The FBI published a warning last week. Threat actors have registered more than 498 fake domains tied to the 2026 FIFA World Cup. Fake ticket sites. Fake job listings. Fake merchandise stores. All live in DNS right now.
Every one of those domains is catchable. Not after victims report fraud. Before anyone gets hurt.
That is what DNS Spy’s Phishing Sentinel is built to do. It monitors for look-alike domains targeting your brand — domains registered to impersonate you, confuse your customers, and run attacks under your name.
This post walks through what those 498 domains look like at the DNS level, which attack techniques they use, and how Phishing Sentinel detects them.
What the FBI Actually Found
PSA I-052726-PSA, published May 27, 2026, documents a coordinated campaign targeting FIFA World Cup fans. Threat actors registered hundreds of fake domains designed to impersonate official FIFA infrastructure and fan-facing services.
Examples from the advisory include:
worldcup26ticket[.]com
wvvw-fifa[.]com (double-v in place of w)
fifa[.]pink and fifa[.]ceo
jobs-fifa[.]com and fifa-careerhub[.]com
These are not random. Each one uses a specific technique to get as close as possible to a legitimate-looking domain. Some swap characters. Some use new TLDs. Some add words around the brand name. All of them are designed to pass a quick visual check.
The FBI says volume will keep climbing as the tournament gets closer. These 498 are a floor, not a ceiling.
These Are Exactly the Attacks Phishing Sentinel Is Built to Catch
Phishing Sentinel is DNS Spy’s look-alike domain detection feature. It generates thousands of permutations of your domain name, checks which ones are actively registered with real DNS infrastructure, scores them by threat level, and alerts you when new ones appear.
Look at the FIFA examples again through that lens.
TLD Swap: fifa[.]pink, fifa[.]ceo
This is one of the simplest techniques. Take the real domain (fifa.com), keep the name exactly, change the TLD. Phishing Sentinel checks your brand name across hundreds of TLDs automatically. fifa.pink, fifa.shop, fifa.ceo — all of these are generated and checked as part of a standard scan.
Replacement: wvvw-fifa[.]com
The double-v trick substitutes two v characters for a single w. It is hard to see at a glance, especially in certain fonts or on mobile. Phishing Sentinel’s replacement detection covers character-level substitutions including v/w swaps, 1/l swaps, rn/m swaps, and similar near-misses.
Dictionary + Hyphenation: worldcup26ticket[.]com, jobs-fifa[.]com
These domains combine the brand name with common words — worldcup, jobs, tickets, careerhub. Phishing Sentinel’s dictionary technique appends and prepends common words to your domain and checks for active registrations. The hyphenation technique inserts hyphens at various positions. Both fire on this category of domain.
Homograph / IDN attacks
Not in the FBI examples, but worth understanding. Homograph attacks replace Latin characters with visually identical characters from other alphabets: a Cyrillic "а" for a Latin "a", a Greek "ο" for a Latin "o". The domain looks identical to the real one. Phishing Sentinel flags these as critical-severity threats, because they are nearly impossible to detect without tooling.
How Phishing Sentinel Works
The process runs in four steps.
1. Generate permutations
Phishing Sentinel uses dnstwist to generate thousands of domain variants using 17+ techniques. For a domain like dnsspy.io, that means checking dnssspy.io (repetition), dnsspy.com (TLD swap), dns-spy.io (hyphenation), dnasspy.io (insertion), and hundreds more.
2. Check registration
Each variant is checked for active registration and DNS resolution. Phishing Sentinel only surfaces domains that are actually registered and have live infrastructure — not theoretical possibilities. If a domain resolved, someone paid to register it and pointed it somewhere. That is signal.
3. Score and analyze
Every discovered domain gets a threat score from 0 to 100. The score is based on two factors: the attack technique (homograph attacks score higher than simple TLD swaps) and the infrastructure present (a domain with web hosting, MX records for sending email, and an SSL certificate scores near 100). High-threat variants surface first so you work the right list.
4. Monitor and alert
Phishing Sentinel does not just run once. It monitors continuously, catching new registrations, infrastructure changes, and domain reactivations over time. When a new look-alike domain appears or an existing one spins up hosting, you get an alert through whatever channels you have configured: email, Slack, Discord, or PagerDuty.
Why Infrastructure Scoring Matters
Not every look-alike domain is an active threat. Some are defensively registered by other companies. Some are parked with no content. Some are caught by registrars and never resolve.
The threat score tells you which ones to act on first.
A domain with web hosting, active MX records for sending email, and an SSL certificate scores near 100. That is a fully operational phishing site. It can send convincing emails from a domain that looks like yours, host a fake login page served over HTTPS with a padlock, and harvest credentials in real time.
A domain that is registered but has no hosting, no mail server, and no SSL scores much lower. It may still be worth monitoring, but it is not an immediate emergency.
Several of the FIFA domains in the FBI PSA would have scored high. worldcup26ticket[.]com, for example, was set up to run a fake storefront. That means web hosting and likely SSL. Phishing Sentinel would have flagged it as high-threat on discovery.
The PSA Is Always Late. Monitoring Is Not.
Here is the honest timeline of how threat intelligence PSAs work.
Someone gets hit. They report the fraud. Investigators trace the domain to an IP, a registrar, a pattern. Researchers aggregate enough cases to write a report. The PSA gets published.
That chain takes weeks. Sometimes months. Every day between when those domains went live and when the FBI published the PSA, victims were being hurt.
Phishing Sentinel watches continuously. When a new look-alike domain for your brand is registered, it shows up in your dashboard and triggers an alert. Not weeks later. As it happens.
For a brand with World Cup exposure right now, that gap is the difference between getting ahead of an attack and reading about it in a fraud report.
What to Do If Your Brand Has World Cup Exposure
If you are a sponsor, travel brand, ticketing reseller, or anyone with brand presence around the 2026 tournament, the threat window is open. Here is where to start.
Run a Phishing Sentinel scan on your domain
It takes two minutes to add a domain and run the first scan. You will see every registered look-alike with active infrastructure, sorted by threat score. You may be surprised how many are already out there.
Register the highest-risk variants yourself
Once you see your scan results, identify the highest-scoring variants and consider defensive registration. You will not get all of them, but taking the most convincing ones off the table matters.
Set up continuous monitoring
A one-time scan is a snapshot. Continuous monitoring is what catches the domains registered tomorrow, next week, and the week the tournament starts — which is when attack volume will peak. Phishing Sentinel monitors 24/7 and alerts when new variants appear.
Track infrastructure changes on known variants
A parked domain that spins up hosting and email is a domain that just became dangerous. Phishing Sentinel tracks infrastructure changes over time, so a low-scoring variant that suddenly becomes high-threat will resurface in your alerts.
The Bigger Point
498 fake FIFA domains is a large number. But it is not unusual. This scale of typosquatting happens before every major event, every product launch, every brand moment that puts a name in front of a large audience.
The FBI warning is useful. But it is reactive by nature. It arrives after damage is done.
Phishing Sentinel is proactive. It watches the domain namespace around your brand, scores what it finds by real threat level, and alerts you as new variants appear. You get the information when it can still help.
The 498 FIFA domains are a good illustration of why that matters. Every one of them maps to a technique Phishing Sentinel checks. Every one of them would have triggered an alert before a single victim clicked.
Phishing Sentinel is available on all DNS Spy plans. Start your free 7-day trial at dnsspy.io.
