Date: 07/01/2026
Severity: High
Summary
A scam campaign is using 2026 FIFA World Cup "Champion Reward" survey lures to steal PII and payment card details. The phishing emails are sent from `adfluxi[.]com`, pass email authentication checks, and have no official affiliation with FIFA. The malicious URLs fingerprint sandboxes and non-US visitors and redirect them to harmless decoy sites, so automated analysis from outside the US sees only benign content. Real US visitors are routed to fake "reward" pages that harvest full payment card details (PAN/CVV/expiry). Stolen data is exfiltrated to `hxxps[:]//gocellbel[.]com/api/orders` and monetized via affiliate ID 1189. The campaign involves no malware and no password phishing; it focuses solely on identity and card theft.
Indicators of Compromise (IOC) List
Domains/URLs:
adfluxi.com
c7wbclk.com
curatedfindscorner.com
curll.eu
curll.us
gocellbel.com
insighthepanel.com
lokupatthstrs.com
mail-n6b-at8.adfluxi.com
opinioncashzone.com
surveysreswards.com
tryomnitecc.com
https://storage.googleapis.com/id-us/index.html
https://storage.googleapis.com/id-eu/
https://gocellbel.com/api/orders
https://c7wbclk.com/?nid=2106
IP Address:
20.38.0.172
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1:
domainname like "mail-n6b-at8.adfluxi.com" or url like "mail-n6b-at8.adfluxi.com" or siteurl like "mail-n6b-at8.adfluxi.com"
or domainname like "https://storage.googleapis.com/id-us/index.html" or url like "https://storage.googleapis.com/id-us/index.html" or siteurl like "https://storage.googleapis.com/id-us/index.html"
or domainname like "surveysreswards.com" or url like "surveysreswards.com" or siteurl like "surveysreswards.com"
or domainname like "adfluxi.com" or url like "adfluxi.com" or siteurl like "adfluxi.com"
or domainname like "curll.us" or url like "curll.us" or siteurl like "curll.us"
or domainname like "opinioncashzone.com" or url like "opinioncashzone.com" or siteurl like "opinioncashzone.com"
or domainname like "curll.eu" or url like "curll.eu" or siteurl like "curll.eu"
or domainname like "c7wbclk.com" or url like "c7wbclk.com" or siteurl like "c7wbclk.com"
or domainname like "curatedfindscorner.com" or url like "curatedfindscorner.com" or siteurl like "curatedfindscorner.com"
or domainname like "https://c7wbclk.com/?nid=2106" or url like "https://c7wbclk.com/?nid=2106" or siteurl like "https://c7wbclk.com/?nid=2106"
or domainname like "https://storage.googleapis.com/id-eu/" or url like "https://storage.googleapis.com/id-eu/" or siteurl like "https://storage.googleapis.com/id-eu/"
or domainname like "insighthepanel.com" or url like "insighthepanel.com" or siteurl like "insighthepanel.com"
or domainname like "lokupatthstrs.com" or url like "lokupatthstrs.com" or siteurl like "lokupatthstrs.com"
or domainname like "https://gocellbel.com/api/orders" or url like "https://gocellbel.com/api/orders" or siteurl like "https://gocellbel.com/api/orders"
or domainname like "gocellbel.com" or url like "gocellbel.com" or siteurl like "gocellbel.com"
or domainname like "tryomnitecc.com" or url like "tryomnitecc.com" or siteurl like "tryomnitecc.com"
Detection Query 2:
dstipaddress IN ("20.38.0.172") or srcipaddress IN ("20.38.0.172")
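The two detection queries above are substring matches on the domainname, url and siteurl fields and an exact match on the IP fields. The following is an added example, not Gurucul's query engine or Unit 42's code, showing how the same IOC list can be evaluated against events from any log source in Python. It assumes each event is a dict keyed by the same field names the queries use, and the sample events at the bottom are constructed for the example. One point it makes that the raw query does not: the four full URLs are compared as prefixes rather than as host matches, because matching on the bare host would flag every storage.googleapis.com request in the environment, while the eleven bare domains are matched as the host itself or any subdomain of it.

```python
import ipaddress
from urllib.parse import urlsplit

# Bare domains from the advisory's IOC list. They are only compared against
# log fields here, never contacted.
IOC_DOMAINS = {
    "adfluxi.com", "c7wbclk.com", "curatedfindscorner.com", "curll.eu",
    "curll.us", "gocellbel.com", "insighthepanel.com", "lokupatthstrs.com",
    "mail-n6b-at8.adfluxi.com", "opinioncashzone.com", "surveysreswards.com",
    "tryomnitecc.com",
}
# Full URLs from the IOC list, matched as prefixes so that a shared host such
# as storage.googleapis.com does not turn every bucket access into a hit.
IOC_URL_PREFIXES = (
    "https://storage.googleapis.com/id-us/index.html",
    "https://storage.googleapis.com/id-eu/",
    "https://gocellbel.com/api/orders",
    "https://c7wbclk.com/?nid=2106",
)
IOC_IPS = {ipaddress.ip_address("20.38.0.172")}


def host_of(value):
    """Return the lower-cased host from a full URL or a bare hostname field."""
    if "://" not in value:
        value = "//" + value  # lets urlsplit treat a bare host as a netloc
    host = urlsplit(value).hostname
    return host.lower() if host else ""


def domain_matches(host):
    """True when host is an IOC domain or any subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def url_matches(value):
    """True when the value starts with one of the full-URL indicators."""
    v = value.lower()
    return any(v.startswith(p) for p in IOC_URL_PREFIXES)


def match_event(event):
    """Evaluate one event against both detection queries.

    Returns a list of (field, indicator) pairs; an empty list means no match.
    """
    hits = []
    for field in ("domainname", "url", "siteurl"):
        value = event.get(field)
        if not value:
            continue
        host = host_of(value)
        if domain_matches(host):
            hits.append((field, host))
        elif url_matches(value):
            hits.append((field, value))
    for field in ("srcipaddress", "dstipaddress"):
        value = event.get(field)
        if not value:
            continue
        try:
            if ipaddress.ip_address(value) in IOC_IPS:
                hits.append((field, value))
        except ValueError:
            pass  # field held something that is not an IP literal; ignore it
    return hits


def scan(events):
    """Return {event id: hits} for every event that matched at least once."""
    return {e["id"]: h for e in events if (h := match_event(e))}


# Constructed sample events (not real telemetry). 192.0.2.10 is a TEST-NET
# address used as a benign destination.
SAMPLE_EVENTS = [
    {"id": 1, "url": "https://storage.googleapis.com/id-us/index.html",
     "dstipaddress": "192.0.2.10"},
    {"id": 2, "domainname": "mail-n6b-at8.adfluxi.com"},
    {"id": 3, "url": "https://storage.googleapis.com/some-other-bucket/a.txt"},
    {"id": 4, "dstipaddress": "20.38.0.172"},
    {"id": 5, "siteurl": "https://example.com/", "srcipaddress": "not-an-ip"},
]

if __name__ == "__main__":
    for event_id, hits in scan(SAMPLE_EVENTS).items():
        print(event_id, hits)
```

Event 3 is the case worth noticing: it shares the storage.googleapis.com host with the id-us indicator but is a different bucket, so it produces no hit, whereas a naive `like "storage.googleapis.com"` clause would have flagged it.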
Reference:
https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2026-06-29-FIFA-themed-email-scam-for-credit-card-theft.txt