What We Do
How we do it
Resources
Company
ABOUT ESENTIRE
About Us
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
Read about how we got here
Leadership Work at eSentire
LATEST PRESS RELEASE
Mar 20, 2023
Exertis and eSentire Partner to Deliver 24/7 Multi-Signal MDR, Digital Forensics & IR Services and Exposure Management to Organisations Across the UK, Ireland, and Europe
Basingstoke, UK– 20 March, 2023. Leading technology distributor, Exertis, announced today that it has bolstered its cybersecurity services, adding eSentire, the Authority in Managed Detection and Response (MDR), to its Enterprise portfolio of offerings. eSentire’s award-winning, 24/7 multi-signal MDR, Digital Forensics & Incident Response (IR), and Exposure Management services will be available…
Read More
Partners
PARTNER PROGRAM
e3 Ecosystem
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Learn more
ECOSYSTEM PARTNER RESOURCES
Apply to become an e3 ecosystem partner with eSentire, the Authority in Managed Detection and Response.
Login to the Partner Portal for resources and content for current partners.
Search
Resources
Blog — Jul 18, 2019

Reddit's r/tennis Serves up a RIG'd Wimbledon Stream

3 minutes read
Speak With A Security Expert Now

Summary

eSentire recently investigated an incident involving RIG Exploit Kit which was linked to a Reddit discussion post on Wimbledon. The victim was browsing /r/tennis and attempted to load several streaming links from the popular subreddit. Unfortunately, instead of streaming a tennis match, they were served up an exploit kit.

RIG Exploit Kit

The RIG Exploit Kit (EK) was a major player in 2017, seeing both widespread use and success. Arrests and coordinated takedowns almost completed halted the popularity of RIG EK. Operation Shadowfall was the name given to a coordinated effort by RSA, GoDaddy and several independent researchers that resulted in the dismantling of large portions of infrastructure associated with RIG EK in 2017 [1]. The RIG exploit kit has recently seen some resurgence and is relying on Flash and Internet Explorer vulnerabilities to deliver a variety of payloads [2].

The Reddit Connection

eSentire’s Security Operations Center was initially alerted to the exploit attempts from a RIG EK on 94[.]250[.]254[.]73. Once the event was triaged and contained, an investigation into the origin of the EK began. Root cause analysis revealed a series of web transactions – or referers – from the original site the user purposely visited to the page hosting the exploit kit. Analysis revealed that cricfree[.]cc was to blame, as it kicked off a series of redirects to the EK.

Reviewing packet capture data shows the user was on the Reddit Wimbledon discussion page when they clicked a link to cricfree[.]cc/tennis-live-streaming, which served a 302 redirect to mybetterdl[.]com.

[image src="/assets/Wimbledon1.png" id="2323" width="375" height="116" class="center ss-htmleditorfield-file image" title="Wimbledon1"]

This results in a few more 302 redirects:

[image src="/assets/Wimbledon2.png" id="2324" width="375" height="109" class="center ss-htmleditorfield-file image" title="Wimbledon2"]

Then another one, this time to makemoneyeasywith[.]me:

[image src="/assets/Wimbledon3.png" id="2325" width="375" height="119" class="center ss-htmleditorfield-file image" title="Wimbledon3"]

Finally we see RIG getting served:

[image src="/assets/Fimbledon4.png" id="2326" width="375" height="130" class="center ss-htmleditorfield-file image" title="Fimbledon4"]

Some quick Googling shows cricfree[.]cc appears in both threads but also the /r/tennis sidebar:

[image src="/assets/Wimbledon5.png" id="2329" width="375" height="356" class="center ss-htmleditorfield-file image" title="Wimbledon5"]

Exploring Reddit, we see the link is still live:

[image src="/assets/Wimbledon6-v2.png" id="2330" width="400" height="284" class="center ss-htmleditorfield-file image" title="Wimbledon6 v2"]

Finally viewing the Wimbledon discussion thread, it’s easy to see how the victim accessed the supposed streaming link:

[image src="/assets/Wimbledon7.png" id="2331" width="400" height="400" class="center ss-htmleditorfield-file image" title="Wimbledon7"]

Implications for the Workplace, The Open Championship, and Other Sporting Events

Reddit has long been a source for sports fans to obtain access to pirated sports streams. While the r/tennis subreddit still has a link to the cricfree[.]cc in its sidebar, subreddits that focus on providing illegal streams such as r/soccerstreams and /nbastreams have recently been banned from the site.

These Reddit bans however, have not made illegal streaming disappear. As an example, this week, The Open Championship (aka The Bristish Open) begins, and for people who want to watch one of golf’s four major tournaments, a quick Google search for “Golf Streams” reveals more than 39 million search results. Some of these results steer users to legitimate sites that are licensed to provide streams of PGA events (typically for a fee), but the vast majority of these results direct fans towards sites that host “free” illegal streams.

For these pirate streaming sites to be sustainable; they must be profitable. As a user, if you aren’t paying for a stream, it likely means that money being made off of you in some way, shape or form.

In most cases, that revenue would come from website forcing users to view web ads before (or while viewing a stream), but as demonstrated above, these websites could also be directing you to malware in hopes of monetizing your illegal streaming by exploiting your computer or your personal data.

For organizations with more lenient web access policies, the illegal streaming of sporting events that occur during core operational hours such as tennis or golf tournaments, March Madness, and the Olympics represent a significant potential risk. As demonstrated, these pirate streaming sites can and do host malware, and even though employees know these sites are likely to be illegitimate in nature, the desire to not miss “the big game” may cause them to access these sites anyway, exposing not only their workstations but their entire organizations to threats.

Recommendations to Protect Your Business

If you are wanting to protect your organization from the threat posed by illegal online streaming, eSentire Threat Intelligence makes the following recommendations.

View Most Recent Blogs
eSentire Threat Intel
eSentire Threat Intel Threat Intelligence Research Group