The MSP Minute ⏱ Monday 8 June 2026
For Managed Service Providers worldwide. Today... 4,300 fake FIFA sites... June Patch Tuesday this week and it's a big one... and an IT callout with a bulletproof vest.
🔴 The World Cup opens Thursday. 4,300 fraudulent FIFA sites are already live and targeting your clients
The tournament might not start until Thursday, but the scammers have been ready since August.
Group-IB has tracked over 4,300 fraudulent FIFA-related domains registered since August 2025. At the centre is a campaign called GHOST STADIUM, a Chinese-speaking criminal operation. It’s running 300+ pixel-perfect clones of the official FIFA portal, complete with fake single sign-on flows, in 11 languages. The FBI confirmed last week that hundreds of these sites are actively harvesting credentials and payment details from fans buying tickets, merchandise, and streaming packages. (Source: The Hacker News)
The attack surface is enormous: FIFA said it received 150 million ticket requests in the first 15 days of sales (30 times oversubscribed), leaving millions of fans anxious, desperate, and clicking fast.
Your clients’ employees are football fans. Some of them are going to be searching for tickets, streams, and merchandise over the next seven weeks. How about sending a one-paragraph warning email this week?
Verify the URL
Buy only from official sources
Be extra careful when entering card details on a page you reached via a search ad
Have you seen any impact from this? Hit reply and let us know.
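For MSPs who would rather check than wait for a report, here is an added example (not from Group-IB or the FBI) of what "verify the URL" looks like when run over web proxy logs. It assumes fifa.com is the only official domain and a three-field log format; the log lines, user names and .example hosts are constructed.

```python
from urllib.parse import urlsplit

# Assumption: fifa.com is the only registrable domain treated as official.
OFFICIAL_DOMAINS = ("fifa.com",)
BRAND = "fifa"
# Constructed set of character swaps for lookalike names (1 or l for i, 4 for a).
SWAPS = str.maketrans({"1": "i", "l": "i", "4": "a"})


def classify(url):
    """Return 'official', 'suspect' or 'unrelated' for one URL or bare host."""
    try:
        parts = urlsplit(url if "://" in url else "//" + url)
    except ValueError:  # malformed bracketed host
        return "unrelated"
    host = (parts.hostname or "").rstrip(".")
    user = (parts.username or "").lower()
    # Match on a label boundary: "notfifa.com" must not pass as fifa.com.
    on_official = any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)
    # Brand before "@" is a disguise: the browser connects to the host after it.
    if BRAND in user and not on_official:
        return "suspect"
    if on_official:
        return "official"
    # Brand anywhere else in the host, after undoing digit/letter swaps.
    return "suspect" if BRAND in host.translate(SWAPS) else "unrelated"


def suspects(log_lines):
    """Yield (user, url) for each log line whose URL is classified suspect."""
    for line in log_lines:
        fields = line.split()
        if len(fields) >= 3 and classify(fields[2]) == "suspect":
            yield fields[1], fields[2]


# Constructed proxy log lines: timestamp, user, URL (reserved .example TLD).
SAMPLE_LOG = [
    "2026-06-08T09:14:02Z alice https://www.fifa.com/en/tickets",
    "2026-06-08T09:15:40Z bob https://fifa-tickets.example/sso/login",
    "2026-06-08T09:16:11Z carol https://fifa.com.secure-pay.example/checkout",
    "2026-06-08T09:17:29Z dave https://f1fa-worldcup.example/stream",
    "2026-06-08T09:18:03Z erin https://fifa.com@ticket-desk.example/",
    "2026-06-08T09:19:55Z frank https://intranet.client.example/wiki",
]

if __name__ == "__main__":
    for user, url in suspects(SAMPLE_LOG):
        print(f"review: {user} -> {url}")
```

A "suspect" result is a prompt for a human look, not a verdict: fan sites and news pages with the brand in their name will show up too.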
🟡 June Patch Tuesday is Wednesday. And it's probably bringing the Exchange Server zero-day fix we've been waiting for
Two things to know before Wednesday’s updates drop.
First: the Exchange Server zero-day CVE-2026-42897, the actively exploited cross-site scripting flaw, is expected to finally receive its permanent patch on Wednesday (although that hasn’t yet been confirmed). Microsoft has had a temporary EEMS mitigation in place since disclosure. Apply the permanent patch across all on-prem Exchange estates as soon as it’s available. (Source: Help Net Security)
Second: this is the last comfortable Patch Tuesday before the Secure Boot certificate deadline on June 26. Devices that receive Wednesday’s update are covered. Devices that miss it have no further comfortable window before the deadline. After June 26, unpatched devices enter a degraded security state. Windows Server does not auto-update this certificate; it requires manual deployment via Group Policy or WSUS. Check your Server estates today before Wednesday’s updates drop.
🟢 The IT support call that ended with tactical vehicles
The Register’s On Call column published last week with one of the best reader submissions in recent memory.
Solomon was working IT support for a Scottish courts organisation when he got an urgent callout. He arrived to find several police patrol cars. Then more arrived and the radio chatter intensified. Then two tactical vehicles came roaring around the corner.
There was a lot of shouting. Solomon’s exact thought at this point: “I need a bulletproof vest and a fully automatic rifle. I haven’t been to church for years.” (Source: The Register)
About 20 minutes later, the officer in charge returned to Solomon and told him he wasn’t needed. “No computers here,” he said, adding the cryptic explanation: “Things moved faster than expected.”
Ok, that’s Monday done. It’s gonna be a busy week, we feel. Don’t you? We’ll be back in your inbox tomorrow morning.


