What We Do
How we do it
Resources
Company
ABOUT ESENTIRE
About Us
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 1500+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
Read about how we got here
Leadership Work at eSentire
LATEST PRESS RELEASE
Sep 20, 2022
eSentire Recognized as Top Global MDR Provider by MSSP Alert, CrowdStrike and G2
Waterloo, ON - September 21, 2022 – eSentire, Inc., the Authority in Managed Detection and Response (MDR), celebrated multiple industry recognitions as the leading global MDR provider, over the last week: Named #9, and the top pure play MDR provider on MSSP Alert’s Top 250 MSSPs global rankingRecognized as the CrowdStrike 2022 Global MSSP Partner of the Year Earned G2’s industry-renowned status…
Read More
Partners
PARTNER PROGRAM
e3 Ecosystem
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Learn more
ECOSYSTEM PARTNER RESOURCES
Apply to become an e3 ecosystem partner with eSentire, the Authority in Managed Detection and Response.
Login to the Partner Portal for resources and content for current partners.
Search
Resources
Blog — Jul 18, 2019

Reddit's r/tennis Serves up a RIG'd Wimbledon Stream

3 minutes read
Speak With A Security Expert Now

Summary

eSentire recently investigated an incident involving RIG Exploit Kit which was linked to a Reddit discussion post on Wimbledon. The victim was browsing /r/tennis and attempted to load several streaming links from the popular subreddit. Unfortunately, instead of streaming a tennis match, they were served up an exploit kit.

RIG Exploit Kit

The RIG Exploit Kit (EK) was a major player in 2017, seeing both widespread use and success. Arrests and coordinated takedowns almost completed halted the popularity of RIG EK. Operation Shadowfall was the name given to a coordinated effort by RSA, GoDaddy and several independent researchers that resulted in the dismantling of large portions of infrastructure associated with RIG EK in 2017 [1]. The RIG exploit kit has recently seen some resurgence and is relying on Flash and Internet Explorer vulnerabilities to deliver a variety of payloads [2].

The Reddit Connection

eSentire’s Security Operations Center was initially alerted to the exploit attempts from a RIG EK on 94[.]250[.]254[.]73. Once the event was triaged and contained, an investigation into the origin of the EK began. Root cause analysis revealed a series of web transactions – or referers – from the original site the user purposely visited to the page hosting the exploit kit. Analysis revealed that cricfree[.]cc was to blame, as it kicked off a series of redirects to the EK.

Reviewing packet capture data shows the user was on the Reddit Wimbledon discussion page when they clicked a link to cricfree[.]cc/tennis-live-streaming, which served a 302 redirect to mybetterdl[.]com.

[image src="/assets/Wimbledon1.png" id="2323" width="375" height="116" class="center ss-htmleditorfield-file image" title="Wimbledon1"]

This results in a few more 302 redirects:

[image src="/assets/Wimbledon2.png" id="2324" width="375" height="109" class="center ss-htmleditorfield-file image" title="Wimbledon2"]

Then another one, this time to makemoneyeasywith[.]me:

[image src="/assets/Wimbledon3.png" id="2325" width="375" height="119" class="center ss-htmleditorfield-file image" title="Wimbledon3"]

Finally we see RIG getting served:

[image src="/assets/Fimbledon4.png" id="2326" width="375" height="130" class="center ss-htmleditorfield-file image" title="Fimbledon4"]

Some quick Googling shows cricfree[.]cc appears in both threads but also the /r/tennis sidebar:

[image src="/assets/Wimbledon5.png" id="2329" width="375" height="356" class="center ss-htmleditorfield-file image" title="Wimbledon5"]

Exploring Reddit, we see the link is still live:

[image src="/assets/Wimbledon6-v2.png" id="2330" width="400" height="284" class="center ss-htmleditorfield-file image" title="Wimbledon6 v2"]

Finally viewing the Wimbledon discussion thread, it’s easy to see how the victim accessed the supposed streaming link:

[image src="/assets/Wimbledon7.png" id="2331" width="400" height="400" class="center ss-htmleditorfield-file image" title="Wimbledon7"]

Implications for the Workplace, The Open Championship, and Other Sporting Events

Reddit has long been a source for sports fans to obtain access to pirated sports streams. While the r/tennis subreddit still has a link to the cricfree[.]cc in its sidebar, subreddits that focus on providing illegal streams such as r/soccerstreams and /nbastreams have recently been banned from the site.

These Reddit bans however, have not made illegal streaming disappear. As an example, this week, The Open Championship (aka The Bristish Open) begins, and for people who want to watch one of golf’s four major tournaments, a quick Google search for “Golf Streams” reveals more than 39 million search results. Some of these results steer users to legitimate sites that are licensed to provide streams of PGA events (typically for a fee), but the vast majority of these results direct fans towards sites that host “free” illegal streams.

For these pirate streaming sites to be sustainable; they must be profitable. As a user, if you aren’t paying for a stream, it likely means that money being made off of you in some way, shape or form.

In most cases, that revenue would come from website forcing users to view web ads before (or while viewing a stream), but as demonstrated above, these websites could also be directing you to malware in hopes of monetizing your illegal streaming by exploiting your computer or your personal data.

For organizations with more lenient web access policies, the illegal streaming of sporting events that occur during core operational hours such as tennis or golf tournaments, March Madness, and the Olympics represent a significant potential risk. As demonstrated, these pirate streaming sites can and do host malware, and even though employees know these sites are likely to be illegitimate in nature, the desire to not miss “the big game” may cause them to access these sites anyway, exposing not only their workstations but their entire organizations to threats.

Recommendations to Protect Your Business

If you are wanting to protect your organization from the threat posed by illegal online streaming, eSentire Threat Intelligence makes the following recommendations.

Join 100,000+ Security Leaders

Get notified of the latest news, intel and helpful tools & assets. You can unsubscribe anytime.

By clicking the button below I confirm that I have read and agree to the eSentire privacy policy.

View Most Recent Blogs
eSentire Threat Intel
eSentire Threat Intel Threat Intelligence Research Group