BravoMovies: Fake Movie Website to Put Viruses on Computers


Some attackers go one step further and imitate streaming platforms as closely as possible in order to convince users to install malware on their computers. Now, a fake platform is posing as one of these services.

This is what the cybersecurity company Proofpoint is warning about. The company first observed the campaign in May this year; it poses as a streaming service, with a well-designed website and fake movies.

Instead of offering movies, the website distributes BazaLoader, which, although it may seem inert at first, can download and install additional modules on the victim's computer. For this reason, many attackers are using it to download modules with such dangerous ransomware as Ryuk and Conti.

BravoMovies: a fake movie website

The main distribution route for BazaLoader is through BravoMovies. Potential victims receive an email telling them that their free trial period is ending shortly, and that they will be charged $39.90 per month if they do not unsubscribe from BravoMovies.

That streaming platform doesn't really exist, and the email seeks to scare users into calling a phone number. At that number, users are guided through the website, which seems real, with movie covers, a FAQ, price details, and the supposed free trial.

When the user enters the section to unsubscribe, they are asked to download an Excel spreadsheet. When they open it, the document asks them to "activate the content", and from there it starts executing macros that download BazaLoader.
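A defensive check for the step described above, as an added example that is not from Proofpoint or the original article: before opening a downloaded spreadsheet, inspect it for macro containers. It covers both VBA projects and Excel 4.0 macro sheets, which goes beyond what the article states; the function names, finding labels and sample files are constructed for illustration.

```python
import io
import zipfile

# OLE2 compound-file signature used by legacy binary workbooks (.xls).
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")


def macro_indicators(data: bytes) -> list[str]:
    """Return the macro-related findings for a downloaded spreadsheet.

    An empty list means no macro container was found in an OOXML workbook.
    """
    if data.startswith(OLE2_MAGIC):
        # Macros in this format live in OLE streams that this check does not
        # parse, so the file is reported rather than cleared.
        return ["ole2-legacy-format"]
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        raise ValueError("neither an OOXML nor an OLE2 workbook") from None
    with archive:
        names = [name.lower() for name in archive.namelist()]
    findings = []
    if any(name.endswith("vbaproject.bin") for name in names):
        findings.append("vba-project")        # VBA macros
    if any(name.startswith("xl/macrosheets/") for name in names):
        findings.append("excel4-macrosheet")  # Excel 4.0 (XLM) macros
    return findings


def build_sample(extra_parts: dict[str, bytes]) -> bytes:
    """Constructed sample: a minimal OOXML-shaped ZIP, not a real workbook."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("xl/workbook.xml", "<workbook/>")
        for name, content in extra_parts.items():
            archive.writestr(name, content)
    return buffer.getvalue()


if __name__ == "__main__":
    samples = {
        "plain workbook": build_sample({}),
        "with VBA project": build_sample({"xl/vbaProject.bin": b"\x00"}),
        "with macro sheet": build_sample({"xl/macrosheets/sheet1.xml": b"<x/>"}),
    }
    for label, blob in samples.items():
        print(f"{label}: {macro_indicators(blob) or 'no macro parts found'}")
```

A non-empty result on a file that arrived through an unsolicited "unsubscribe" flow is a reason not to enable its content.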

Grammar mistakes or fake websites: check emails

The attackers clearly know that many users have subscribed to streaming platforms during the pandemic, and in some cases they may have forgotten one of those platforms. Therefore, they seek to scare users so that they quickly go to the fake website and cancel the subscription.

As always with these types of attacks, it is important to pay attention to the kind of mail that reaches us, and to whether we have really subscribed to the service it mentions. A simple Google search shows us that the website does not exist. Checking the email for strange language is also an important sign that it is a fake email. For example, “We lucky you’ve loved it” is clearly misspelled; many of these hackers do not have English as their first language, and they make numerous spelling and grammatical mistakes. Knowing how to protect yourself from ransomware is also important.

The attackers used various domains, such as urbancinema.net, bravomovies.net, and bvcinema.net. None of them work anymore.