Free Rugby World Cup Streaming Service Can Be a Foul Play

The internet is a great source for information and entertainment. But it is also rife with fraud schemes, scams, misinformation, and other tactics to exploit your personal and financial data. Cybercriminals often focus on high-profile global events to find target victims in hopes of stealing their financial data.

These criminals target viewers using a variety of strategies. Take for instance the current Rugby World Cup event currently being held in Japan. Many fans can’t make it over to Asia, so they turn to free streaming services or download sports applications to keep them up-to-date on their favorite team. Unfortunately, free is sometimes too good to be true!

While exploring our FortiGuard Labs domains data feed, we found a suspicious site (rugbyworldcup[.]xyz) that did indeed advertise free live streaming of the World Cup. Following the website links ultimately directed us to a potential scam site asking for credit card information. What was supposed to be free, was not free any longer.

However, during our investigation of rugbyworldcup[.]xyz, we also visited one of its dynamic redirectors, sports99[.]club, and discovered more so-called free services for such things as free movies, music, and e-books.

We then employed our proprietary sequential log analysis on telemetry data and found a few more of these “free” services. And when we tested them, we learned that they all share a common scheme:

  • Advertising sites that promote free services
    • Watch/Download Free Movies
    • Download Free E-books
    • Watch Live Sports Free
       
  • Advertising sites that link to one or more affiliate networks and directs the user to the so-called free service site
  • Free service sites (advertisers) ask users to create a free user account by providing an email address and password
  • Free service sites share newly entered user info with one or more external sites (sometimes transmitted in plain text!) and then direct the user to the final account validation site
  • The account validation site prompts the user to enter their credit card information to “validate” their account. The free account is not created until the user submits their credit card information
  • User reviews online indicate fraud because they subsequently find unauthorized credit card charges from these so-called free service companies

Here are a few of the suspicious sites we uncovered during our investigation.

Suspicious Sports Advertiser 1:

alllivesport[.]com
(Advertising sites)

  • hxxps://rugbyworldcup[.]xyz/#Rugby_World_Cup_2019_Teams
  • hxxps://2019rugbyworldcup[.]online/
  • hxxp://rugbychampionship2019[.]info/live/

=> (Affiliate Redirector) 

  • hxxp://www.affforce[.]com/scripts/un981c6l?a_aid=d022be2e&a_bid=70104349

=> (Potential Scam Landing Page, Create a free account with fake info)

  • hxxps://alllivesport[.]com/sp2/?bg=rwc2019.jpg&a=2&clickid=5d850ce60a5df4000155f4b3&pubid=8922&q=WATCH%202019%20RUGBY%20WORLD%20CUP%20LIVE

=> (Shares newly entered user info with fastplayz[.]com)

  • hxxps://fastplayz[.]com/registration?theme=allsports-direct&v_id=463adf18-fa93-4d81-fc8e-db1ab8337ec4&info=eyJ1c2VybmFtZSI6InRlc3RAaG90bWFpbC5jb20iLCJwYXNzd29yZCI6IklhbUFQYXNzd29yZCJ9%3D&a_aid=864kjuyuio54&page=allsports-direct&clickid=5d850ce60a5df4000155f4b3&pubid=8922

Note: The URL info parameter contains my entered email address and password encoded in Base64.
Base 64 Decoded produces: {“username”:”test@hotmail[.]com”,”password”:”IamAPassword”}

=> (Credit Card Validation Page)

  • hxxps://fastplayz[.]com/subscriptions/checkoutaff/allsports-direct

Suspicious Sports Advertiser 2:

live-sport-streams[.]com

This one is very similar to alllivesport[.]com.

(Advertising sites)

  • hxxps://rugbyworldcup[.]xyz/
  • hxxps://www.rugbyworldcupjp[.]com/live/

=> (Dynamic Redirector1)

  • hxxps://sports99[.]club/tuname.php?&d=1&z=31672&lpage=s-dual-rugby&c_bg=%2F%2Fimg.codes%2FuftjcYhic&c_img1=%2F%2Fimg.codes%2F4LmsIiQic&q=Rugby+World+Cup+Japan+2019+Live+Stream

OR

=> (Dynamic Redirector2)

  • hxxps://www.affforce[.]com/scripts/un981c6l?a_aid=d022be2e&a_bid=d8ec0a95

=> (Potential Scam Landing Page, Create a free account with email address and password)

  • hxxps://live-sport-streams[.]com/9375-5-d5cecf7a/signup-dual/rugby/#/z=47401/dp=3479603723.537103.287de6b56d.31672.5a7af23a64dbdb158e830c9b8a56e98f/c_bg=%2F%2Fimg.codes%2FuftjcYhic/c_img1=%2F%2Fimg.codes%2F4LmsIiQic/c_img2={c_img2_enc}/q=Rugby+World+Cup+Japan+2019+Live+Stream/

=> (Shares newly entered user info with gamepopz[.]com)

  • hxxps://gamepopz[.]com/registration?theme=allsports-direct&v_id=ef789c59-a352-0539-4ade-fd39382dc784&info=eyJ1c2VybmFtZSI6InRlc3RAaG90bWFpbC5jb20iLCJwYXNzd29yZCI6IklhbUFQYXNzd29yZCJ9&page=allsports-direct&pubid=47401&clickid=3479603723.537103.b911a2a2f5.31672.e9f57fe10e56cad9b34aa4ccb14a326c&a_aid=514b2121ef654

Note: The URL info parameter contains my entered email address and password encoded in Base64.

