Listen to this Post

Introduction:
The 2026 FIFA World Cup has become a prime hunting ground for cybercriminals, with a sophisticated phishing campaign leveraging the tournament’s massive global popularity to steal personally identifiable information (PII) and payment card details. Palo Alto Networks Unit 42 has identified a large-scale operation where threat actors send authentication-passing emails that redirect victims through geo-cloaked intermediary domains before landing on fake “reward” checkout pages. Unlike traditional credential-harvesting attacks, this campaign focuses exclusively on financial data theft, exfiltrating full payment card numbers, CVV codes, and expiration dates to a backend API endpoint. This article provides a comprehensive technical breakdown of the attack chain, actionable detection strategies, and defensive measures for security professionals and everyday users alike.
Learning Objectives:
- Understand the complete kill chain of the FIFA-themed phishing scam, from initial email delivery to data exfiltration
- Identify and analyze the geo-cloaking techniques used to evade sandbox detection and region-filter victims
- Learn how to extract and investigate Indicators of Compromise (IOCs) including domains, IP addresses, and URL patterns
- Implement defensive strategies including email filtering, DNS blocking, and user awareness training
- Apply practical Linux and Windows commands to analyze phishing infrastructure and monitor for similar threats
You Should Know:
- The Attack Chain: From FIFA Hype to Credit Card Theft
The campaign begins with a lure email that capitalizes on the excitement surrounding the 2026 FIFA World Cup, offering a “Champion Reward” survey or free prize. These emails originate from an authentication-passing mailer at adfluxi[.]com, which allows them to bypass many standard email security filters. When a recipient clicks the embedded link, they are redirected through a series of malicious domains before reaching the final phishing page.
The redirection chain is designed to evade detection and filter victims based on their geographic location. The initial redirect leads to a geo-cloaked redirector that checks the visitor’s IP address and user agent. Visitors outside the United States or those identified as security sandboxes are routed to decoy sites that appear innocuous, while legitimate US-based visitors are sent to the fake “reward” checkout pages. This technique makes it difficult for security researchers to discover the actual phishing infrastructure, as automated scanners and non-US analysts are shown harmless content.
The final stage of the attack involves a convincing fake reward page that mimics a legitimate promotional offer. Victims are prompted to enter their full name, billing address, and complete payment card details including PAN, CVV, and expiration date. This information is then exfiltrated via a POST request to hxxps[:]//gocellbel[.]com/api/orders. The operation is monetized through affiliate ID 1189, indicating a cost-per-action (CPA) model where the fraudsters earn commissions for each successfully stolen card.
Step-by-Step Guide: Analyzing the Phishing Infrastructure
To investigate this campaign, security analysts can follow these steps:
- Extract Email Headers: Obtain the full email headers from a reported phishing email. Look for the sending IP address (identified as `20.38.0[.]172` in this campaign) and the originating domain (
adfluxi[.]com). -
Trace Redirect Chains: Use `curl -v` or a browser’s developer tools to follow the redirect chain. Start from the link in the email and note each intermediate domain.
-
Analyze Geo-Cloaking: Use VPNs or proxy services to test the phishing URL from different geographic locations. Compare the responses from US-based IPs versus non-US IPs.
-
Inspect JavaScript Payloads: The initial redirect stub is hosted at `storage.googleapis[.]com/id-us/index[.]html` and is only 485 bytes in size. This lightweight JavaScript performs the geo-targeting logic before forwarding victims.
-
Monitor Network Traffic: Use tools like Wireshark or Burp Suite to capture the POST request to the exfiltration endpoint at
gocellbel[.]com/api/orders.
2. Indicators of Compromise (IOCs) and Threat Intelligence
The following indicators have been identified as part of this campaign and should be blocked or monitored within enterprise security controls:
Malicious Domains:
– `adfluxi[.]com` – Email sender/mailer domain
– `c7wbclk[.]com` – CPA conversion postback (?nid=2106)
– `curatedfindscorner[.]com` – PII lead capture (vacuum) page
– `curll[.]eu` – EU twin tracker/redirector
– `curll[.]us` – Open-tracking + geo/ASN cloaking redirector
– `gocellbel[.]com` – Card/PII exfiltration backend (/api/orders)
– `insighthepanel[.]com` – Secondary CPA tracker (oho=t2.)
