50% of video overlay ads on free live streaming (FLIS) websites prove to be malicious

Researchers from imec - KU Leuven (Belgium) and Stony Brook University (US) have conducted the first empirical study that quantifies the security risk of using FLIS services; they expose high likelihood of malware infections and getting exposed to fraudulent scams.


Around the world, millions of people use free live streaming (FLIS) services to watch sports and live events for free – over the Internet. Many users of FLIS websites are aware of the fact that the live video content on these websites is typically streamed without the consent of the content owner. What they do seem to underestimate, though, is the security risk they are running of infecting their personal devices with malware and getting exposed to personal data theft and financial scams.

"Until now, FLIS services have mostly been analyzed from a legal perspective. To the best of our knowledge, there has been no study yet that systematically analyzes the FLIS ecosystem, exposes the modus operandi of the parties that facilitate it, and empirically quantifies the threats to common Internet users who utilize these services. That is the void we have wanted to fill with our research,” explains M. Zubair Rafique (KU Leuven Department of Computer Science and imec).

Research (results)

To assess the impact of FLIS on users and expose the infrastructure of the worldwide FLIS ecosystem, researchers from imec - KU Leuven and Stony Brook University built a semi-automated tool that helped them identify more than 23,000 FLIS webpages, corresponding to more than 5,600 domain names (more than 20% of which are part of Alexa’s top 100,000 websites). Next, they performed more than 850,000 visits to the identified FLIS domains and analyzed more than 1 Terabyte of resulting traffic.

“It is a public secret that the FLIS ecosystem does not shy away from employing deceptive techniques to make money from the millions of users who utilize their services to watch live (sport) events,” says Nick Nikiforakis (Stony Brook University)“The use of malicious overlay ads is one example, whereby the video player could be covered with fake ‘close’ buttons. Those are meant to make users naively click on them, potentially exposing them to malware-laden websites.”

“Still, the outcome of our research – the first one to really quantify this threat – has been pretty confronting: next to the notable occurrence of copyright and trademark infringements, we found that in 50% of the cases a click on a FLIS overlay ad leads users to a malware-hosting webpage. We also found that the majority of the malware-hosting pages were constructed to imitate the look-and-feel of the actual FLIS services. As such, they try to deceive users and have them install malware by pretending they need special software to watch the live video stream,” concludes M. Zubair Rafique. “Chrome and Safari proved to be more vulnerable to this approach than other browsers. This can be explained by the fact that attackers are more inclined to target the more popular webbrowsers. Finally, FLIS services also appeared to employ anti-ad block scripts that attempt to detect and defeat popular ad-blocker extensions.”


Given the extent of the observed threat, the researchers have engineered a classifier that can be used – amongst others – to alert users that they are interacting with potentially dangerous FLIS pages. Or it can help security analysts find and report unknown FLIS pages in an effort to curb copyright and trademark infringements. Thanks to its accuracy and effectiveness, the classifier can readily be used in an online process to find unknown FLIS pages. A prototype is currently available to KU Leuven students; going forward, the classifier will be made publicly available for research purposes.

FLIS in the press


Share this on


This website uses cookies for analytics purposes only without any commercial intent. Find out more here. Our privacy statement can be found here. Some content (videos, iframes, forms,...) on this website will only appear when you have accepted the cookies.

Accept cookies