March Madness Hoops Baskets of Malware, Scams

As the Sweet Sixteen round continues for March Madness, the increased interest in the tournament has also attracted the attention of threat actors who've produced a variety of ways to trick fans into downloading malicious code.

Zscaler researchers have observed a clear upward spike in malicious activity over the last 15 days since the tournament began, with threats including phishing pages, adware downloads, improper handling of user data and attempts at domain squatting.

March Madness, the annual NCAA college and university-level basketball tournament, has seen its best ratings in years this season. According to the NCAA and Nielsen stats, the 2017 NCAA Tournament was the most-watched in 24 years for its opening weekend, with an average of 9.325 million viewers, which is up 10% from 2016. NCAA March Madness Live has generated an all-time record 69.1 million live streams through the first Sunday of the tournament, an increase of 24% over last year. And, official March Madness social media handles generated 26 million social engagements across Twitter, Facebook and Instagram through last Sunday, which is up 20% year-over-year.

This increased activity is translating into more users streaming games and checking their brackets for updates. Zscaler said that it saw the traffic in this category increase by 100% during the game week.

The dangers are diverse. For instance, if fans are looking to stream the NCAA tournament for free, they can easily find the games at But they have options—not good ones.

“A simple Google search of the phrase ‘NCAA free streaming’ yields some dubious results, including this one from ifirstrowus[.]eu which comes up as the fifth hit on the search page. Basketball enthusiasts that click through this site to watch the games will be sorely disappointed. Instead of watching their alma mater, they will be redirected to a site that installs a browser hijacker, which prompts users to install toolbars and change the homepage to search.searchliveson[.]com to continue watching the game.”

Also, domain-squatted addresses can be used to host phishing webpages that steal user credentials and other information.

As is typical with top sporting events, the bad guys are looking to take advantage of a wide audience.

“The best advice we can offer is to be sure to use NCAA-sanctioned bracket applications through your web browser,” Zscaler noted. “There are many third-party sites out there that attempt to probe the user to create login credentials. We observed that one such application collects a username and password and then transmits it in the clear. This plain text credential transfer makes the connection vulnerable to sniffing attacks. Since users commonly set the same login credentials for multiple websites, the attackers might gain access to users' email accounts, bank accounts, tax preparation accounts etc.”
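The cleartext credential transfer described above can be spotted from a login page's markup before any password is typed. The check below is an added example, not code from Zscaler or from this article; the function names and the example.test pages are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class _FormScanner(HTMLParser):
    """Records each <form>, its action, and whether it contains a password field."""
    def __init__(self):
        super().__init__()
        self.forms, self._open = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = {"action": a.get("action") or "", "password": False}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            if (a.get("type") or "").lower() == "password":
                self._open["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def cleartext_credential_forms(page_url, html):
    """Return one finding per password form that is exposed to network sniffing."""
    scanner = _FormScanner()
    scanner.feed(html)
    findings = []
    for form in scanner.forms:
        if not form["password"]:
            continue  # search boxes and similar forms carry no credentials
        target = urljoin(page_url, form["action"])  # empty action posts to the page itself
        reasons = []
        if urlsplit(target).scheme != "https":
            reasons.append("credentials submitted without TLS")
        if urlsplit(page_url).scheme != "https":
            reasons.append("login page served without TLS, form can be altered in transit")
        if reasons:
            findings.append({"target": target, "reasons": reasons})
    return findings

# Constructed sample: a third-party bracket page served and submitted over HTTP.
SAMPLE_URL = "http://bracket.example.test/login"
SAMPLE_HTML = """<form action="/signin" method="post">
<input type="text" name="user"><input type="password" name="pass"></form>"""

if __name__ == "__main__":
    for finding in cleartext_credential_forms(SAMPLE_URL, SAMPLE_HTML):
        print(finding["target"], "->", "; ".join(finding["reasons"]))
```
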
