FortiGuard Labs Threat Research
The internet is a great source for information and entertainment. But it is also rife with fraud schemes, scams, misinformation, and other tactics to exploit your personal and financial data. Cybercriminals often focus on high-profile global events to find target victims in hopes of stealing their financial data.
These criminals target viewers using a variety of strategies. Take for instance the current Rugby World Cup event currently being held in Japan. Many fans can't make it over to Asia, so they turn to free streaming services or download sports applications to keep them up-to-date on their favorite team. Unfortunately, free is sometimes too good to be true!
While exploring our FortiGuard Labs domains data feed, we found a suspicious site (rugbyworldcup[.]xyz) that did indeed advertise free live streaming of the World Cup. Following the website links ultimately directed us to a potential scam site asking for credit card information. What was supposed to be free, was not free any longer.
However, during our investigation of rugbyworldcup[.]xyz, we also visited one of its dynamic redirectors, sports99[.]club, and discovered more so-called free services for such things as free movies, music, and e-books.
We then employed our proprietary sequential log analysis on telemetry data and found a few more of these “free” services. And when we tested them, we learned that they all share a common scheme:
Here are a few of the suspicious sites we uncovered during our investigation.
alllivesport[.]com
(Advertising sites)
=> (Affiliate Redirector)
=> (Potential Scam Landing Page, Create a free account with fake info)
=> (Shares newly entered user info with fastplayz[.]com)
Note: The URL info parameter contains my entered email address and password encoded in Base64.
Base 64 Decoded produces: {"username":"test@hotmail[.]com","password":"IamAPassword"}
=> (Credit Card Validation Page)
Suspicious Sports Advertiser 2:
live-sport-streams[.]com
This one is very similar to alllivesport[.]com.
(Advertising sites)
=> (Dynamic Redirector1)
OR
=> (Dynamic Redirector2)
=> (Potential Scam Landing Page, Create a free account with email address and password)
=> (Shares newly entered user info with gamepopz[.]com)
Note: The URL info parameter contains my entered email address and password encoded in Base64.
Base 64 Decoded produces: {"username":"test@hotmail[.]com","password":"IamAPassword"}
=> (Credit Card Validation Page)
Suspicious Ebook Advertiser: best-online-books[.]com
This one shares the newly created account information in plain text with other sites.
(Advertising site)
hxxps://get-ebooks[.]club/book/3.Harry_Potter_and_the_Sorcerer_s_Stone
=> (Affiliate Redirectors) not listed for brevity
=> (Potential Scam Landing Page, Create a free account with fake info)
=> (Shares newly entered user info with others in plain text)
=> (Credit Card Validation Page)
OR
Note how similar looking both websites are.
Reviews By Victims:
hxxps://www.scamadviser[.]com/check-website/viewhall[.]com
hxxps://www.scamadviser[.]com/check-website/vibeall[.]com
Some landing pages appear to share a common FREE Account template, which indicates they are related and possibly owned by the same actor group.
Landing page of alllivesport[.]com
Landing Page of movie-streams-online[.]com
hxxp://ebook0919a2b[.]club/
hxxp://epicofebook[.]com/
hxxps://spinbook[.]net/
hxxps://mediabks[.]com/
hxxps://www.nwcbooks[.]com/
hxxp://find-files[.]com/
hxxps://just-watch-it[.]com/
hxxps://allsports4free[.]live/
hxxps://rugbyworldcup[.]xyz/
hxxps://2019rugbyworldcup[.]online/
hxxp://rugbychampionship2019[.]info/live/
Free Streaming Landing Pages
hxxps://movie-streams-online[.]com/
hxxps://live-sport-streams[.]com/
hxxps://allsports4free[.]live/
hxxps://coreplays[.]com/
hxxps://best-online-books[.]com/
hxxps://vibeall[.]com/
hxxp://ebook0919a2b[.]club/