– `lokupatthstrs[.]com` – Primary CPA smartlink
– `opinioncashzone[.]com` – CPA tracker (aff_id=1189)
– `surveysreswards[.]com` – Survey-router (lifini.)
– `tryomnitecc[.]com` – Card + PII harvesting (smartband)
Malicious URLs:
– `hxxps[:]//storage.googleapis[.]com/id-us/index[.]html` – 485-byte JS redirector stub → `curll[.]us`
– `hxxps[:]//storage.googleapis[.]com/id-eu/` – EU twin redirector bucket
– `hxxps[:]//gocellbel[.]com/api/orders` – Card/PII POST/exfiltration endpoint
– `hxxps[:]//c7wbclk[.]com/?nid=2106` – Conversion postback
Sending IP Address:
– `20.38.0[.]172`
Security teams should implement DNS sinkholing or block these domains at the network perimeter. Email security gateways should be configured to flag or quarantine messages originating from `adfluxi[.]com` and its subdomains.
Step-by-Step Guide: Blocking IOCs Using Linux and Windows Commands
Linux (Using iptables and /etc/hosts):
Block domains via /etc/hosts echo "127.0.0.1 adfluxi.com" >> /etc/hosts echo "127.0.0.1 c7wbclk.com" >> /etc/hosts echo "127.0.0.1 curatedfindscorner.com" >> /etc/hosts echo "127.0.0.1 curll.eu" >> /etc/hosts echo "127.0.0.1 curll.us" >> /etc/hosts echo "127.0.0.1 gocellbel.com" >> /etc/hosts Block IP address via iptables iptables -A INPUT -s 20.38.0.172 -j DROP iptables -A OUTPUT -d 20.38.0.172 -j DROP Block domains using iptables string matching (requires xt_string module) iptables -I FORWARD -m string --string "gocellbel.com" --algo bm -j DROP
Windows (Using PowerShell and hosts file):
Add entries to hosts file (run as Administrator) $hostsPath = "$env:windir\System32\drivers\etc\hosts" $entries = @( "127.0.0.1 adfluxi.com", "127.0.0.1 c7wbclk.com", "127.0.0.1 curatedfindscorner.com", "127.0.0.1 curll.eu", "127.0.0.1 curll.us", "127.0.0.1 gocellbel.com" ) Add-Content -Path $hostsPath -Value $entries Block IP using Windows Firewall New-1etFirewallRule -DisplayName "Block FIFA Phishing IP" -Direction Inbound -RemoteAddress 20.38.0.172 -Action Block New-1etFirewallRule -DisplayName "Block FIFA Phishing IP Outbound" -Direction Outbound -RemoteAddress 20.38.0.172 -Action Block
3. Defensive Strategies and Mitigation
Organizations and individuals can protect themselves against this and similar phishing campaigns through a combination of technical controls and user education.
Email Filtering and Authentication: Implement strict SPF, DKIM, and DMARC policies to prevent domain spoofing. Configure email security gateways to flag messages with suspicious sender domains or those that fail authentication checks. Consider blocking emails containing URLs with newly registered or suspicious domains.
Web Filtering and DNS Security: Deploy DNS security solutions that can detect and block access to known malicious domains. Regularly update threat intelligence feeds with IOCs from this campaign. Consider using browser extensions that warn users when they visit known phishing sites.
User Awareness Training: Educate users about the risks of unsolicited “reward” or “survey” emails, especially those tied to major events like the FIFA World Cup. Emphasize that legitimate organizations never request full payment card details via email or third-party survey pages. Train users to hover over links to preview the actual destination URL before clicking.
Geo-Cloaking Detection: Security teams should test their phishing detection capabilities by accessing suspicious URLs from multiple geographic locations. If a URL behaves differently based on the visitor’s location, it is a strong indicator of malicious intent. Consider implementing automated systems that scan URLs from diverse IP ranges to identify geo-cloaked content.
