The World Cup continues this week. But the attack infrastructure targeting fans was built last year.
More than 4,400 fake FIFA-related domains were registered between August 2025 and the start of the tournament — some even earlier. These included fake ticketing sites, and impersonation domains combining sponsor names with terms like "VIP," "resale," and "stream." Some are already being positioned for the 2030 and 2034 tournaments.
This is how modern phishing campaigns work: Attackers don't register a domain months in advance, let it age, accumulate SSL certificates, and build search credibility — then activate it when traffic is expected to be at its peak.
By the time a fake domain looks like a phishing site, it often already outranks the legitimate site it's impersonating.
Most domain protection programs are calibrated to detect abuse after it goes live, but that window is often already too late. Effective protection has to start at registration — monitoring newly registered lookalikes, clustering related infrastructure, and disrupting threats before content ever appears.
We wrote about what this looks like in practice, and what the World Cup registration data reveals about how attack infrastructure is built. Link in the comments.