IPL Ticket Scammers Use Fake Portals & Malware to Target Fans Globally


Sophisticated Cybercrime Network Exploits Indian Premier League Ticketing Frenzy

A sophisticated cybercrime network has been uncovered, exploiting the Indian Premier League (IPL) ticketing frenzy to swindle fans out of their money.

According to the researchers, “the operation involved more than 600 fake ticketing domains and over 400 malicious streaming sites, utilizing advanced tactics to evade detection.”

The scam relied on well-designed phishing portals that mirrored legitimate ticketing platforms such as BookMyShow and District by Zomato, giving victims a convincing user experience. Fans were driven to these sites through paid Google advertisements, social media posts and Telegram channels, and the fake domains were also search-engine optimized to rank highly for ticket queries, so that even fans who searched for tickets themselves were likely to land on them.

  • Victims saw a complete booking flow: payment gateways, automated ticket generation and fabricated customer testimonials.
  • Nothing revealed the fraud until victims presented their tickets at the stadium gates, often only hours before the match, by which time genuine tickets had sold out and there was no time to buy a legitimate replacement.

The scam’s organizers exploited the emotional vulnerability of fans desperate for last-minute access, creating a sense of urgency and fear of missing out. The researchers also found that many of the 400-plus fake streaming sites doubled as malware distribution points, delivering the SHub Stealer infostealer to both Windows and macOS devices.

  • The stealer harvested browser credentials, payment details, Apple Keychain data, Telegram sessions, cryptocurrency wallet credentials and system information from compromised devices.
  • The macOS targeting was deliberate: some sites ran browser-detection scripts to fingerprint the visitor’s operating system before serving a device-specific page, such as a fake Apple security update prompt or a fake GitHub installer page. Because the decoy is chosen client-side, a scanner that does not present a macOS or Windows user agent may never be shown the malicious page at all.
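To make the “browser detection script” concrete, the following is an added example (not code from the article or from the campaign it describes) of how such an OS-gated landing page decides which decoy to serve, paired with a simple static heuristic a defender can run over crawled page scripts to flag the pattern. The decoy paths, the sample scripts and the user-agent strings are all constructed for illustration.

```javascript
// Added example, not from the original article. All paths, sample scripts and
// UA strings below are constructed for illustration only.

// 1. The fingerprinting step as OS-gated pages typically do it: read the UA
//    string (and navigator.platform where available) and map it to a family.
function classifyPlatform(userAgent, platform = "") {
  const ua = (userAgent || "").toLowerCase();
  const plat = (platform || "").toLowerCase();
  // iPhone/iPad UAs also contain "Mac OS X", so test mobile tokens first.
  if (/iphone|ipad|ipod/.test(ua)) return "ios";
  if (/android/.test(ua)) return "android";
  if (/windows nt/.test(ua) || plat.startsWith("win")) return "windows";
  if (/macintosh|mac os x/.test(ua) || plat.startsWith("mac")) return "macos";
  if (/linux/.test(ua) || plat.startsWith("linux")) return "linux";
  return "other";
}

// 2. The gating step: each targeted family gets its own decoy page; everyone
//    else (including most crawlers) is shown the harmless "stream" page.
//    These paths are hypothetical.
const DECOY_PAGES = {
  macos: "/update/apple-security-update.html",
  windows: "/download/github-installer.html",
};
function decoyPathFor(userAgent, platform = "") {
  const family = classifyPlatform(userAgent, platform);
  return DECOY_PAGES[family] || "/stream/live.html";
}

// 3. Defender side: flag page scripts that both sniff the OS and navigate
//    based on the result. Reading navigator.userAgent alone is common and
//    benign; it is the combination with OS tokens and a redirect that matters.
function flagOsGatedDelivery(scriptSource) {
  const hits = {
    readsPlatform: /navigator\.(userAgent|platform|userAgentData)/.test(scriptSource),
    matchesOsTokens: /(macintosh|mac os x|windows nt|iphone|android)/i.test(scriptSource),
    navigates: /(location\.(href|replace|assign)|window\.open|document\.write)/.test(scriptSource),
  };
  hits.suspicious = hits.readsPlatform && hits.matchesOsTokens && hits.navigates;
  return hits;
}

// Constructed sample: the gating logic above as it might appear inline on a page.
const SAMPLE_GATED = `
  var u = navigator.userAgent;
  if (/Macintosh|Mac OS X/.test(u)) location.replace("/update/apple-security-update.html");
  else if (/Windows NT/.test(u)) location.replace("/download/github-installer.html");
`;

// Constructed sample: legitimate UA sniffing (keyboard-shortcut hint), no redirect.
const SAMPLE_BENIGN = `
  var isMac = /Macintosh/.test(navigator.userAgent);
  document.getElementById("shortcut").textContent = isMac ? "Cmd+K" : "Ctrl+K";
`;

// Stand-alone demo of both halves.
for (const ua of [
  "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15",
  "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
  "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36",
]) {
  console.log(classifyPlatform(ua), "->", decoyPathFor(ua));
}
console.log("gated sample:", flagOsGatedDelivery(SAMPLE_GATED));
console.log("benign sample:", flagOsGatedDelivery(SAMPLE_BENIGN));
```

The practical consequence for anyone scanning these domains: fetch each landing page with several user agents (at least a macOS Safari and a Windows Chrome string) and diff the responses, since a single default crawler UA will usually receive only the innocuous version. The heuristic is intentionally coarse; treat a hit as a reason to look at the script, not as a verdict.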

Researchers also gained access to the admin panel of one fake ticketing operation, which revealed backend systems for tracking victim data, managing payment processing and automating the fraud workflow. This was digital fraud at industrial scale, built on the same hosting infrastructure, search-ranking techniques and interface design principles used by legitimate online commerce.

The findings also touched on a separate incident: the Incransom ransomware group claimed responsibility for breaching Silergy Corp and stealing over 450GB of sensitive data, including financial documents, passports, NDAs and customer information. Taken together, the two cases show how today’s cybercrime ecosystem runs very different campaigns in parallel, one monetizing mass consumer behaviour and the other extorting high-value corporate data.

Ultimately, protection against such threats requires both technical defenses and behavioural caution. For fans, that means buying only through the official ticketing channels, checking the domain in the address bar rather than trusting a sponsored search result or a Telegram link, and treating any streaming site that asks you to install a “security update” or an installer as hostile. For defenders, it means monitoring for lookalike domains and sponsored ads that impersonate ticketing brands, and remembering that client-side OS gating can hide the malicious content from automated scanners.