4. Advanced Analysis: Decoding the Technical Infrastructure
The sophistication of this campaign lies in its layered infrastructure and evasion techniques. Let’s examine each component in detail.
Authentication-Passing Mailer (adfluxi[.]com): The email sender domain is configured to pass SPF and DKIM checks, making the emails appear legitimate to most spam filters. This is achieved by properly configuring the domain’s DNS records to authorize the sending IP address. Security teams should not rely solely on authentication checks and should incorporate behavioral analysis and reputation scoring.
Geo-Cloaked Redirector (curll[.]us): This domain acts as the primary gatekeeper, performing real-time geo-IP lookups and user-agent analysis. The redirector checks:
– The visitor’s country (US vs. non-US)
– Whether the visitor is using a known security sandbox or VPN
– The visitor’s ASN (Autonomous System Number)
Based on these factors, the redirector either sends the visitor to a decoy site or to the fake reward page. This makes it extremely difficult for automated scanners to detect the malicious content, as they are typically located outside the US or use known VPN IP ranges.
CPA Conversion Tracking (c7wbclk[.]com and opinioncashzone[.]com): The campaign is monetized through cost-per-action (CPA) affiliate networks. Each successful credit card submission triggers a conversion postback to these domains, allowing the fraudsters to track their earnings. The affiliate ID `1189` is used across multiple tracker domains.
Data Exfiltration Endpoint (gocellbel[.]com/api/orders): Stolen payment card data is sent to this backend API endpoint via HTTPS POST requests. The use of HTTPS encryption makes it difficult for network monitoring tools to inspect the exfiltrated data without SSL decryption.
Step-by-Step Guide: Analyzing Phishing Infrastructure with Wireshark and Burp Suite
Using Wireshark (Network Traffic Analysis):
- Capture network traffic while visiting the phishing URL: `tshark -i eth0 -w phishing.pcap`
2. Filter for HTTP/HTTPS traffic: `http or tls`
- Look for POST requests to
gocellbel.com: `http.request.method == “POST” and http.host contains “gocellbel”`
4. Extract the payload data from the POST request to identify what information is being exfiltrated
Using Burp Suite (Web Proxy Analysis):
1. Configure Burp Suite as an intercepting proxy
- Navigate to the phishing URL through the proxy
- Follow the redirect chain manually, noting each intermediate domain
- Inspect the JavaScript code from `storage.googleapis[.]com/id-us/index[.]html` for the geo-cloaking logic
- Submit test data to the fake reward page and capture the POST request to `gocellbel.com/api/orders`
6. Analyze the request body to understand the data format being exfiltrated -
The Broader Threat Landscape: FIFA 2026 Fraud Ecosystem
This campaign is part of a much larger wave of FIFA-themed cybercrime. Researchers have identified over 4,000 fraudulent FIFA-related domains registered since August 2025. Threat actors are employing a wide range of tactics including:
- Fake Ticket Scams: Cloned FIFA ticketing platforms with real-time card skimming and OTP interception capabilities
- Brand Impersonation: Websites that closely resemble FIFA’s official platform to steal PII and payment details
- Phishing-as-a-Service: Ready-made scam kits and ticket-buying bots available on underground markets
- Social Media Impersonation: Fraudulent ad campaigns on Facebook and Instagram pushing counterfeit merchandise and phishing pages
The geographic spread of the 2026 games across multiple US cities has multiplied opportunities for transit-themed fraud and localized scams. The FBI has issued warnings about domains spoofing the legitimate FIFA website and anticipates additional fake domains to emerge throughout the tournament.
