Piracy(?) scam w/ source code(?)

https://cbslivestreaming.xyz
https://cbslivestreaming.xyz/NFL-2021-Live/
https://cbslivestreaming.xyz/NFL-2021-Live.zip

Found it when browsing structurally similar hits for a website with an empty directory on URLScan. All the structurally similar hits were TV-related (maybe because the original URL had TV in it) LiteSpeed webpages with an open directory on the home page.

I can’t check out the ZIP file now because I’m on phone. May have source code. I have it saved in case it’s deleted, though.

Main scam is https://cbslivestreaming.xyz/NFL-2021-Live/.

Clicking the watch thing directs me here (it can vary by click, but it’s always a website asking for some amount of personal details and sometimes notifications):

Oh, yep, it definitely has source code.

continue.php has no PHP code in it anyways lmao:

Lots of minified (not obfuscated) JS code too:


This is main.js:

Referencing random images from another site in index.html:

<meta name="lpl:d" content="c_bg=https://just-watch-it.com/storage/media/videos/tt6806448backdrop_33f2468bd8bf8f8012f0f805880954d0.jpg" />
<meta name="lpl:d" content="c_img1=https://just-watch-it.com/storage/media/videos/tt6806448poster_33f2468bd8bf8f8012f0f805880954d0.jpg" />

Reporting that site is likely a good idea. It’s very clear that they’re re-using the same scam page, so if a critical resource gets broken, many other scams will break along with it.

Google Analytics code: UA-151135141-1

If I paste the full snippet, Cloudflare says I’m performing an XSS attack and gets angry, so here’s a screenshot instead:

There are a lot of references to Imgur pictures in the fake comments section, but once again, Cloudflare says I’m hacking scammer.info when I post it, so here is a screenshot of the code:


Those may need to be reported as well.

And, yeah, continue.php is what index.html sends the victim to:

As said earlier, this is just a redirect, not any PHP code lmao:

<html>
<head>
<title>Sign Up</title>
<meta http-equiv="refresh" content="0;url=https://www.affforce.com/scripts/un981c6l?a_aid=52376d77&a_bid=3abb9298">
<!-- Histats.com  (div with counter) --><div id="histats_counter"></div>

I believe that the ad network is very likely to be complicit: https://www.affforce.com/scripts/un981c6l?a_aid=52376d77&a_bid=3abb9298

This URL literally generates scams. I could have a script open the URL over and over and over and get infinite scam websites pretty much.

Likely pay per click advertising. I think a_aid means the afilliate’s afilliate ID. This scam website gets a commission for sending people to another scam website.