkout impersonation, live victim tracking, card skimming and OTP interception capabilities being combined into one operational platform.”

As football fever builds ahead of the World Cup, fans may want to double-check where they are buying tickets from before entering their card details.

Researchers advise buying tickets only through the official FIFA website and being “extremely wary” of FIFA ticket links shared via Facebook or Instagram.
