FortiGuard Labs Threat Research
Free Rugby World Cup Streaming Service Can Be a Foul Play
The internet is a great source for information and entertainment. But it is also rife with fraud schemes, scams, misinformation, and other tactics to exploit your personal and financial data. Cybercriminals often focus on high-profile global events to find target victims in hopes of stealing their financial data.
These criminals target viewers using a variety of strategies. Take for instance the current Rugby World Cup event currently being held in Japan. Many fans can't make it over to Asia, so they turn to free streaming services or download sports applications to keep them up-to-date on their favorite team. Unfortunately, free is sometimes too good to be true!
While exploring our FortiGuard Labs domains data feed, we found a suspicious site (rugbyworldcup[.]xyz) that did indeed advertise free live streaming of the World Cup. Following the website links ultimately directed us to a potential scam site asking for credit card information. What was supposed to be free, was not free any longer.
However, during our investigation of rugbyworldcup[.]xyz, we also visited one of its dynamic redirectors, sports99[.]club, and discovered more so-called free services for such things as free movies, music, and e-books.
We then employed our proprietary sequential log analysis on telemetry data and found a few more of these “free” services. And when we tested them, we learned that they all share a common scheme:
- Advertising sites that promote free services
- Watch/Download Free Movies
- Download Free E-books
- Watch Live Sports Free
- Advertising sites that link to one or more affiliate networks and directs the user to the so-called free service site
- Free service sites (advertisers) ask users to create a free user account by providing an email address and password
- Free service sites share newly entered user info with one or more external sites (sometimes transmitted in plain text!) and then direct the user to the final account validation site
- The account validation site prompts the user to enter their credit card information to “validate” their account. The free account is not created until the user submits their credit card information
- User reviews online indicate fraud because they subsequently find unauthorized credit card charges from these so-called free service companies
Here are a few of the suspicious sites we uncovered during our investigation.
Suspicious Sports Advertiser 1:
alllivesport[.]com
(Advertising sites)
- hxxps://rugbyworldcup[.]xyz/#Rugby_World_Cup_2019_Teams
- hxxps://2019rugbyworldcup[.]online/
- hxxp://rugbychampionship2019[.]info/live/
=> (Affiliate Redirector)
- hxxp://www.affforce[.]com/scripts/un981c6l?a_aid=d022be2e&a_bid=70104349
=> (Potential Scam Landing Page, Create a free account with fake info)
- hxxps://alllivesport[.]com/sp2/?bg=rwc2019.jpg&a=2&clickid=5d850ce60a5df4000155f4b3&pubid=8922&q=WATCH%202019%20RUGBY%20WORLD%20CUP%20LIVE
=> (Shares newly entered user info with fastplayz[.]com)
- hxxps://fastplayz[.]com/registration?theme=allsports-direct&v_id=463adf18-fa93-4d81-fc8e-db1ab8337ec4&info=eyJ1c2VybmFtZSI6InRlc3RAaG90bWFpbC5jb20iLCJwYXNzd29yZCI6IklhbUFQYXNzd29yZCJ9%3D&a_aid=864kjuyuio54&page=allsports-direct&clickid=5d850ce60a5df4000155f4b3&pubid=8922
Note: The URL info parameter contains my entered email address and password encoded in Base64.
Base 64 Decoded produces: {"username":"test@hotmail[.]com","password":"IamAPassword"}
=> (Credit Card Validation Page)
- hxxps://fastplayz[.]com/subscriptions/checkoutaff/allsports-direct
Suspicious Sports Advertiser 2:
live-sport-streams[.]com
This one is very similar to alllivesport[.]com.
(Advertising sites)
- hxxps://rugbyworldcup[.]xyz/
- hxxps://www.rugbyworldcupjp[.]com/live/
=> (Dynamic Redirector1)
- hxxps://sports99[.]club/tuname.php?&d=1&z=31672&lpage=s-dual-rugby&c_bg=%2F%2Fimg.codes%2FuftjcYhic&c_img1=%2F%2Fimg.codes%2F4LmsIiQic&q=Rugby+World+Cup+Japan+2019+Live+Stream
OR
=> (Dynamic Redirector2)
- hxxps://www.affforce[.]com/scripts/un981c6l?a_aid=d022be2e&a_bid=d8ec0a95
=> (Potential Scam Landing Page, Create a free account with email address and password)
- hxxps://live-sport-streams[.]com/9375-5-d5cecf7a/signup-dual/rugby/#/z=47401/dp=3479603723.537103.287de6b56d.31672.5a7af23a64dbdb158e830c9b8a56e98f/c_bg=%2F%2Fimg.codes%2FuftjcYhic/c_img1=%2F%2Fimg.codes%2F4LmsIiQic/c_img2={c_img2_enc}/q=Rugby+World+Cup+Japan+2019+Live+Stream/
=> (Shares newly entered user info with gamepopz[.]com)
- hxxps://gamepopz[.]com/registration?theme=allsports-direct&v_id=ef789c59-a352-0539-4ade-fd39382dc784&info=eyJ1c2VybmFtZSI6InRlc3RAaG90bWFpbC5jb20iLCJwYXNzd29yZCI6IklhbUFQYXNzd29yZCJ9&page=allsports-direct&pubid=47401&clickid=3479603723.537103.b911a2a2f5.31672.e9f57fe10e56cad9b34aa4ccb14a326c&a_aid=514b2121ef654
Note: The URL info parameter contains my entered email address and password encoded in Base64.
