Avoiding Activation Scams this Football Season
207 days passed between Super Bowl LIX and the first game of the 2025 NFL season and, like many of you reading this, I’ve been gleefully celebrating the return of football. After the lengthy offseason, the last barrier between me and watching my favorite sport is often a tedious one – authenticating my cable provider through the myriad of networks showing each game.
This process typically involves visiting a “cable sign-in” portal for the different networks via QR code, then navigating to my cable provider’s website for yet another authentication method. It’s easy to overlook the domains or redirects involved here – firstly because it’s a primarily mobile process and secondly because users may be trying to sign in as quickly as possible to avoid missing kick-off. In the security world, this is a perfect scenario for manipulation. Threat actors are more than willing to exploit this process for various types of malicious activity such as harvesting login credentials, brand spoofing, and more.
We’ve identified a new cluster of domains, potentially timed to coincide with the 2025 NFL season and the upcoming return of other professional sports in the US such as hockey, that appear to spoof activation websites for networks such as ESPN, CBS, Peacock, and more. The domains have an average Risk Score of 79, a strong indication of malicious intent.
Findings
On August 23, 2025, we observed the domain espnsportsscomtvactivate[.]info. The domain has a Risk Score of 78 and, besides using ESPN in its name, bears little resemblance to the legitimate ESPN site:

The domain also has the following attributes:
| Attribute | Value |
| --- | --- |
| IP Address | 147.93.154[.]194 |
| Name Servers | a.ns.ragaddenge[.]com, b.ns.ragaddenge[.]com |
| ISP | Contabo Gmbh |
| ASN | 141995 |
| Registrar | Sav[.]com, LLC |
Let’s examine those name servers first. The domain ragaddenge[.]com appears to be an India-based domain provider that, at the time of writing, acts as the name server for over 1,300 websites.

Pivoting from espnsportsscomtvactivate[.]info’s IP address reveals an additional 426 domains. From late July 2025 until the time of writing, over 40 of these domains followed similar naming conventions to espnsportsscomtvactivate[.]info. In addition to ESPN, the domains reference networks such as Paramount Plus, Hulu, PBS, Crave, CBS, Peacock, and Starz. Despite this, most of the domains display landing pages promoting generic streaming services (both sports-related and not), VPNs, and premium electronics.







While the majority of the domains use a generic WordPress template devoid of additional identifiers, one of them – espnsportsacttiivvt[.]info – includes the contact email address rmaksolutions2@gmail[.]com. A quick Google search for this email address reveals several additional websites that seem to follow the same network/streaming theme, ultimately expanding our set from 43 domains to 93 created between December 2024 and now. This set includes references to some new networks, including USA, Fox Sports, HGTV, and even some other providers such as Roku and Vizio. ESPN still makes an appearance as well, appearing alongside the familiar term “activate.”





The above domain is of particular interest as it points to the potential purpose – present or future – of all of these domains. As shown, espnsportsactvt[.]info prompts the user to activate the ESPN app on their smart TV or streaming device. They can apparently do so by entering a code on their TV screen – which presumably will fail – or by calling the provided number 833-714-9070. Interestingly enough, scrolling down further on the page displays what appear to be the correct instructions for activating ESPN through a cable provider, even including the legitimate espn[.]com website. The phone number appears in multiple threads on scammer[.]info, a forum for reporting phone scams. According to a user report from May 2025, the number has been part of scams related to Roku, Amazon, eBay, Meta, and YouTube:

The same scam reports apply for two other numbers found on domains referencing Roku and HGTV:
- rokuguest[.]com: 636-412-0268
- hgtvcomlinkk[.]info: 888-586-9509
With this information in mind, it’s possible that these domains are all part of a tech/TV support scam with potential ties to a call center. The involvement of a call center to operate the scam is further supported by the connection to the Indian domain provider ragaddenge[.]com.
Security Recommendations
Here are some practical takeaways to avoid and prevent similar malicious activity and scams:
- For Organizations:
  - Educate Users on Authentication Processes and Risks
    - Train employees and customers to be vigilant when signing into streaming services and other portals
    - Provide clear and consistent instructions for legitimate authentication methods directly within your applications and on your official websites
  - Implement Robust Domain Monitoring and Takedown Procedures
    - Proactively monitor for domain registrations that include your brand name, common misspellings, or activation-related keywords
  - Watch for Call Center/Tech Support Scams Related to Your Brand
    - Regularly search online forums, social media, and scam reporting sites for mentions of your brand in connection with suspicious phone numbers or “tech support” activities
- For End Users:
  - Verify Applications and Domain Names
    - Check that you’re using legitimate applications and domains before entering any login credentials or scanning QR codes
  - Never Call Unverified Support Numbers
    - Only use the official support numbers listed on the website of your service provider
  - Be Aware of Social Engineering Tactics
    - Be cautious of attempts to rush you and create a sense of urgency (e.g., “your account will be suspended!”) – take your time and verify details before following instructions or providing information
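One way to implement the domain-monitoring recommendation for organizations, as an added example that is not code from the original article: it flags new registrations that pair a watched brand with an activation keyword, tolerating the doubled letters and dropped vowels seen in this cluster. The watchlists, the allowlist and the function names are assumptions to adapt to your own brand.

```python
import re

# Assumed watchlists: brands are networks named in the article; keywords are
# activation-style terms seen in its example domains. Tune both for your brand.
BRANDS = ("espn", "roku", "hgtv", "peacock", "hulu", "starz", "paramount")
KEYWORDS = ("activate", "link", "signin", "login")
OFFICIAL = {"espn.com"}  # allowlist of domains the brand owner controls (assumed)

def _pattern(word, drop_vowels):
    """Regex for `word` tolerating doubled letters and, optionally, dropped
    vowels after the first character (activate -> acttiivvt, actvt)."""
    parts = []
    for i, ch in enumerate(word):
        optional = drop_vowels and i > 0 and ch in "aeiou"
        parts.append(re.escape(ch) + ("*" if optional else "+"))
    return re.compile("".join(parts))

BRAND_RE = {b: _pattern(b, False) for b in BRANDS}
KEYWORD_RE = {k: _pattern(k, True) for k in KEYWORDS}
EMBEDDED_TLD_RE = re.compile(r"c+o+m+|n+e+t+")  # "com"/"net" inside the label

def assess(domain):
    """Return (brands, keywords, embedded_tld) for a possibly defanged domain,
    or None if it is allowlisted or names no watched brand."""
    host = domain.strip().lower().replace("[.]", ".").rstrip(".")
    if any(host == o or host.endswith("." + o) for o in OFFICIAL):
        return None
    label = "".join(host.split(".")[:-1])  # everything left of the TLD
    brands = sorted(b for b, rx in BRAND_RE.items() if rx.search(label))
    if not brands:
        return None
    keywords = sorted(k for k, rx in KEYWORD_RE.items() if rx.search(label))
    return brands, keywords, bool(EMBEDDED_TLD_RE.search(label))

def triage(domains):
    """Keep brand hits, highest-signal first (keyword count, then embedded TLD)."""
    hits = [(d, r) for d in domains if (r := assess(d)) is not None]
    return sorted(hits, key=lambda h: (len(h[1][1]), h[1][2]), reverse=True)

if __name__ == "__main__":
    # Sample feed: defanged domains quoted in the article plus constructed benign ones.
    feed = ["espnsportsscomtvactivate[.]info", "espnsportsacttiivvt[.]info",
            "hgtvcomlinkk[.]info", "rokuguest[.]com", "espn[.]com",
            "example-bakery[.]com"]
    for domain, (brands, keywords, tld) in triage(feed):
        print(f"{domain:35} brands={brands} keywords={keywords} embedded_tld={tld}")
```

A brand-only hit such as rokuguest[.]com sorts last and still deserves a manual look; the embedded-TLD signal is weak on its own because "com" and "net" occur inside ordinary words.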
Stay safe out there, football fans!
