The Bizarro streaming site that hackers built from scratch
Fake landing pages are already a staple of cybercrime deception. Crooks have created hundreds of counterfeit Netflix and Disney+ sites in recent years. The BazaLoader group itself has already built fake sites, including a convincing spoof of a lingerie retailer. But BravoMovies really goes above and beyond.
“We’ve never seen a fake streaming site from scratch before,” says Sherrod DeGrippo, senior director of research and threat detection at Proofpoint. “This is a creative new level of social engineering.”
The details on the BravoMovies site don’t always stand up to scrutiny, but they do at least give the company a slight polish of credibility. The home page offers not only HD streams but also “Full HD” and 4K streams. Its category offerings are familiar, although the titles decidedly are not. It advertises common benefits like downloads for offline viewing and compatibility with a range of devices (including, confusingly, Blu-ray players).
To create compelling miniature movie posters, the attackers scoured the design-focused social network Behance for images, as well as an advertising company and a book titled How to Steal a Dog. The results lean towards the absurd, but honestly not much more so than what you might find at the bottom of your Netflix queue.
As for the mistakes, well… maybe they work in the attackers’ favor. “We’ve seen phishing pages built on free website builder sites that look like a kid’s, and these always succeed,” Hassold says. “If someone has gotten to the point of getting to this landing page, the little misspellings that most people would probably see that would raise a red flag are probably not going to move the needle very much.”
The scope of the campaign remains unclear, as does its ultimate goal. As a backdoor, BazaLoader acts as a sort of staging area for more specially designed malware that comes later. Think of it as the Bifröst Bridge of Norse legend, but offering passage for ransomware rather than surly Viking gods. Proofpoint says it hasn’t detected any second-stage payload, but BazaLoader is closely linked to the group behind the notorious Trickbot malware.
The complexity of the BravoMovies method also has its drawbacks. While the approach is handy for bypassing email protections, it’s easier to get people to click than to call. “Because it depends so much on human interaction, that is, someone picks up the phone and makes a call, the recipient is less likely to interact with the threat actor,” says DeGrippo of Proofpoint. She adds that the BazaLoader group typically sends tens of thousands of emails in any given campaign, with broad targeting across geographies and industries.
Yet the fact that the attackers have put in so much time and effort indicates that, despite the intricacies of the scheme, it must work. There are more exciting heist plots out there. But points, at least, for originality.