Base 64 Decoded produces: {"username":"test@hotmail[.]com","password":"IamAPassword"}
=> (Credit Card Validation Page)
- hxxps://gamepopz[.]com/subscriptions/checkoutaff/allsports-direct
Suspicious Ebook Advertiser: best-online-books[.]com
This one shares the newly created account information in plain text with other sites.
(Advertising site)
hxxps://get-ebooks[.]club/book/3.Harry_Potter_and_the_Sorcerer_s_Stone
=> (Affiliate Redirectors) not listed for brevity
=> (Potential Scam Landing Page, Create a free account with fake info)
- hxxps://best-online-books[.]com/9375-4-1ce92b4a/signup-spry/#/z=46801/dp=3479603723.537428.2c19c4bf94.31267.680a50433aab8811514339d8a244cfd3/q=Harry+Potter+and+the+Sorcerer%27s+Stone/
=> (Shares newly entered user info with others in plain text)
- hxxps://email.perfectvalidation[.]com/push/?trafficsource=MH&email=test%40hotmail[.]com&zoneid=46801&clickid=3479603723.537422.3c26400f88.31267.064ed18a92f851ae8c940e181f450dd0&tags%5B%5D=books&query=Harry%20Potter%20and%20the%20Sorcerer%27s%20Stone
- hxxp://runslin[.]com/?email=test%40hotmail[.]com&password=IamAPassword&a_aid=MhB&data3=&data4=pc&a_bid=b7920773&data1=46801&data2=3479603723.537422.3c26400f88.31267.064ed18a92f851ae8c940e181f450dd0
=> (Credit Card Validation Page)
- hxxps://vibeall[.]com/joinnow/step2.php
OR
- hxxps://viewhall[.]com/joinnow/step2.php
Note how similar looking both websites are.
Reviews By Victims:
hxxps://www.scamadviser[.]com/check-website/viewhall[.]com
hxxps://www.scamadviser[.]com/check-website/vibeall[.]com
Landing Pages Share Similarity
Some landing pages appear to share a common FREE Account template, which indicates they are related and possibly owned by the same actor group.
Landing page of alllivesport[.]com
![Landing page of alllivesport[.]com](/blog/threat-research/free-rugby-world-cup-streaming-foul-play/_jcr_content/root/responsivegrid/image_846513891.img.png/1570207591407/rugby-eight.png)
Landing Page of movie-streams-online[.]com
Potential Scam IOCs
Advertising Free Service Sites
hxxp://ebook0919a2b[.]club/
hxxp://epicofebook[.]com/
hxxps://spinbook[.]net/
hxxps://mediabks[.]com/
hxxps://www.nwcbooks[.]com/
hxxp://find-files[.]com/
hxxps://just-watch-it[.]com/
hxxps://allsports4free[.]live/
hxxps://rugbyworldcup[.]xyz/
hxxps://2019rugbyworldcup[.]online/
hxxp://rugbychampionship2019[.]info/live/
Free Streaming Landing Pages
hxxps://movie-streams-online[.]com/
hxxps://live-sport-streams[.]com/
hxxps://allsports4free[.]live/
Free Ebooks Landing Pages
hxxps://coreplays[.]com/
hxxps://best-online-books[.]com/
hxxps://vibeall[.]com/
hxxp://ebook0919a2b[.]club/
Dynamic Redirector Domains
74lhpp2gt696[.]com
97oxono2oszo[.]com
a1qrfcnpvgbonol[.]com
ahf8n[.]com
book88c[.]club
cbegnypbairlnaprvv[.]com
checkebooks[.]download
crsrva24yz9s0[.]com
d10e2mfu67ch[.]com
dl11a[.]club
downloadplayer[.]xyz
ebooksonline[.]site
eecain7y[.]com
eecain7z[.]com
get-movies[.]club
get-sports[.]club
good-read[.]club
ing6liey[.]com
live-sports[.]me
mlb-streams[.]club
movie-plex[.]club
moviesfree[.]site
ms3t[.]club
nagubalnqfvi[.]com
ohmoo7ie[.]com
qnirnqfvi[.]com
qnirqryvirelv[.]com
recommendedforyou[.]xyz
rei6ohka[.]com
secure2t5z3[.]com
seyai0ui[.]com
shil8[.]com
soccer-streams[.]club
sports99[.]club
streamsportslive[.]online
taew5[.]com
ue3zaini[.]com