Base 64 Decoded produces: {“username”:”test@hotmail[.]com”,”password”:”IamAPassword”}

=> (Credit Card Validation Page)

  • hxxps://gamepopz[.]com/subscriptions/checkoutaff/allsports-direct

Suspicious Ebook Advertiser: best-online-books[.]com

This one shares the newly created account information in plain text with other sites.

(Advertising site)
hxxps://get-ebooks[.]club/book/3.Harry_Potter_and_the_Sorcerer_s_Stone

=> (Affiliate Redirectors) not listed for brevity
=> (Potential Scam Landing Page, Create a free account with fake info)

  • hxxps://best-online-books[.]com/9375-4-1ce92b4a/signup-spry/#/z=46801/dp=3479603723.537428.2c19c4bf94.31267.680a50433aab8811514339d8a244cfd3/q=Harry+Potter+and+the+Sorcerer%27s+Stone/

=> (Shares newly entered user info with others in plain text)

  • hxxps://email.perfectvalidation[.]com/push/?trafficsource=MH&email=test%40hotmail[.]com&zoneid=46801&clickid=3479603723.537422.3c26400f88.31267.064ed18a92f851ae8c940e181f450dd0&tags%5B%5D=books&query=Harry%20Potter%20and%20the%20Sorcerer%27s%20Stone
  • hxxp://runslin[.]com/?email=test%40hotmail[.]com&password=IamAPassword&a_aid=MhB&data3=&data4=pc&a_bid=b7920773&data1=46801&data2=3479603723.537422.3c26400f88.31267.064ed18a92f851ae8c940e181f450dd0

=> (Credit Card Validation Page)

  • hxxps://vibeall[.]com/joinnow/step2.php

Note how similar looking both websites are.

Reviews By Victims:

hxxps://www.scamadviser[.]com/check-website/viewhall[.]com
hxxps://www.scamadviser[.]com/check-website/vibeall[.]com

Landing Pages Share Similarity

Some landing pages appear to share a common FREE Account template, which indicates they are related and possibly owned by the same actor group.

Landing page of alllivesport[.]com

Potential Scam IOCs

Advertising Free Service Sites

hxxp://ebook0919a2b[.]club/
hxxp://epicofebook[.]com/
hxxps://spinbook[.]net/
hxxps://mediabks[.]com/
hxxps://www.nwcbooks[.]com/
hxxp://find-files[.]com/
hxxps://just-watch-it[.]com/
hxxps://allsports4free[.]live/
hxxps://rugbyworldcup[.]xyz/
hxxps://2019rugbyworldcup[.]online/
hxxp://rugbychampionship2019[.]info/live/

Free Streaming Landing Pages

hxxps://movie-streams-online[.]com/
hxxps://live-sport-streams[.]com/
hxxps://allsports4free[.]live/

Free Ebooks Landing Pages

hxxps://coreplays[.]com/
hxxps://best-online-books[.]com/
hxxps://vibeall[.]com/
hxxp://ebook0919a2b[.]club/

Dynamic Redirector Domains

74lhpp2gt696[.]com
97oxono2oszo[.]com
a1qrfcnpvgbonol[.]com
ahf8n[.]com
book88c[.]club
cbegnypbairlnaprvv[.]com
checkebooks[.]download
crsrva24yz9s0[.]com
d10e2mfu67ch[.]com
dl11a[.]club
downloadplayer[.]xyz
ebooksonline[.]site
eecain7y[.]com
eecain7z[.]com
get-movies[.]club
get-sports[.]club
good-read[.]club
ing6liey[.]com
live-sports[.]me
mlb-streams[.]club
movie-plex[.]club
moviesfree[.]site
ms3t[.]club
nagubalnqfvi[.]com
ohmoo7ie[.]com
qnirnqfvi[.]com
qnirqryvirelv[.]com
recommendedforyou[.]xyz
rei6ohka[.]com
secure2t5z3[.]com
seyai0ui[.]com
shil8[.]com
soccer-streams[.]club
sports99[.]club
streamsportslive[.]online
taew5[.]com
ue3zaini[.]com
vod78d[.]club
wnzvrqryvirelv[.]com
xl415[.]com
xmediaserve[.]com
xoyoun5j8yzi[.]com
yxyug24kwhqe[.]com
zeezi4ei[.]com

