Unauthorized Access to FIFA World Cup Via Hayya Cards
December 14, 2022
Hayya Cards are issued to match-goers at the World Cup held in Qatar to avail of multiple facilities.
A threat actor has shared an unverified tutorial on how the registration process of Hayya Cards could be misused using fraudulent information.
Individuals without authorized FIFA match tickets can abuse the Hayya Card to obtain the benefits associated with it.
Brute-force attempts to input invalid ticket numbers, enabling card registration.
Apply stringent verification practices to prevent match ticket number brute forcing from the same IP/browser during the registration process.
Monitor cybercrime forums for the latest tactics employed by threat actors.
Analysis and Attribution
Information from the Post
CloudSEK’s contextual AI digital risk platform XVigil has spotted an advertisement where a short tutorial is provided on how the Hayya Card registration facility could be misused by threat actors to create multiple copies of the card.
These cards are exclusively meant for international fans visiting Qatar for the World Cup.
A Hayya Card can assist World Cup match-goers in the following ways:
Entry permit to Qatar
Free Metro Access
Free Bus Access
Access to Fan Events
Access to Discounts
Free SIM Card
The Hayya Card is a facility for all international citizens visiting Qatar at the onset of the upcoming World Cup. The card is designed to make the overall experience smooth by enabling its registration on the domain https://hayya[.]qatar2022[.]qa/
This tutorial was posted to the ‘Doxxing Tutorials’ section of an English-speaking cybercrime forum, where the contents of a post are revealed to those who comment on it.
Registration Process of the Hayya Card
The official YouTube channel for the FIFA World Cup Qatar goes by the name ‘Qatar2022’ and has 305K subscribers. The channel has posted two video demonstrations on how an international fan visiting Qatar for the World Cup can register for the Hayya Card on the portal https://hayya[.]qatar2022[.]qa/
The card registrant should enter the following PII details in order to avail of the card:
Match Ticket type
Ticket Application Number
Date of Birth
Misusing the Ticket number to issue multiple digital Hayya Cards
According to the threat actor, the match ticket number follows a format in which the first 3 digits are 300, followed by 4 random digits. This claim can be assessed with low confidence.
Spamming numbers in the mentioned format creates a risk of multiple Hayya Cards being generated in a fraudulent manner.
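The mitigation listed earlier (preventing ticket number brute forcing from the same IP/browser) can be backed by a detection run over registration logs. The Python below is an added example, not code from CloudSEK or the Hayya portal; the log format, the 10-minute window, the limit of 5 distinct numbers and every sample value are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed look-back window
MAX_DISTINCT = 5                # assumed limit on distinct ticket numbers per client per window

# Constructed registration events: timestamp, source IP, browser fingerprint,
# submitted ticket number, validation result. All values are made up.
SAMPLE_LOG = """\
2022-12-01T09:58:00 203.0.113.10 fp-home 3004821 fail
2022-12-01T09:59:00 203.0.113.10 fp-home 3004812 ok
2022-12-01T10:00:00 198.51.100.7 fp-x9 3007315 fail
2022-12-01T10:00:20 198.51.100.7 fp-x9 3000942 fail
2022-12-01T10:00:40 198.51.100.7 fp-x9 3005561 fail
2022-12-01T10:01:00 198.51.100.7 fp-x9 3002208 fail
2022-12-01T10:01:20 198.51.100.7 fp-x9 3009034 fail
2022-12-01T10:01:40 198.51.100.7 fp-x9 3001177 fail
2022-12-01T10:02:00 198.51.100.7 fp-x9 3006650 fail
2022-12-01T10:02:20 198.51.100.8 fp-x9 3003389 fail
2022-12-01T10:02:40 198.51.100.8 fp-x9 3008426 fail
""".splitlines()

def flag_enumeration(lines, window=WINDOW, max_distinct=MAX_DISTINCT):
    """Return {(kind, value): peak distinct ticket numbers} for clients over the limit.

    IP and browser fingerprint are tracked separately, so changing only one
    of them does not reset the count.
    """
    recent = defaultdict(deque)  # client key -> (timestamp, ticket) pairs inside the window
    flagged = {}
    for line in lines:
        if not line.strip():
            continue
        ts_raw, ip, fingerprint, ticket, _result = line.split()
        ts = datetime.fromisoformat(ts_raw)
        for key in (("ip", ip), ("browser", fingerprint)):
            events = recent[key]
            events.append((ts, ticket))
            while ts - events[0][0] > window:  # drop events older than the window
                events.popleft()
            distinct = len({t for _, t in events})
            if distinct > max_distinct:
                flagged[key] = max(flagged.get(key, 0), distinct)
    return flagged

if __name__ == "__main__":
    for (kind, value), count in flag_enumeration(SAMPLE_LOG).items():
        print(f"{kind}={value}: {count} distinct ticket numbers within {WINDOW}")
```

Counting distinct ticket numbers rather than raw attempts keeps a registrant who retypes their own number below the limit, while a client cycling through many numbers is flagged by IP, by browser fingerprint, or both.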
Threat Actor Activity and Rating
Threat Actor Profiling
Low (Multiple complaints and concerns on the forum)