vod78d[.]club
wnzvrqryvirelv[.]com
xl415[.]com
xmediaserve[.]com
xoyoun5j8yzi[.]com
yxyug24kwhqe[.]com
zeezi4ei[.]com
Dynamic Redirecting URLs (Removed Query Parameters)
hxxp://74lhpp2gt696[.]com/tuname.php
hxxp://97oxono2oszo[.]com/tuname.php
hxxp://a1qrfcnpvgbonol[.]com/tuname.php
hxxp://ahf8n[.]com/tuname.php
hxxp://cbegnypbairlnaprvv[.]com/tuname.php
hxxp://checkebooks[.]download/tuname.php
hxxp://d10e2mfu67ch[.]com/tuname.php
hxxp://eaudio.checkebooks[.]download/tuname.php
hxxp://ebooks.checkebooks[.]download/tuname.php
hxxp://eecain7y[.]com/tuname.php
hxxp://eecain7z[.]com/tuname.php
hxxp://epdf.checkebooks[.]download/tuname.php
hxxp://epud.checkebooks[.]download/tuname.php
hxxp://eread.checkebooks[.]download/tuname.php
hxxp://fb[.]downloadplayer[.]xyz/tuname.php
hxxp://ing6liey[.]com/tuname.php
hxxp://nagubalnqfvi[.]com/tuname.php
hxxp://ohmoo7ie[.]com/tuname.php
hxxp://qnirnqfvi[.]com/tuname.php
hxxp://qnirqryvirelv[.]com/tuname.php
hxxp://rei6ohka[.]com/tuname.php
hxxp://secure2t5z3[.]com/tuname.php
hxxp://seyai0ui[.]com/tuname.php
hxxp://shil8[.]com/tuname.php
hxxp://sports99[.]club/tuname.php
hxxp://taew5[.]com/tuname.php
hxxp://ue3zaini[.]com/tuname.php
hxxp://vod78d[.]club/tuname.php
hxxp://wnzvrqryvirelv[.]com/tuname.php
hxxp://www.xl415[.]com/tuname.php
hxxp://www.xoyoun5j8yzi[.]com/tuname.php
hxxp://www1.xmediaserve[.]com/tuname.php
hxxp://xoyoun5j8yzi[.]com/tuname.php
hxxp://yxyug24kwhqe[.]com/tuname.php
hxxp://zeezi4ei[.]com/tuname.php
hxxp://book88c[.]club/tuname.php
hxxp://crsrva24yz9s0[.]com/tuname.php
hxxp://dl11a[.]club/tuname.php
hxxp://ebooksonline[.]site/tuname.php
hxxp://eecain7z[.]com/tuname.php
hxxp://fb.get-movies[.]club/tuname.php
hxxp://fb.get-sports[.]club/tuname.php
hxxp://fb.good-read[.]club/tuname.php
hxxp://fb[.]live-sports[.]me/tuname.php
hxxp://fb.mlb-streams[.]club/tuname.php
hxxp://fb.movie-plex[.]club/tuname.php
hxxp://fb.recommendedforyou[.]xyz/tuname.php
hxxp://fb.soccer-streams[.]club/tuname.php
hxxp://moviesfree[.]site/tuname.php
hxxp://ms3t[.]club/tuname.php
hxxp://rei6ohka[.]com/tuname.php
hxxp://seyai0ui[.]com/tuname.php
hxxp://shil8[.]com/tuname.php
hxxp://sports99[.]club/tuname.php
hxxp://streamsportslive[.]online/tuname.php
hxxp://taew5[.]com/tuname.php
hxxp://ue3zaini[.]com/tuname.php
hxxp://vod78d[.]club/tuname.php
hxxp://wnzvrqryvirelv[.]com/tuname.php
hxxp://zeezi4ei[.]com/tuname.php
Redirector Hosting IPs
168.88.170.2
172.217.28.108
172.31.53.140
172.96.187.211
179.43.176.163
198.19.97.17
209.85.202.211
209.99.40.222
209.99.40.223
216.58.223.236
37.1.202.16
37.1.223.152
62.217.251.222
67.227.226.240
78.140.181.169
78.140.181.183
78.140.181.188
78.140.190.230
As you can see, the lesson here is to be cautious of any free streaming website, it might be more than it seems. Doing an internet search using ‘free streaming sites for rugby world cup’ elicited 110 million webpages. Many of these sites are suspicious and likely contain malware. Our advice is that if you must watch sports online, it is best that you purchase from a legitimate streaming service.
Learn more about FortiGuard Labs and the FortiGuard Security Services portfolio. Sign up for our weekly FortiGuard Threat Brief.
Read about the FortiGuard Security Rating Service, which provides security audits and best practices.