Dynamic Redirecting URLs (Removed Query Parameters)

hxxp://74lhpp2gt696[.]com/tuname.php           
hxxp://97oxono2oszo[.]com/tuname.php           
hxxp://a1qrfcnpvgbonol[.]com/tuname.php        
hxxp://ahf8n[.]com/tuname.php                  
hxxp://cbegnypbairlnaprvv[.]com/tuname.php     
hxxp://checkebooks[.]download/tuname.php       
hxxp://d10e2mfu67ch[.]com/tuname.php           
hxxp://eaudio.checkebooks[.]download/tuname.php
hxxp://ebooks.checkebooks[.]download/tuname.php
hxxp://eecain7y[.]com/tuname.php               
hxxp://eecain7z[.]com/tuname.php               
hxxp://epdf.checkebooks[.]download/tuname.php  
hxxp://epud.checkebooks[.]download/tuname.php  
hxxp://eread.checkebooks[.]download/tuname.php 
hxxp://fb[.]downloadplayer[.]xyz/tuname.php      
hxxp://ing6liey[.]com/tuname.php               
hxxp://nagubalnqfvi[.]com/tuname.php           
hxxp://ohmoo7ie[.]com/tuname.php               
hxxp://qnirnqfvi[.]com/tuname.php              
hxxp://qnirqryvirelv[.]com/tuname.php          
hxxp://rei6ohka[.]com/tuname.php               
hxxp://secure2t5z3[.]com/tuname.php            
hxxp://seyai0ui[.]com/tuname.php               
hxxp://shil8[.]com/tuname.php                  
hxxp://sports99[.]club/tuname.php              
hxxp://taew5[.]com/tuname.php                   
hxxp://ue3zaini[.]com/tuname.php               
hxxp://vod78d[.]club/tuname.php                
hxxp://wnzvrqryvirelv[.]com/tuname.php         
hxxp://www.xl415[.]com/tuname.php              
hxxp://www.xoyoun5j8yzi[.]com/tuname.php       
hxxp://www1.xmediaserve[.]com/tuname.php       
hxxp://xoyoun5j8yzi[.]com/tuname.php           
hxxp://yxyug24kwhqe[.]com/tuname.php           
hxxp://zeezi4ei[.]com/tuname.php               
hxxp://book88c[.]club/tuname.php              
hxxp://crsrva24yz9s0[.]com/tuname.php         
hxxp://dl11a[.]club/tuname.php                
hxxp://ebooksonline[.]site/tuname.php         
hxxp://eecain7z[.]com/tuname.php              
hxxp://fb.get-movies[.]club/tuname.php        
hxxp://fb.get-sports[.]club/tuname.php        
hxxp://fb.good-read[.]club/tuname.php         
hxxp://fb[.]live-sports[.]me/tuname.php         
hxxp://fb.mlb-streams[.]club/tuname.php       
hxxp://fb.movie-plex[.]club/tuname.php        
hxxp://fb.recommendedforyou[.]xyz/tuname.php  
hxxp://fb.soccer-streams[.]club/tuname.php    
hxxp://moviesfree[.]site/tuname.php           
hxxp://ms3t[.]club/tuname.php                 
hxxp://rei6ohka[.]com/tuname.php               
hxxp://seyai0ui[.]com/tuname.php              
hxxp://shil8[.]com/tuname.php                 
hxxp://sports99[.]club/tuname.php             
hxxp://streamsportslive[.]online/tuname.php   
hxxp://taew5[.]com/tuname.php                 
hxxp://ue3zaini[.]com/tuname.php              
hxxp://vod78d[.]club/tuname.php               
hxxp://wnzvrqryvirelv[.]com/tuname.php        
hxxp://zeezi4ei[.]com/tuname.php     

Redirector Hosting IPs

168.88.170.2  
172.217.28.108
172.31.53.140 
172.96.187.211
179.43.176.163
198.19.97.17  
209.85.202.211
209.99.40.222 
209.99.40.223 
216.58.223.236
37.1.202.16   
37.1.223.152  
62.217.251.222
67.227.226.240
78.140.181.169
78.140.181.183
78.140.181.188
78.140.190.230

As you can see, the lesson here is to be cautious of any free streaming website, it might be more than it seems. Doing an internet search using ‘free streaming sites for rugby world cup’ elicited 110 million webpages. Many of these sites are suspicious and likely contain malware. Our advice is that if you must watch sports online, it is best that you purchase from a legitimate streaming service.  

Learn more about FortiGuard Labs and the FortiGuard Security Services portfolioSign up for our weekly FortiGuard Threat Brief. 

Read about the FortiGuard Security Rating Service, which provides security audits and best practices.

Fortigate is an enterprise network security appliance that works with Cloud Bare Metal. Contact us to find out our latest offers!

Comments are closed.

>