Following the kick-off of the UEFA EUROs 2024 in Germany, Egress’ Threat Intelligence team has observed a massive spike in Euros-related phishing attacks, recording 7,000 unique campaigns with over 24,000 individual attacks since June 17th, 2024.
These attacks are more sophisticated than you might expect, with many attackers choosing to impersonate businesses associated with the tournament rather than impersonating UEFA directly. Consequently, a significant portion of these attacks target transportation, accommodation, and gambling businesses linked to the Euros.
Booking.com was the most impersonated brand, closely followed by German airline, Lufthansa, and Uber.
Quick attack summary
- Vector and type: Email phishing
- Techniques: Brand impersonation
- Payload: Phishing link to ‘lookalike’ phishing website
- Targets: Organizations in the UK and Europe
- Platform: Microsoft 365
Leveraging techniques like typosquatting and obfuscation, attackers are launching EUROs-themed attacks impersonating prominent travel, accommodation, and gambling companies linked to the tournament. One notable example is Booking.com, the official accommodation partner of the UEFA EUROs 2024.
The top three impersonated brands:
- Booking.com
- Lufthansa (a German airline)
- Uber
Other impersonated brands include:
- Trainline
- Eurostar
- Tripadvisor
- Hotels.com
- Marriott.com
Attackers are using lookalike email domains, such as Eurostɑr[.]com, utilizing typosquatting techniques to alter characters in the domain to appear valid and pass authentication checks. Our Threat Intelligence team has also noticed spoofed email domains, which are identical to legitimate ones but cannot be registered and therefore fail common authentication checks.
All the attacks are link-based credential harvesting schemes, often using obfuscation techniques such as URL shorteners to mask the destination and bypass link-scanning solutions. Most of the malicious URLs are domains hosted on Cloudflare, one of the biggest networks on the internet.
What the attacks look like
Step 1 – The initial phishing email
In the first example analyzed below, the attacker has sent a phishing email impersonating Booking.com, the official accommodation partner of the UEFA EUROs 2024. They have used a highly stylized template mimicking Booking.com’s branding so closely that our Threat Intelligence team suspects they have taken a screenshot of Booking.com’s website and added the EURO-related elements.
The attacker has also sent the phishing email from a ‘lookalike’ email domain, using Booking.com’s well-known slogan (“booking-dot-yeah") to make the attack more convincing. As this is a lookalike rather than a direct spoof, the email is likely to pass traditional authentication checks on delivery.
In this example, the entire email is made up of one image which limits linguistic analysis to the subject line and display name - both of which do not appear overly suspicious. The payload is the shortened link attached to the image, which then directs the recipient to the malicious Cloudflare hosted site.
Screenshot of phishing attack impersonating Booking.com, with Egress Defend anti-phishing banners applied.
In the second example, the phishing attack impersonates Trainline, a well-known transportation company. Once again, the attacker has closely copied Trainline’s branding and tone to lower suspicion. Our Threat Intelligence team suspects that the attacker has downloaded a legitimate email from the company and changed certain elements to match the EUROs theme.
Again, as this is a ‘lookalike’ email domain rather than a direct spoof, the email has passed basic authentication checks. In addition, the subject line ("Getting you to the euros on a budget") employs social engineering tactics to entice recipients with the potential promise of saving money if they book through the provided link. The failure to capitalize "EUROs" in the subject line is a slight giveaway that the email is malicious. However, since Trainline often sends informal subject lines in their customer communications, this mistake could be easily overlooked.
The 'Book Now' button uses a shortened link to direct the recipient to a malicious site hosted on Cloudflare. However, all other links in the email, such as the social media buttons in the footer, are legitimate and lead to Trainline's actual pages, increasing the email's legitimacy and lowering recipient suspicion.
Screenshot of phishing attack impersonating Trainline, with Egress Defend anti-phishing banners applied.
Step 2 – The ‘Lookalike’ phishing websites
The second step of this multi-stage attack leads recipients to a malicious site hosted on Cloudflare, hoping they will input their credentials or financial details. With over 7,000 unique campaigns, this step has varied significantly, with some malicious sites impersonating brands like Booking.com, well-known gambling companies, and other accommodation and travel pages.
