Tackling the Scourge of Malicious Streaming Sites During this Year’s FIFA World Cup

Amid the off-the-field controversies, the 2022 FIFA World Cup in Qatar is well and truly up and running, with all the drama, excitement, elation and despair you would expect from football’s premier event.

However, the choice of venue has reportedly meant fewer fans than usual attending in person, owing to factors such as cost, infrastructure issues and the time of year.

Early reports suggest that this has led to higher-than-average global TV audience figures, with this year’s tournament generating record viewership, according to FIFA.

As has been previously reported by Infosecurity, there is an enormous appetite for using illegal streaming websites to view and download high-profile sporting events, music, films and TV shows. This in turn offers a huge opportunity for cyber-criminals: they set up fake streaming websites purporting to show the event, but which instead entice users into downloading malware or giving away payment information.

Timothy Morris, chief security advisor at Tanium, explained: “Fake streaming sites have been around a while but will take advantage of large events (concerts, sports, celebrity news, etc.) to entice users to install malware. They are becoming more sophisticated because they are more seamless and difficult to detect.”

Unsurprisingly, cyber-criminals are heavily targeting this year’s World Cup in this manner. Research from Zscaler ThreatLabz in November 2022 observed a “significant spike” in streaming sites with newly registered domains. The researchers found that many of these websites claiming to offer free streaming of FIFA World Cup matches are malicious, instead redirecting users and prompting them to enter payment card details or download malware. They noted that “similar templates for fake streaming sites appeared in 2020 during the Tokyo Olympics.”

Speaking to Infosecurity about the findings, Deepen Desai, CISO and VP security research at Zscaler, highlighted new techniques being employed by these threat actors, firstly to lure users into entering their malicious sites. “In a new trend, Zscaler ThreatLabz has observed such fake streaming site links being posted on legitimate sites related to social networking, blogging and forums like Xiaomi, Reddit, OpenSea and LinkedIn, increasing attackers’ chances that a user would click on the link,” he commented.

In addition, threat actors are using novel approaches to spread malware via these sites. “These attacks are not limited to stealing payment card details, but attackers are also using the event to spread adware and malware,” added Desai.

“We have seen FIFA-themed adware claiming to offer free streaming but instead redirects users to unrelated sites for betting, auto trading, etc. Apart from this, ThreatLabz has observed different malware families using search engine optimization (SEO) manipulation techniques to serve the malware, especially via PDF files.”

Education, Education, Education

One of the main approaches to mitigating this threat is making users aware of the risks of trying to stream live matches online and exercising extreme caution when doing so. After all, such websites are generally promoted by criminals through techniques like phishing. Mike Parkin, senior technical engineer at Vulcan Cyber, explained: “User education and awareness really are key here. Ultimately, these attacks rely heavily on social engineering to convince victims to visit and interact with malicious sites.”


In the specific case of accessing live matches during the World Cup, it is incumbent on the organizers and governments to properly communicate the legitimate viewing channels, ideally making them as accessible as possible. In some countries, like the UK, events like the football World Cup are on free-to-air TV, but this is only the case for some regions.

For example, Steve Herbert, head of service delivery at Nominet, the official registry for .UK domain names, told Infosecurity that malicious domains around the World Cup in the UK have been “relatively low” this year. “This might be due to the tournament being free to watch in the UK this year, unlike other major sporting events that require a subscription to watch the broadcast. When this happens, scammers know that consumers will be looking for alternatives that will let them watch for free,” he explained.

John Bambenek, principal threat hunter at Netenrich, agreed that the scale of malicious fake World Cup streaming sites will be affected by the accessibility of legitimate television coverage: “Letting potential viewers know where they can watch can help, but if those channels are monetized, there will always be an interest to pirate content.”

Protecting Users from Themselves

Given this reality, it is important that steps are taken to prevent users from falling victim to these fake websites.

This should start with individual organizations, which can use security controls on company devices to block employees from accessing high-risk URL categories, such as newly registered domains, and from downloading files served from those categories.

Zscaler’s Desai noted: “Not all newly registered domains are malicious, but as defenders, it is important that we classify all newly registered domains as suspicious and conduct analysis to weed out hidden offenders. Attackers also use legitimate hosting services to host phishing/malicious content and avoid detection.”

He added: “Signature-based detection for the contents from the website/files can be used to block such attacks hosted on legitimate services.”

Another important step is for major brands and event organizers to report and request the takedown of websites impersonating them in any way, as such impersonation is common on fake streaming sites. “Event organizers can look for brand recognition and take down malicious websites and domains quickly. They are usually pretty easy to find if you are looking,” said Bambenek.

Notably, Zscaler’s research found that most malware and scam campaigns leveraging the ongoing FIFA World Cup are using newly registered domains. Unsurprisingly, therefore, Nominet’s Herbert highlighted the importance of organizations responsible for running internet services taking proactive actions to quickly identify these malicious websites before they cause damage.

“As a responsible registry, we are always checking new domain names being registered in the .UK namespace, as well as those currently in use for any indication of fraudulent or harmful activity,” he explained. “At the point of registration, our solution, Domain Watch, uses machine learning algorithms to score the likelihood of a domain being used for phishing based on a range of predefined words or phrases. Flagged domains are then checked by our in-house compliance team, who deal with the registrant and registrar to determine if it is for legitimate use. We want to ensure legitimate domains are quickly registered while leaving malicious domains suspended.”
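The two defensive ideas above, treating every newly registered domain as suspicious and scoring a domain by the lure words it stacks, can be combined into a simple triage rule. The following is an added example written for this article; it is not Nominet's Domain Watch, the weighted term list and the sample registrations are constructed, and the `.example` domains are reserved documentation names, not real indicators.

```python
from dataclasses import dataclass
from datetime import date

# Lure terms that fake World Cup streaming domains tend to combine.
# Constructed, weighted list for this example; not Nominet's word list.
LURE_TERMS = {
    "fifa": 3, "worldcup": 3, "qatar2022": 3,
    "stream": 2, "free": 2, "live": 1, "hd": 1, "watch": 1,
}
NRD_WINDOW_DAYS = 30  # domains younger than this count as newly registered

@dataclass
class Registration:
    domain: str
    registered: date

def lure_score(domain: str) -> int:
    """Sum the weights of lure terms found in the registrable label.
    Substring matching is deliberately simple; short terms like 'hd' are
    noisy, which is why scores only drive review, not automatic blocking."""
    label = domain.lower().split(".")[0].replace("-", "")
    return sum(w for term, w in LURE_TERMS.items() if term in label)

def classify(reg: Registration, today: date, threshold: int = 4) -> str:
    """'review': newly registered, so suspicious by default.
    'block': newly registered AND stacks lure terms above the threshold.
    'allow': older domain with no newly-registered signal."""
    age_days = (today - reg.registered).days
    if age_days <= NRD_WINDOW_DAYS and lure_score(reg.domain) >= threshold:
        return "block"
    if age_days <= NRD_WINDOW_DAYS:
        return "review"
    return "allow"

# Constructed sample registrations (not real domains or indicators).
SAMPLE = [
    Registration("fifa-worldcup-free-stream.example", date(2022, 11, 18)),
    Registration("live-hd-football.example", date(2022, 11, 20)),
    Registration("localfootballclub.example", date(2015, 3, 2)),
]

def triage(regs, today=date(2022, 11, 25)):
    """Map each domain to its verdict as of `today`."""
    return {r.domain: classify(r, today) for r in regs}

if __name__ == "__main__":
    for domain, verdict in triage(SAMPLE).items():
        print(f"{verdict:6} {domain} (score={lure_score(domain)})")
```

The same registration drops back to "allow" once it ages past the window, which mirrors the point that newly registered status is a temporary signal and needs the post-registration threat-feed checks Herbert describes next.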

Herbert emphasized that monitoring activities should remain an ongoing task: “Post-registration, we also make use of a range of threat feeds to help us to identify malicious activity, including domains being used to distribute malware or command and control activity. Domains flagged are investigated through a range of methods and suspended if there is clear evidence to suggest malicious activity,” he continued.

Ultimately, deterring cybercrime like this requires strong and effective law enforcement, which is only possible through reporting, cooperation and information sharing among all stakeholders, from the end users targeted by these scams to the organizations that help manage the online world, like Nominet. “We work collaboratively with UK law enforcement to address domains in the namespace and being used for criminal purposes,” said Herbert.

This year’s FIFA World Cup in Qatar has generated huge excitement worldwide, with billions of people expected to tune in during the event. This is an appetite malicious threat actors are seeking to take advantage of, and it is incumbent on event organizers, internet management firms, law enforcement and, of course, end users to be vigilant and take appropriate steps to prevent malicious fake streaming sites from ruining anyone’s World Cup experience.