Dynamic Redirector Domains
74lhpp2gt696[.]com
97oxono2oszo[.]com
a1qrfcnpvgbonol[.]com
ahf8n[.]com
book88c[.]club
cbegnypbairlnaprvv[.]com
checkebooks[.]download
crsrva24yz9s0[.]com
d10e2mfu67ch[.]com
dl11a[.]club
downloadplayer[.]xyz
ebooksonline[.]site
eecain7y[.]com
eecain7z[.]com
get-movies[.]club
get-sports[.]club
good-read[.]club
ing6liey[.]com
live-sports[.]me
mlb-streams[.]club
movie-plex[.]club
moviesfree[.]site
ms3t[.]club
nagubalnqfvi[.]com
ohmoo7ie[.]com
qnirnqfvi[.]com
qnirqryvirelv[.]com
recommendedforyou[.]xyz
rei6ohka[.]com
secure2t5z3[.]com
seyai0ui[.]com
shil8[.]com
soccer-streams[.]club
sports99[.]club
streamsportslive[.]online
taew5[.]com
ue3zaini[.]com
vod78d[.]club
wnzvrqryvirelv[.]com
xl415[.]com
xmediaserve[.]com
xoyoun5j8yzi[.]com
yxyug24kwhqe[.]com
zeezi4ei[.]com
hxxp://74lhpp2gt696[.]com/tuname.php
hxxp://97oxono2oszo[.]com/tuname.php
hxxp://a1qrfcnpvgbonol[.]com/tuname.php
hxxp://ahf8n[.]com/tuname.php
hxxp://cbegnypbairlnaprvv[.]com/tuname.php
hxxp://checkebooks[.]download/tuname.php
hxxp://d10e2mfu67ch[.]com/tuname.php
hxxp://eaudio.checkebooks[.]download/tuname.php
hxxp://ebooks.checkebooks[.]download/tuname.php
hxxp://eecain7y[.]com/tuname.php
hxxp://eecain7z[.]com/tuname.php
hxxp://epdf.checkebooks[.]download/tuname.php
hxxp://epud.checkebooks[.]download/tuname.php
hxxp://eread.checkebooks[.]download/tuname.php
hxxp://fb[.]downloadplayer[.]xyz/tuname.php
hxxp://ing6liey[.]com/tuname.php
hxxp://nagubalnqfvi[.]com/tuname.php
hxxp://ohmoo7ie[.]com/tuname.php
hxxp://qnirnqfvi[.]com/tuname.php
hxxp://qnirqryvirelv[.]com/tuname.php
hxxp://rei6ohka[.]com/tuname.php
hxxp://secure2t5z3[.]com/tuname.php
hxxp://seyai0ui[.]com/tuname.php
hxxp://shil8[.]com/tuname.php
hxxp://sports99[.]club/tuname.php
hxxp://taew5[.]com/tuname.php
hxxp://ue3zaini[.]com/tuname.php
hxxp://vod78d[.]club/tuname.php
hxxp://wnzvrqryvirelv[.]com/tuname.php
hxxp://www.xl415[.]com/tuname.php
hxxp://www.xoyoun5j8yzi[.]com/tuname.php
hxxp://www1.xmediaserve[.]com/tuname.php
hxxp://xoyoun5j8yzi[.]com/tuname.php
hxxp://yxyug24kwhqe[.]com/tuname.php
hxxp://zeezi4ei[.]com/tuname.php
hxxp://book88c[.]club/tuname.php
hxxp://crsrva24yz9s0[.]com/tuname.php
hxxp://dl11a[.]club/tuname.php
hxxp://ebooksonline[.]site/tuname.php
hxxp://eecain7z[.]com/tuname.php
hxxp://fb.get-movies[.]club/tuname.php
hxxp://fb.get-sports[.]club/tuname.php
hxxp://fb.good-read[.]club/tuname.php
hxxp://fb[.]live-sports[.]me/tuname.php
hxxp://fb.mlb-streams[.]club/tuname.php
hxxp://fb.movie-plex[.]club/tuname.php
hxxp://fb.recommendedforyou[.]xyz/tuname.php
hxxp://fb.soccer-streams[.]club/tuname.php
hxxp://moviesfree[.]site/tuname.php
hxxp://ms3t[.]club/tuname.php
hxxp://rei6ohka[.]com/tuname.php
hxxp://seyai0ui[.]com/tuname.php
hxxp://shil8[.]com/tuname.php
hxxp://sports99[.]club/tuname.php
hxxp://streamsportslive[.]online/tuname.php
hxxp://taew5[.]com/tuname.php
hxxp://ue3zaini[.]com/tuname.php
hxxp://vod78d[.]club/tuname.php
hxxp://wnzvrqryvirelv[.]com/tuname.php
hxxp://zeezi4ei[.]com/tuname.php
168.88.170.2
172.217.28.108
172.31.53.140
172.96.187.211
179.43.176.163
198.19.97.17
209.85.202.211
209.99.40.222
209.99.40.223
216.58.223.236
37.1.202.16
37.1.223.152
62.217.251.222
67.227.226.240
78.140.181.169
78.140.181.183
78.140.181.188
78.140.190.230
As you can see, the lesson here is to be cautious of any free streaming website, it might be more than it seems. Doing an internet search using ‘free streaming sites for rugby world cup’ elicited 110 million webpages. Many of these sites are suspicious and likely contain malware. Our advice is that if you must watch sports online, it is best that you purchase from a legitimate streaming service.
Learn more about FortiGuard Labs and the FortiGuard Security Services portfolio. Sign up for our weekly FortiGuard Threat Brief.
Read about the FortiGuard Security Rating Service, which provides security audits and best practices.