While following up on research into a phishing campaign targeting high-tech workers, our team of Sports-ISAO CrowdWatch analysts discovered a new set of cyber observables (COs) targeting rugby fans.
The Rugby World Cup is currently taking place in Tokyo, with the final game set for Saturday, November 2nd. Fans from all over the world, anxious to get access to the final playoffs, are falling prey to a scam advertising “free” streaming sites. In truth, these streaming sites provide not only pirated video feeds of the games but also a generous helping of malware that infects viewers’ devices and turns them into bots under the command of the unscrupulous thieves.
“There is no free lunch” is a truism that echoes far beyond its origins. In this case, the victims may be subject to theft of personally identifiable information (PII), loss of computing resources through degraded (read: hijacked) services, theft of financial resources, or other exploits. Importantly, rugby fans whose devices become infected also risk losing control of those devices, since each one becomes part of a widespread botnet that operates at the behest of the bot master. In this case, there is evidence of bitcoin mining code embedded in the malware payloads.
There is also evidence that the criminal gang operating the Ad Fraud botnet migrated to this scheme from a well-developed and highly orchestrated porn network. Furthermore, unwitting co-conspirators who register as Affiliates are unlikely to see any remuneration from the scheme, since the top-dog criminal gang does not even contact its Affiliates after they sign up to “recruit” other victims.
Readers of this blog, and sports fans in general, should beware of so-called “free” streaming sites. Avoid them and keep control of your device.
If you are a defender, here are the most active malware dropper sites associated with this campaign. These were active as of October 25th and were still active at the time of this writing (Nov. 1, 2019).
For more information or a full list of the Cyber Observables being used in the attack contact us.