Top sports websites unleash foul play in the enterprise

If you are not familiar with March Madness (because I guess you live under a rock — or don’t live in the U.S.), it’s a single-elimination college basketball tournament played each spring, featuring 68 teams competing for one championship title.

It’s one of the most anticipated events in college sports and as we head into tonight’s championship game it’s clear that viewership in person, on TV and online only increased.

In 2015, March Madness set an all-time record with 80.7 million live video streams and 17.8 million hours of live video consumption, up 17 and 19 percent respectively from the previous year.

“Multi-tasking” is nothing new to employees who often pull up a live stream (or two) to watch the games while at work.

According to Challenger, Gray & Christmas, Inc., employers will lose $1.3 billion in decreased productivity during March Madness and this year, IT will not only have to manage bandwidth consumption and decreased productivity, but also increased risk.

To determine what the threat landscape on the Web looks like for sports fans watching the games online, we analyzed the top 10 sports websites in the U.S. based on the Alexa ranking.

These 10 sites are the most visited during March Madness, with sports fans regularly checking their bracket and streaming games to see if their favorite teams are advancing to the next stage. The tests we ran were designed to determine the amount of code used by the sites and the system versions behind the scenes used to deliver the content.

What’s not obvious to the end user is that a visit to one of the top 10 sports websites also results in the browser loading active content from many other sources, called “background initiated requests.” Here are the key points we discovered:

  • Sixty percent (6 websites) of the top sports sites are serving active code from risky “background sites” marked as phishing and other frauds
  • On average, when visiting a top 10 sports site in U.S., your browser executes 245 script
  • Visiting a top 10 sports site resulted in the browser loading active code from 152 unique background domains
  • On average, when visiting a top 10 sports website, your browser downloads 4.48MB of code
  • Microsoft-IIS/8.5 was the most prominent vulnerable version reported with known software vulnerabilities
  • Some of the 152 background domains are running software (Apache, PHP, etc.) released in 2010

There are many legitimate reasons why developers use scripts to enhance the user experience of a website today, but similarly attackers can use scripting capabilities for iframe redirects and malvertising links to compromise browsers.

The total number of scripts executed, especially when they are fetched and executed from the risky “background sites” significantly increases the risk of visiting a website.

While the “background initiated requests” greatly facilitate tracking from CDNs and ad-networks, this also means that the website owners have little to no control over the security posture of these “background sites.”

In a number of recent breaches such as Yahoo!, Forbes or the Plenty of Fish ( online dating site, a background site was breached, meaning that a visit to a top ranked site resulted in a malware drop.

For enterprises looking to protect their employees, especially during this time of heightened multitasking at work watching the NCAA tournament, this is a huge challenge.

All of these top sports sites are considered “safe” in the eyes of IT because they are seemingly popular and well-known. Web gateways also do not block trusted sites causing employees to continually get infected. While the recent focus has been on March Madness, this is a challenge year round.

Breaches cost enterprises millions of dollars each year and that number isn’t decreasing any time soon. Detection of known threats on the Web is proving to be very hard for the industry, let alone unknown threats.

The reality is that merely checking a March Madness bracket puts not only the employee at risk, but also the entire enterprise.

If you knew that an employee going to a top 10 sports website in the U.S. exposes their browser to more than 513 scripts from domains already marked as malicious, would it make you think twice?