Fake landing pages are already a key component of cybercriminal deception. Scammers have created hundreds of Netflix and Disney+ replicas in recent years. The BazaLoader group has created fake websites before, too, including a fake lingerie retailer. But BravoMovies really goes above and beyond.
“We’ve never seen a completely fake streaming site set up before,” says Sherrod DeGrippo, senior director of threat research and detection at Proofpoint. “This is the creative next level of social engineering.”
The details on BravoMovies don’t always stand up to close scrutiny, but they do at least lend the operation a veneer of credibility. The homepage boasts not only HD streaming but “Full HD” and 4K streaming. Its category offerings are familiar, even if the titles aren’t. It advertises mainstream perks such as downloads for offline viewing and compatibility with a range of devices (including, confusingly, Blu-ray players).
To create convincing thumbnail posters for its movies, the attackers raided the design-focused photo social network Behance, along with an advertising agency and a book called How to Steal a Dog. The results lean toward the absurd, but frankly no more so than what you might find at the bottom of your Netflix queue.
And where flaws do stand out, well, maybe they work in the attackers’ favor. “We’ve seen phishing pages created on free website builders that look like a kid made them, and they’re still successful,” Hassold says. “If someone gets to the point where they get to this landing page, the little misspellings that most people are likely to see and raise a red flag probably won’t move the needle much.”
The scope of the campaign remains unclear, as does its ultimate goal. As a backdoor, BazaLoader acts as a kind of staging area for more purpose-built malware that comes later. Think of it as the Bifröst Bridge of Norse myth, but one that provides a pathway for ransomware rather than evil Vikings. Proofpoint says it hasn’t detected any second-stage payload, but BazaLoader is closely linked to the group behind the notorious Trickbot malware.
The complexity of the BravoMovies method also has its drawbacks. While it’s useful for getting around email protections, it’s easier to get people to click than to call. “Because it relies so much on human interaction – that someone actually picks up the phone and makes a call – there’s less chance that the recipient will come into contact with a threat actor,” says DeGrippo of Proofpoint. She adds that the BazaLoader group typically sends out tens of thousands of emails in a given campaign, with broad targeting across geographies and industries.
Still, the fact that they put in so much time and effort suggests that the scheme works despite its complexities. There are more efficient schemes out there. But points, at least, for originality.