In the first example below, however, the link directs the recipient to a convincing impersonation of a Microsoft login page. Although this seems unrelated to the initial phishing emails, our Threat Intelligence team suspects the hope is that, if the email is opened on a business device, the recipient will think this is a re-authentication process and input their credentials to proceed.
As a result, the attacker can use the credentials to compromise the individual's business email and potentially other accounts if the password is reused. They may then move laterally across that individual's organization using this account as a foothold.
Screenshot of a malicious website used for credential harvesting, impersonating a Microsoft log in page.
The second example of a malicious site is a gambling page, originating from an initial phishing email promoting bets on EUROs games. Recipients are encouraged to create an account, providing an opportunity for credential harvesting. Additionally, given the nature of gambling, the attacker may hope for the recipient to deposit money or input their financial information, enabling them to defraud the individual.
Screenshot of a malicious website used to harvest credentials and financial detail, posing as a gambling page.
Egress analysis
Using legitimate tools for illicit gains
In these campaigns, attackers have employed a couple of legitimate business tools to enhance the credibility of their attacks.
The first are URL shortening websites such as bit.ly, usually used to condense long links for business purposes. In this circumstance attackers have used them to obfuscate malicious links, making them difficult for link scanning technologies to read. Less advanced security solutions may accept the shortened link as safe, overlooking its malicious intent. More advanced tools, however, can recognize the presence of these redirects as suspicious activity.
The second legitimate tool is Cloudflare, one of the biggest and well-known networks on the internet. Our Threat Intelligence team suspect attackers have used this platform to host malicious URLs for several reasons:
- It is free, accessible, and easy to use.
- It has a good reputation, so any associated links will appear less suspicious. This also means security teams can’t block all domains that come from Cloudflare as many may be used for legitimate purposes.
- There is a polymorphic element to Cloudflare – it can quickly randomize new domains, so if one domain gets put on a blocklist, Cloudflare can quickly produce another.
- Cloudflare incorporates captchas into their service to prevent automated bots from clicking on links. These captchas effectively block link scanning technologies, rendering them ineffective. Since many secure email gateway (SEG) solutions rely solely on link scanning, they may fail to flag such links as malicious.
Quantity over quality- attacks en masse
These attacks, though not the most sophisticated in design, capitalize on sheer volume to increase their chances of success. By inundating inboxes, attackers aim to exploit even a small percentage of recipients who may engage whilst creating an administrative burden for security teams who must remediate each attack.
The strategy hinges on the ripple effect of a single successful breach: once an individual falls victim and their credentials are compromised, attackers can move laterally within an organization.
Social engineering techniques
The campaigns also employ social engineering tactics to exploit the allure of a major event like the UEFA EUROs 2024. By crafting convincing narratives such as enticing offers related to travel accommodations, budget deals, or exclusive ticket competitions, attackers manipulate recipients' urgency and FOMO.
They capitalize on the excitement and heightened interest around football events, appealing to the stereotypical mentality of those eager to secure the best deals or participate in gambling activities tied to game outcomes. These tactics not only exploit the event's popularity but also human emotions and behaviors to maximize their impact and success rates.
Identifying advanced phishing threats
The surge in phishing attacks linked to the UEFA EUROs 2024 serves as a stark reminder of the pervasive threat posed by social engineering tactics in the digital age. By exploiting the collective enthusiasm and trust surrounding a high-profile event and reputable brands, cybercriminals demonstrate a sophisticated understanding of human psychology and behavior, even if the attacks themselves aren’t so advanced.
As attackers attempt to capitalize on the EUROs through budgets, competitions and deals, the adage "if it's too good to be true, it probably is" rings truer than ever. Staying informed, verifying sources, and exercising caution can greatly mitigate the risk of falling victim to such attacks.
Ultimately, identification and prevention of this type of advanced threat requires a combination of tailored coaching and an intelligent anti-phishing technology that does not rely on any singular detection mechanism like link scanning alone. Egress Defend takes a holistic approach to detection, using AI and a zero-trust approach to detect and neutralize emerging threats like impersonation and zero-day attacks.