FIFA-Themed Email Scam for Credit Card Theft

    Date: 07/01/2026

    Severity: High

    Summary

    A scam campaign is using 2026 FIFA World Cup "Champion Reward" survey lures to steal PII and payment card details. The phishing emails are sent from `adfluxi[.]com`, pass authentication, and have no official affiliation with FIFA. Malicious URLs detect sandboxes and non-US visitors, actively redirecting them to harmless decoy sites. Real US visitors are routed to fake "reward" pages that harvest full payment card details (PAN/CVV/expiry). Stolen data is exfiltrated to `hxxps[:]//gocellbel[.]com/api/orders` and monetized via affiliate ID 1189. The campaign involves no malware or password phishing, focusing solely on identity and card theft.

    Indicators of Compromise (IOC) List 

    Domains/URLs

    IP Address 

    20.38.0.172

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "mail-n6b-at8.adfluxi.com" or url like "mail-n6b-at8.adfluxi.com" or siteurl like "mail-n6b-at8.adfluxi.com" or domainname like "https://storage.googleapis.com/id-us/index.html" or url like "https://storage.googleapis.com/id-us/index.html" or siteurl like "https://storage.googleapis.com/id-us/index.html" or domainname like "surveysreswards.com" or url like "surveysreswards.com" or siteurl like "surveysreswards.com" or domainname like "adfluxi.com" or url like "adfluxi.com" or siteurl like "adfluxi.com" or domainname like "curll.us" or url like "curll.us" or siteurl like "curll.us" or domainname like "opinioncashzone.com" or url like "opinioncashzone.com" or siteurl like "opinioncashzone.com" or domainname like "curll.eu" or url like "curll.eu" or siteurl like "curll.eu" or domainname like "c7wbclk.com" or url like "c7wbclk.com" or siteurl like "c7wbclk.com" or domainname like "curatedfindscorner.com" or url like "curatedfindscorner.com" or siteurl like "curatedfindscorner.com" or domainname like "https://c7wbclk.com/?nid=2106" or url like "https://c7wbclk.com/?nid=2106" or siteurl like "https://c7wbclk.com/?nid=2106" or domainname like "https://storage.googleapis.com/id-eu/" or url like "https://storage.googleapis.com/id-eu/" or siteurl like "https://storage.googleapis.com/id-eu/" or domainname like "insighthepanel.com" or url like "insighthepanel.com" or siteurl like "insighthepanel.com" or domainname like "lokupatthstrs.com" or url like "lokupatthstrs.com" or siteurl like "lokupatthstrs.com" or domainname like "https://gocellbel.com/api/orders" or url like "https://gocellbel.com/api/orders" or siteurl like "https://gocellbel.com/api/orders" or domainname like "gocellbel.com" or url like "gocellbel.com" or siteurl like "gocellbel.com" or domainname like "tryomnitecc.com" or url like "tryomnitecc.com" or siteurl like "tryomnitecc.com"

    Detection Query 2:

    dstipaddress IN ("20.38.0.172") or srcipaddress IN ("20.38.0.172")
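
An added Python example (not part of the original advisory and not Gurucul query syntax) that applies the same indicators to constructed proxy records. It matches registered domains by suffix so subdomains hit and look-alikes do not, and matches the `storage.googleapis.com` indicators by host plus path so unrelated Google Cloud Storage traffic is not flagged. The record layout, function names, verdict labels and the treatment of `/id-us/` and `/id-eu/` as path prefixes are assumptions.

```python
from urllib.parse import urlsplit

# Subset of this advisory's domains; the remainder are in Detection Query 1.
IOC_DOMAINS = {"adfluxi.com", "gocellbel.com", "c7wbclk.com"}
# Shared-hosting indicators: match host AND path, never the host alone.
# Assumption: everything under these bucket paths belongs to the campaign.
IOC_URL_PREFIXES = (("storage.googleapis.com", "/id-us/"),
                    ("storage.googleapis.com", "/id-eu/"))
IOC_IPS = {"20.38.0.172"}
EXFIL = ("gocellbel.com", "/api/orders")  # card-data collection endpoint


def refang(value):
    """Undo the defanging used in the summary (hxxps, [.] and [:])."""
    return value.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


def classify(method, url, dst_ip=""):
    """Return why a proxy record matches the campaign, or None if it does not."""
    raw = refang(url)
    parts = urlsplit(raw if "://" in raw else "//" + raw)
    host = (parts.hostname or "").rstrip(".").lower()
    path = parts.path or "/"
    if host == EXFIL[0] and path.startswith(EXFIL[1]) and method.upper() == "POST":
        return "card-data-exfil"
    if any(host == d or host.endswith("." + d) for d in IOC_DOMAINS):
        return "ioc-domain"
    if any(host == h and path.startswith(p) for h, p in IOC_URL_PREFIXES):
        return "ioc-url"
    if dst_ip in IOC_IPS:
        return "ioc-ip"
    return None


# Constructed records (method, url, destination IP); not real telemetry.
SAMPLE_LOG = [
    ("GET", "https://mail-n6b-at8.adfluxi.com/t/open", "203.0.113.10"),
    ("GET", "https://storage.googleapis.com/id-us/index.html", "203.0.113.11"),
    ("GET", "https://storage.googleapis.com/corp-backups/a.zip", "203.0.113.11"),
    ("POST", "hxxps[:]//gocellbel[.]com/api/orders", "203.0.113.12"),
    ("GET", "https://notadfluxi.com/", "203.0.113.13"),
    ("GET", "https://example.org/", "20.38.0.172"),
]


def scan(records):
    """Classify every record; None means no indicator matched."""
    return [classify(*record) for record in records]


if __name__ == "__main__":
    for record, verdict in zip(SAMPLE_LOG, scan(SAMPLE_LOG)):
        print(verdict or "clean", record[0], record[1])
```

A `card-data-exfil` verdict means a client POSTed to the collection endpoint, so it warrants card-compromise handling rather than a click-only review.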

    Reference:    

    https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2026-06-29-FIFA-themed-email-scam-for-credit-card-theft.txt  


    Tags

    Malware, Phishing, FIFA, United States, Exfiltration, Financial Services, Infostealer
