ctipilot.ch

Ghost Stadium PhaaS

campaign · campaign:ghost-stadium-phaas-300-fifa-domain-clones-eu-fan-credentials

Ghost Stadium PhaaS — 300+ FIFA domain clones targeting EU fans

Coverage timeline: 2 appearances, first 2026-05-30 → last 2026-06-01
Entries: 2 (2 distinct days)
Sources cited: 8 (8 hosts)
Sections touched: 2 (active-threats, weekly-looking-ahead)
Co-occurring entities: 1 (see Related entities below)

Story timeline

  1. 2026-06-01 · weekly-looking-ahead · Looking ahead — 2026-W23
  2. 2026-05-30 · active-threats · Ghost Stadium PhaaS — 300+ FIFA domain clones, multi-language fake SSO, targeting UK/Germany/Portugal/Spain fan credentials before June 11 kickoff

Where this entity is cited

  • active-threats: 1
  • weekly-looking-ahead: 1

Source distribution

  • bankinfosecurity.com: 1 (12%)
  • bleepingcomputer.com: 1 (12%)
  • cpomagazine.com: 1 (12%)
  • helpnetsecurity.com: 1 (12%)
  • ic3.gov: 1 (12%)
  • keycloak.org: 1 (12%)
  • ncsc.admin.ch: 1 (12%)
  • rapid7.com: 1 (12%)

Related entities

Entries about Ghost Stadium PhaaS (2)

2026-06-01

Looking ahead — 2026-W23

notable outlook discovered 2026-06-01 05:00 UTC

A focused, justified list — not predictions, but items already in motion.

  • June 10 — Patch Tuesday: Chaotic Eclipse patches expected; researcher promises a "big surprise" the same day. YellowKey (CVE-2026-45585, BitLocker bypass via WinRE autofstx.exe), GreenPlasma (CTFMON SYSTEM escalation), and MiniPlasma (CVE-2020-17103, cldflt.sys Cloud Filter LPE) remain unpatched as of 7 June. Microsoft is expected to patch some or all in the June cumulative update. The Chaotic Eclipse researcher has explicitly promised a new disclosure to coincide with June Patch Tuesday — prepare for a simultaneous patch-and-new-zero-day drop. Pre-stage: verify YellowKey mitigation applied (WinRE autofstx.exe removal script or TPM+PIN BitLocker enforcement); monitor Microsoft MSRC on 10 June. (Help Net Security forecast; CPO Magazine)
  • June 11 — CRA notifying-authority deadline AND FIFA World Cup kickoff. The first hard CRA milestone (§8) and the peak Ghost Stadium PhaaS threat arrive simultaneously. Ghost Stadium — a Chinese-speaking PhaaS operation active across 4,300+ fraudulent FIFA domains — has already claimed an estimated 47,000 victims and up to $1 billion in losses ahead of the kickoff (BankInfoSecurity, 2026-06-05; FBI IC3 PSA260527). The SSO-clone technique replicates PingIdentity login flows — corporate SSO credentials are at risk if employees mistake a sponsored-search-result phishing portal for an enterprise login. Defenders: add FIFA-themed domain alerts to email-gateway and DNS-filtering, block fifa.com typosquats at the proxy, and brief staff on avoiding paid/sponsored results for sports ticket purchases.
  • June 15–17 — G7 Évian summit: pre-stage DDoS mitigations now. NCSC-CH expects hacktivist disruptive cyberspace operations on each summit day, following the NoName057(16) pattern from Bürgenstock 2024 (NCSC-CH). Organisations in the Geneva–Vaud corridor and Swiss federal/cantonal SOCs should verify DDoS mitigation playbooks, review MFA on customer-facing identity providers, and rotate administrative credentials before the event window.
  • Gogs argument-injection RCE: still unpatched, Metasploit module public, 319 European instances exposed. The Rapid7-discovered pull-request-merge argument injection flaw remains unpatched; the Gogs maintainer has been silent since acknowledging receipt on 28 March. The Metasploit module availability means this will appear in opportunistic scan-and-exploit campaigns. Any internet-facing Gogs instance should have open registration disabled and the "Rebase before merging" strategy restricted to trusted owners. (Rapid7)
  • Keycloak 26.6.3 rollout: CVE-2026-9704 token-exchange priv-esc and CVE-2026-4874 SSRF are immediate patch priorities for internet-reachable instances. Any e-government SSO, SAML federation, or OIDC brokering service running Keycloak < 26.6.3 should complete the upgrade before the G7 event window. (Keycloak; daily 2026-06-07)
cloud lpe rce phishing identity ddos global

2026-05-30

Ghost Stadium PhaaS — 300+ FIFA domain clones, multi-language fake SSO, targeting UK/Germany/Portugal/Spain fan credentials before June 11 kickoff

high threat discovered 2026-05-30 05:00 UTC

The FBI issued PSA260527 on 27 May 2026 warning that a Chinese-speaking, financially motivated threat actor tracked by Group-IB as Ghost Stadium has deployed more than 300 phishing sites impersonating fifa.com. All reproduce the official site pixel-for-pixel, including a fake single-sign-on authentication flow in multiple languages (FBI IC3 PSA260527, 2026-05-27; BleepingComputer, 2026-05-28). Typosquatted domains span alternative TLDs (.org, .xyz, .live, .sale) and character substitutions; additional fake employment portals impersonate FIFA HR functions. Criminal objectives include credential and financial-data theft via the fake SSO, counterfeit ticket and hospitality sales, and fake merchandise and streaming-rights fraud. UK, Germany, Portugal, and Spain are explicitly named as target demographics. Browser-based security controls (Safe Browsing, SmartScreen) do not protect against freshly registered domains before abuse is reported. For defenders at organisations with large employee populations purchasing World Cup tickets: advise bookmarking https://www.fifa.com directly and treat any sponsored search result for FIFA ticket purchases as unverified. The high-intensity fraud window is the lead-up to the July 19 final.
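One way to build the FIFA-themed domain alerting recommended in these entries: a classifier for proxy or DNS log hostnames that flags the TLD swaps and character substitutions described above. This is an added example, not code from this site, the FBI or Group-IB. The confusables map, reason labels and sample hostnames are constructed, and the IDN homoglyph handling goes beyond the substitutions the advisory names.

```python
BRAND, LEGIT = "fifa", "fifa.com"
# Constructed, non-exhaustive look-alike map (an assumption, not from the advisory).
CONFUSABLES = str.maketrans({"1": "i", "l": "i", "\u0456": "i", "\u0131": "i",
                             "4": "a", "\u0430": "a"})


def skeleton(label: str) -> str:
    """Decode an IDN (punycode) label, then fold look-alike characters to ASCII."""
    if label.startswith("xn--"):
        try:
            label = label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            pass  # malformed IDN label: compare it as-is
    return label.translate(CONFUSABLES)


def classify(host: str):
    """Return why a hostname looks like a fifa.com clone, or None if it does not."""
    host = host.strip().rstrip(".").lower()
    if host == LEGIT or host.endswith("." + LEGIT):
        return None  # the real site and its subdomains
    labels = host.split(".")
    for i, label in enumerate(labels[:-1]):  # the TLD itself is never the brand
        # Naive assumption: the registrable label sits right before the TLD.
        # Use a Public Suffix List library for names such as *.co.uk.
        if label == BRAND:
            return "tld-swap" if i == len(labels) - 2 else "brand-subdomain"
        folded = skeleton(label)
        if folded == BRAND:
            return "char-substitution"
        if BRAND in folded:
            return "brand-keyword"
    return None


def scan(hosts):
    """Map each flagged hostname to its reason; clean hostnames are omitted."""
    return {h: r for h in hosts if (r := classify(h))}


# Constructed sample of proxy/DNS log hostnames; not indicators from the advisory.
IDN_CLONE = "xn--" + "f\u0456fa".encode("punycode").decode("ascii") + ".org"
SAMPLE = ["www.fifa.com", "tickets.fifa.com", "fifa.xyz", "f1fa.live",
          "fifa-tickets.sale", "fifa.login.example.xyz", IDN_CLONE, "example.org"]

if __name__ == "__main__":
    for host, reason in scan(SAMPLE).items():
        print(f"{reason:18} {host}")
```

Because freshly registered clones are not yet on Safe Browsing or SmartScreen lists, a pattern check like this complements reputation feeds rather than replacing them.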

phishing organized-crime china-nexus europe uk global