- Practical Mitigation: Linux and Windows Commands for Monitoring and Defense
Linux: Monitoring Suspicious Network Connections
Monitor real-time network connections for suspicious domains watch -1 1 'ss -tunap | grep -E "adfluxi|gocellbel|curll"' Check for DNS queries to malicious domains tcpdump -i any -1 port 53 | grep -E "adfluxi|gocellbel|curll" Use nslookup to verify domain resolutions for domain in adfluxi.com gocellbel.com curll.us; do nslookup $domain done Query WHOIS information for threat intelligence whois adfluxi.com whois gocellbel.com
Windows: Using PowerShell for Threat Hunting
Check DNS cache for malicious domains
Get-DnsClientCache | Where-Object {$_.Entry -match "adfluxi|gocellbel|curll"}
Monitor active network connections
Get-1etTCPConnection | Where-Object {$_.RemoteAddress -match "20.38.0.172"}
Query DNS resolution for multiple domains
"adfluxi.com","gocellbel.com","curll.us" | ForEach-Object {
Resolve-DnsName $_ -ErrorAction SilentlyContinue
}
Check for suspicious processes (optional, if malware were involved)
Get-Process | Where-Object {$_.Path -match "Temp|AppData"}
What Undercode Say:
- Key Takeaway 1: The FIFA-themed phishing campaign represents a significant evolution in social engineering tactics, leveraging major global events to bypass traditional security awareness. The use of authentication-passing mailers and geo-cloaked redirectors demonstrates a high level of technical sophistication that challenges conventional email and web filtering solutions.
-
Key Takeaway 2: The primary objective of this campaign is not credential theft but direct financial data exfiltration, with stolen payment cards being the ultimate prize. This shifts the threat model from account takeover to immediate financial fraud, requiring organizations to implement stronger payment card security controls and real-time fraud monitoring.
Analysis:
The scale and sophistication of FIFA 2026-related cybercrime highlights a growing trend where threat actors align their operations with major global events to maximize victim exposure. The identification of over 4,000 fraudulent domains and a “phishing-as-a-service” market indicates that this is not an isolated operation but a well-organized criminal ecosystem. Organizations must adopt a proactive threat intelligence approach, continuously updating their IOCs and implementing layered defenses that include email authentication, DNS filtering, geo-cloaking detection, and user education.
The geo-cloaking technique employed in this campaign is particularly concerning as it allows attackers to evade automated detection systems. Security vendors and enterprises must develop more sophisticated scanning capabilities that test URLs from multiple geographic locations to uncover these evasive tactics. Additionally, the use of CPA affiliate networks to monetize the operation suggests that cybercriminals are leveraging legitimate marketing infrastructure to scale their attacks.
Prediction:
- +1 The increased awareness and intelligence sharing around FIFA 2026 scams will lead to improved detection capabilities and faster takedown of fraudulent domains, potentially reducing the overall success rate of these campaigns.
-
-1 As defenses improve, threat actors will likely adopt more sophisticated evasion techniques, including AI-generated phishing content and dynamic domain generation algorithms, making detection even more challenging.
-
-1 The success of this campaign will likely inspire copycat operations targeting other major sporting events, including the 2028 Olympics and future World Cups, expanding the attack surface to new global audiences.
-
+1 Law enforcement agencies and cybersecurity firms are increasingly collaborating to disrupt these operations, as evidenced by the identification of 15 active cybercriminal operators and 40 fake ticketing websites in recent investigations.
-
-1 The monetization of stolen payment card data through carding markets and fraudulent transactions will continue to fuel this criminal ecosystem, with stolen credentials being resold and used for secondary fraud schemes.
-
+1 Improved email authentication standards and the adoption of BIMI (Brand Indicators for Message Identification) could help reduce the effectiveness of authentication-passing mailers used in these campaigns.
-
-1 The use of legitimate cloud storage services like Google Cloud Storage for hosting redirector stubs will continue to complicate takedown efforts, as these platforms are not easily blocked without impacting legitimate services.
-
+1 User awareness campaigns specifically tailored to major events like the World Cup can significantly reduce the number of victims, as educated users are less likely to fall for “reward” and “survey” lures.
-
-1 The global nature of the FIFA World Cup means that victims span multiple jurisdictions, complicating law enforcement response and allowing cybercriminals to operate across borders with relative impunity.
-
+1 The development of AI-powered phishing detection systems that can analyze email content, sender reputation, and URL behavior in real-time will provide a critical defense layer against these evolving threats.
▶️ Related Video (76% Match):
https://www.youtube.com/watch?v=-cw8S4KkZEE
🎯Let’s Practice For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
IT/Security Reporter URL:
Reported By: Phishing Share – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


