A domain operated by 'pirate' IPTV provider PrimeStreams is causing concern among users today. Instead of displaying the usual service portal, it quickly redirects to the ominous anti-piracy warning of the Alliance for Creativity and Entertainment. However, if one looks closely at the mechanics, this is not a seizure carried out by ACE but probably the work of a malicious actor.
For the past several weeks, some ‘pirate’ IPTV services have been subjected to ‘hacks’ carried out by as-yet unidentified people.
In early December, Helix Hosting became the first reported case. Its homepage was defaced with a message explaining that the service had been asked to pay a ransom or face having its customer database leaked online.
Just a few days later, PrimeStreams became the victim of similar blackmail efforts. Its operator revealed that a weak password had been exploited and that 10 bitcoin was being demanded in order to prevent the service’s confidential data from being exposed to the world.
Unconfirmed reports indicated that other services were also targeted in December, which may or may not have settled in the face of similar threats. However, PrimeStreams’ situation appears to be ongoing as a quick visit to what used to be its main servicing domain (PrimeStreams.store) reveals a rather ominous message.
This countdown-timer message usually indicates that a domain has been taken over by the Alliance for Creativity and Entertainment, the global anti-piracy coalition headed up by the MPA. It is currently displayed on dozens of file-sharing and IPTV platforms, commonly after they have reached some kind of settlement with the world’s largest entertainment groups. Vaders and Openload are two of the most obvious examples.
Of course, seeing that message will probably be enough to send many customers running for the hills, but the truth is relatively easy to uncover. This isn’t a domain seizure carried out by ACE but most probably the work of a malicious actor, as a dive into the domain’s details reveals.
As the image above shows, at the time of writing the PrimeStreams domain is using the services of Njalla, the domain registration and hosting service closely associated with Pirate Bay co-founder Peter Sunde. That doesn’t mean that Njalla has anything to do with the issue, of course, but it does indicate in a particularly clear way that ACE isn’t the entity in control here.
When ACE does take control of a domain, Openload.co for example, there are many tell-tale signs that the seizure is legitimate, including the use of the MPA’s own nameservers, redirection to certain banks of servers in the United States, not to mention contact details that relate to bodies and individuals at the MPA.
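The nameserver and contact-detail checks described above can be run against a WHOIS response. The following is an added example, not code from the article: the WHOIS records are constructed, and the `EXPECTED` profile uses placeholder values because the article does not list the MPA's actual nameservers or contact strings. It does not cover the third signal, the servers a redirect lands on.

```python
import re

# Assumed profile of the party said to control the domain (placeholder values).
EXPECTED = {
    "ns_domains": ("rightsholder.example",),
    "contact_terms": ("rightsholder association",),
}

# Constructed WHOIS responses, not real records.
WHOIS_SUSPECT = """\
Domain Name: service-portal.example
Registrar: Privacy Registrar (placeholder)
Name Server: ns1.privacy-host.example
Name Server: ns2.privacy-host.example
Registrant Organization: REDACTED FOR PRIVACY
"""
WHOIS_SEIZED = """\
Domain Name: seized-site.example
Registrar: Corporate Registrar (placeholder)
Name Server: A.NS.RIGHTSHOLDER.EXAMPLE.
Name Server: b.ns.rightsholder.example
Registrant Organization: Rightsholder Association, Inc.
Registrant Email: legal@rightsholder.example
"""

def parse_whois(text):
    """Collect 'Key: value' lines into a dict of lower-cased value lists."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+?)\s*:\s*(.+?)\s*$", line)
        if m:
            fields.setdefault(m.group(1).lower(), []).append(m.group(2).lower())
    return fields

def under(host, domain):
    """True if host is the domain or a subdomain of it (label boundary enforced)."""
    return host == domain or host.endswith("." + domain)

def seizure_signals(text, expected=EXPECTED):
    """Report which ownership signals match the expected controlling party."""
    f = parse_whois(text)
    servers = [ns.rstrip(".") for ns in f.get("name server", [])]
    contacts = [v for k, vals in f.items() if k.startswith("registrant") for v in vals]
    return {
        # Every nameserver must belong to the expected party; none listed fails.
        "nameservers": bool(servers) and all(
            any(under(ns, d) for d in expected["ns_domains"]) for ns in servers),
        "contacts": any(t in c for c in contacts for t in expected["contact_terms"]),
    }

def looks_like_genuine_seizure(text):
    return all(seizure_signals(text).values())
```

A redirect to a warning page proves nothing about who controls the domain, which is why the check looks only at registration data and never at the page content.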
If we rule out the highly unlikely possibility that the operator of PrimeStreams redirected his own domain to ACE’s anti-piracy servers, then we’re left with a situation that was most probably engineered by a malicious actor. Whether that was the same person who threatened the site in December is unknown, but losing a domain to an unauthorized third party is an extremely serious matter.
The double-edged sword here is the involvement of Njalla. While there’s a possibility that there might be an element of sympathy at the sight of an unlawful hack (not to mention that some of the team were previously involved in The Pirate Bay and Piratbyrån), Njalla is utterly militant when it comes to the privacy of its users, so it may not even be able to help.
That might have played a part in PrimeStreams’ decision to dump this domain entirely and transfer to a new one. The big question, however, was whether the service had any more big security headaches waiting to kick in. Sure enough, and incredibly, within hours of going live that domain was ‘hacked’ as well.
In the meantime, ACE gets yet another traffic boost.