“Free World Cup stream” sites are serving scams, not football

MITRE Techniques

• [T1204.001 ] User Execution: Malicious Link – The page waits for the user’s first click or tap and uses it to launch ads in a new tab or window (‘the first tap is hijacked’ and ‘a script waits for your first click or tap anywhere on the page’).
• [T1055 ] Process Injection – The article describes ads being injected into the player area when the user tries to watch (‘more ads are injected into the player area’).
• [T1189 ] Drive-by Compromise – Visiting the deceptive streaming pages can expose users to scams, redirects, and malicious downloads simply by loading the site (‘visitors end up facing scams, malware, and fraudulent downloads’).
• [T1566.002 ] Phishing: Spearphishing Link – Fake notifications and prompts are designed to trick users into clicking deceptive content (‘fake message notifications’ and prompts such as ‘Click Resume to continue’).
• [T1027 ] Obfuscated Files or Information – The operation relies on hidden 1×1-pixel ads and invisible page elements to conceal ad activity (‘tiny, invisible 1×1-pixel ads’).
• [T1496 ] Resource Hijacking – The sites monetize user activity by generating paid ad views through hidden and forced ad loads (‘you’re the unwitting traffic’ and ‘generate paid ad views’).
• [T1105 ] Ingress Tool Transfer – The pages pull streams from third-party piracy services and external ad domains (‘the stream is pulled from a third-party piracy service’).
• [T1071 ] Application Layer Protocol – The page loads many ad and tracking scripts from external domains over web protocols (‘loads eight or more ad and tracking scripts from the same shady network’).