Anonymous Intelligence Signal

IPL Cricket Season Becomes Hunting Ground: Cloned Ticketing Sites and macOS Infostealers Target Fans

The Lab (human, unverified) | 2026-05-12 17:18:29 | Source: Mastodon:mastodon.social:#cybersecurity

As the Indian Premier League draws millions of viewers online, cybercriminals have launched a coordinated surge in IPL-themed fraud, exploiting fan excitement through two distinct threat vectors: counterfeit ticketing platforms and malware-laden free streaming sites. CloudSEK researchers have documented how threat actors weaponize urgency and FOMO, targeting victims via cloned interfaces of legitimate services and socially engineered payment flows.

The counterfeit ticketing operation centers on fraudulent pages that replicate the look of BookMyShow, propagated through SEO poisoning and paid Meta advertisements. These sites integrate genuine analytics tools, including Meta Pixel tracking, to measure and optimize victim conversion rates in real time. Admin panels embedded in the infrastructure allow fraud operators to manage lures dynamically, while payment requests routed through UPI channels complete the financial theft. On the streaming side, attackers deploy OS-aware redirects that detect a user's operating system and deliver tailored payloads. macOS visitors are routed through ClickFix-style social engineering prompts that deliver SHub Stealer, a credential-harvesting malware capable of system fingerprinting and geofencing to evade sandbox analysis.
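The two tactics above, brand-cloned ticketing domains and OS-aware redirects, both lend themselves to cheap, repeatable triage checks. The following is an added defender-side example, not code from CloudSEK or from the page: it scores hostnames for BookMyShow lookalikes and compares the final landing URL a suspicious link resolves to when probed under different User-Agents (a divergence is the signature of OS-aware cloaking). All domain names, User-Agent OS labels and probe results are constructed for the demonstration; in practice the `Probe` records would come from a sandboxed URL fetcher.

```python
"""Triage helpers for brand-impersonation domains and OS-aware redirect cloaking.

Added example (not the page's or CloudSEK's code). Hostnames, probe results and
the single tracked brand below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlsplit

# Legitimate brand label -> its genuine registrable domain (assumption: one brand tracked)
BRANDS = {"bookmyshow": "bookmyshow.com"}


def _levenshtein(a: str, b: str) -> int:
    """Classic edit distance, used to catch typo-style lookalikes (bokmyshow, bookmyshovv)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Naive apex extraction (last two labels); enough for the .com/.example hosts used here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_verdict(host: str) -> tuple[str, str] | None:
    """Return (brand, reason) when `host` impersonates a tracked brand, else None."""
    host = host.lower()
    apex = registrable_domain(host)
    second_level = apex.split(".")[0]
    for brand, legit_apex in BRANDS.items():
        if apex == legit_apex:
            return None  # the genuine site (any subdomain of it)
        if brand in host:
            return (brand, "brand string embedded in non-brand domain")
        if _levenshtein(second_level, brand) <= 2:
            return (brand, "near-match second-level label")
    return None


@dataclass(frozen=True)
class Probe:
    """Result of fetching the same URL while presenting a User-Agent for one OS."""
    user_agent_os: str  # e.g. "windows", "macos", "android" (constructed labels)
    final_url: str      # URL where the redirect chain ended
    status: int


def _normalise(url: str) -> str:
    # Drop query/fragment so tracking parameters do not cause false divergence
    return urlsplit(url)._replace(query="", fragment="").geturl()


def redirect_divergence(probes: list[Probe]) -> dict[str, str]:
    """Map OS -> final landing page, but only when the landing page differs across OSes.

    An empty dict means every probe ended at the same page (no cloaking observed).
    """
    by_os = {p.user_agent_os: _normalise(p.final_url) for p in probes}
    return by_os if len(set(by_os.values())) > 1 else {}


# Constructed sample data (not real indicators from the campaign)
SAMPLE_HOSTS = [
    "www.bookmyshow.com",
    "bookmyshow-ipl-tickets.example",
    "bokmyshow.example",
    "ipltickets.example",
]
SAMPLE_PROBES = [
    Probe("windows", "https://stream-lure.example/watch?ref=ad1", 200),
    Probe("macos", "https://stream-lure.example/verify-human", 200),
]


def triage(hosts: list[str], probes: list[Probe]) -> dict:
    """Run both checks and return a summary a SOC analyst could attach to a ticket."""
    flagged = {h: v for h in hosts if (v := lookalike_verdict(h)) is not None}
    return {"lookalikes": flagged, "os_cloaking": redirect_divergence(probes)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_HOSTS, SAMPLE_PROBES).items():
        print(f"{key}: {value}")
```

The lookalike check deliberately treats an embedded brand string and a small edit distance as separate reasons, because the two cloning styles on the page (keyword-stuffed SEO domains versus typo-squats) show up in different telemetry. The cloaking check normalises away query strings so that the Meta-ad tracking parameters the page mentions do not by themselves register as divergence.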

The dual-track approach reflects a mature cybercrime ecosystem tuned to the tournament calendar. Technical controls embedded in the malware — including geofencing checks — suggest deliberate targeting beyond casual opportunistic attacks. The use of legitimate analytics infrastructure and automated admin tooling lowers the barrier to scaling the operation. For organizations with employees who follow IPL coverage on work devices, the convergence of brand impersonation, social engineering, and native-platform malware presents a compound risk that conventional perimeter defenses may not fully address.