As a cloud of uncertainty still hangs over the opening of the Tokyo 2020 Olympics due to the Coronavirus pandemic, cybercriminals are still working (remotely) on finding ways to profit maliciously from the event.
Events at the center of global attention, such as major sports events and tournaments, are often used by attackers as lures for phishing scams, malware campaigns and the theft of personal and payment details.
We have been monitoring potential threats to the upcoming Tokyo 2020 Olympics for our customers and we recently discovered two suspicious domains allegedly selling tickets for the Games. In both cases, further investigation led us to find additional suspicious domains allegedly selling tickets to the Euro 2020 tournament. In this blog post you can find a summary of our findings.
The domain tickets-tokyo2020[.]com was created on February 11, 2020 by a private registrant at the NICENIC INTERNATIONAL GROUP domain registrar.
When accessing the domain, the user is presented with a page in Russian displaying the official logo of the 2020 Tokyo Olympics. The page also states that the website is an “authorized Ticket Reseller” for the Olympics. However, we could not find this domain in the list of authorized resellers on the official website of the 2020 Olympics. The user can switch the website to English, and the website contains search fields where the user can look up a specific Olympic event for which they want to purchase tickets. At the time of publishing this post, the search option does not appear to function, so it is possible the website is still under development. There is also a “cart” banner where the user is supposed to be able to view the selected tickets and pay for them.
This domain is hosted on the 5.45.72[.]40 IP address, together with only two more domains: ticket-mafia[.]com and euro-2020-tickets[.]com. The ticket-mafia[.]com domain was created in November 2016 and, until December 20, 2019, it was registered by a private registrant at the GoDaddy domain registrar. On December 20, 2019, its registration was updated by a private registrant and moved to the same registrar as the tickets-tokyo2020[.]com domain, NICENIC INTERNATIONAL GROUP.
The ticket-mafia[.]com domain displays a login page in Russian. It is worth mentioning that when accessing the tickets-tokyo2020[.]com domain over HTTPS (https://tickets-tokyo2020[.]com), we were presented with the same login page as ticket-mafia[.]com. There is no option to sign up, and therefore we believe it is designed for a user with preset login credentials, presumably the admin of the websites. We estimate that the login page leads to a backend dashboard of some kind, although it remains unknown whether it is used for legitimate purposes or not.
The euro-2020-tickets[.]com domain was created on January 6, 2020, by a private registrant and is also registered at the NICENIC INTERNATIONAL GROUP domain registrar. This website resembles tickets-tokyo2020[.]com: it is also presented in Russian and uses the official UEFA Euro 2020 logo, it lets the user switch the language to English, and it allows users to search for a specific match. However, in this case the search function does work. Upon selecting a match and a seat, the user can select the “order” function, enter their name, phone number and email address, and move on to the payment, yet the “Go to the payment” button does not work as of the time of publishing this post. Of note, the official UEFA Euro 2020 website specifically states that “Third-party ticketing websites and secondary ticketing platforms are not authorized to sell tickets for UEFA EURO 2020”. Thus, it appears this website is not an official Euro 2020 ticket reseller and is not authorized to offer tickets for the tournament for sale.
In light of these findings, we estimate that the above domains were created by the same actor. Our investigation did not reveal any malicious activity associated with these domains. However, it appears that these are not official resellers of tickets for the two events. In addition, as the search function in the Tokyo 2020 domain and the payment function in the Euro 2020 domain do not work, it appears that these domains are still under development, and thus could materialize into a more serious threat in the future.
The code of a malicious HTML file recently uploaded to the VirusTotal platform contained a link to the olympic2020tickets[.]com domain. This domain does not appear on the official website of the Tokyo 2020 Olympics as an official and authorized reseller. The website offers users the option to buy or sell tickets to the 2020 Tokyo Olympics. The website also displays the logos of some of the Olympics’ official sponsors, such as Toyota, Panasonic, Visa, Alibaba Group, and more. The use of the sponsors’ logos can increase the credibility of the website in the eyes of visitors and trick them into thinking the website is a legitimate and official ticket reseller for the Games.
None of the Whois details of the three domains reveal the identity of the registrant. However, we noticed that two of the domains, olympic2020tickets[.]com and ticketsmarketplace[.]co.uk, are hosted on the same IP address, 126.96.36.199, while eurosportstickets[.]com is hosted on the nearby 188.8.131.52 IP address.
Using the graph function of VirusTotal, we managed to establish connections between the three domains and the IP addresses they are hosted on, as can be seen below. The graph also shows how this infrastructure is related to malicious activity, and how both IP addresses are used for downloading malware, such as the Tofsee backdoor, the Artemis malware or the QRat.
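The infrastructure pivoting used above (grouping domains that share a hosting IP, and checking whether a shared registrar corroborates the link) can be automated over passive-DNS and Whois data. The following is an added example, not code from the original post; its records are constructed from the domains, IPs and registrars named in this post, with the registrar of the second group marked "unknown" because the post does not give it.

```python
from collections import defaultdict

def refang(value: str) -> str:
    """Convert report-style 'example[.]com' to a plain 'example.com'."""
    return value.replace("[.]", ".")

# Constructed sample records (values as reported in this post; "unknown" where it gives none).
RECORDS = [
    {"domain": "tickets-tokyo2020[.]com", "ip": "5.45.72[.]40", "registrar": "NICENIC INTERNATIONAL GROUP"},
    {"domain": "ticket-mafia[.]com", "ip": "5.45.72[.]40", "registrar": "NICENIC INTERNATIONAL GROUP"},
    {"domain": "euro-2020-tickets[.]com", "ip": "5.45.72[.]40", "registrar": "NICENIC INTERNATIONAL GROUP"},
    {"domain": "olympic2020tickets[.]com", "ip": "126.96.36[.]199", "registrar": "unknown"},
    {"domain": "ticketsmarketplace[.]co.uk", "ip": "126.96.36[.]199", "registrar": "unknown"},
    {"domain": "eurosportstickets[.]com", "ip": "188.8.131[.]52", "registrar": "unknown"},
]

def group_by(records, key):
    """Map each distinct value of `key` to the set of (refanged) domains carrying it."""
    groups = defaultdict(set)
    for rec in records:
        groups[refang(rec[key])].add(refang(rec["domain"]))
    return dict(groups)

def ip_clusters(records):
    """Connected components where an edge means 'hosted on the same IP'.

    Registrar is deliberately not an edge: a large registrar serves millions of
    unrelated domains, so it corroborates a cluster but does not form one.
    """
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x
    for domains in group_by(records, "ip").values():
        root = min(domains)
        for d in domains:
            parent[find(d)] = find(root)
    comps = defaultdict(set)
    for d in parent:
        comps[find(d)].add(d)
    return sorted((sorted(c) for c in comps.values()), key=lambda c: c[0])

def shared_pivots(records, a, b):
    """Attributes ('ip', 'registrar') that domains a and b share; 'unknown' never matches."""
    recs = {refang(r["domain"]): r for r in records}
    ra, rb = recs[refang(a)], recs[refang(b)]
    return {k for k in ("ip", "registrar") if ra[k] == rb[k] and ra[k] != "unknown"}
```

On real data, weight an IP edge by how many domains the IP hosts: three domains on one address, as with 5.45.72[.]40, is a far stronger link than thousands on a shared hosting node.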