THE LATEST ENTRANT in the streaming wars doesn’t stock a deep library of classics or buzzy original series. In fact, it won’t play movies at all, no matter how many times you tap or click. But the creative minds behind BravoMovies likely aren’t deterred by those gaffes. They’re criminal hackers, and their goal is not to deliver a rich home entertainment experience but to deposit malware on your computer.
The BravoMovies campaign, spotted by researchers at security firm Proofpoint, has been around since at least early May. While many of its elements seem absurd at a glance—the posters for nonexistent movies, the wince-inducing typos—it shows just how far hackers are willing to go to ensnare their victims.
When you think of phishing campaigns, to the extent that you do at all, you probably picture email attachments laced with malware. Trouble is just a click away. But email services have gotten better at keeping suspicious messages out of your inbox, making it harder for scammers to pull off such cons. Sidestepping those defenses increasingly takes some creativity—and effort, if the group behind BravoMovies is any indication.
Their fake streaming service is just one part of a convoluted, seven-step process to deliver a backdoor called BazaLoader. They start with an email, sure. But it contains no malicious links and no tainted attachments that Gmail’s sensors could sniff out. Instead, it simply informs you that your free trial period on BravoMovies—“amongst the major streaming services on the planet!”—is coming to an end, and that your credit card is about to be charged for the “premium plan.” It helpfully provides a phone number to call if you’d like to cancel.
Calling the number puts you in touch with a call center controlled by the group; the agent at the other end of the line directs you to the BravoMovies site, where you can find thumbnails for enticing films such as Women’s and The Dog Woof. The FAQ section of the site explains that you can “easily cancel your account” in two clicks. The first of those clicks downloads an Excel file to your computer. The second enables macros on the file, which in turn installs BazaLoader on your computer.
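The lure described above works precisely because the email carries nothing a link or attachment scanner can flag: the only "call to action" is a phone number wrapped in billing urgency. As an added illustration of how a defender can still triage such messages, the following Python snippet scores emails on that combination (a phone number, no URL, subscription and cancellation language). It is example code written for this page, not Proofpoint's detection logic or anything from the campaign itself; the sample messages, the 555 phone number, the scoring weights and the threshold are all constructed assumptions.

```python
import re

# Constructed sample messages (assumption: not taken from the article or the campaign).
# The first mimics the callback-phishing pattern; the other two are benign controls.
SAMPLE_EMAILS = [
    {
        "subject": "Your BravoMovies free trial is ending",
        "body": (
            "Your trial period ends tomorrow and your card will be charged "
            "for the premium plan. To cancel, call our support line at 1-800-555-0142."
        ),
    },
    {
        "subject": "Team lunch on Friday",
        "body": "Reply if you're coming. The menu is here: https://example.com/menu",
    },
    {
        "subject": "Invoice #4471",
        "body": "Your invoice is ready. View it at https://billing.example.com/4471",
    },
]

# Any http(s) or www link counts as "the message has a link".
URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)
# North American style number: optional +1, then 3-3-4 digits with common separators.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
# Billing and subscription vocabulary typical of a "your card is about to be charged" lure.
BILLING_TERMS = ("trial", "charged", "subscription", "premium plan", "cancel", "renew", "invoice")


def callback_phishing_score(subject, body):
    """Return (score, reasons) for one message.

    Heuristic weights are constructed for this example:
      +2  a phone number is present but no link is (the callback pattern)
      +1  a phone number sits next to billing/subscription vocabulary
      +1  the message asks the reader to cancel something by phone
    """
    text = f"{subject}\n{body}"
    lower = text.lower()
    has_url = bool(URL_RE.search(text))
    has_phone = bool(PHONE_RE.search(text))
    billing_hits = [term for term in BILLING_TERMS if term in lower]

    score, reasons = 0, []
    if has_phone and not has_url:
        score += 2
        reasons.append("phone number but no link")
    if has_phone and billing_hits:
        score += 1
        reasons.append("phone number with billing terms: " + ", ".join(billing_hits))
    if has_phone and "cancel" in lower:
        score += 1
        reasons.append("cancellation by phone")
    return score, reasons


def triage(emails, threshold=3):
    """Return [(subject, score, reasons)] for messages at or above the threshold."""
    flagged = []
    for email in emails:
        score, reasons = callback_phishing_score(email["subject"], email["body"])
        if score >= threshold:
            flagged.append((email["subject"], score, reasons))
    return flagged


if __name__ == "__main__":
    for subject, score, reasons in triage(SAMPLE_EMAILS):
        print(f"[{score}] {subject}")
        for reason in reasons:
            print("   -", reason)
```

Only the constructed BravoMovies-style message clears the threshold; the benign invoice email shares the word "invoice" but has a link and no phone number, so it scores zero. A rule like this is a triage signal to route messages for review, not a verdict: legitimate billing notices do sometimes list a support number, which is why the score weights the absence of any link rather than the phone number alone.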
It clearly took some work to set up—which says something about the current malware delivery ecosystem. “Criminals are inherently lazy. They’re going to do the least amount of work possible to make money,” says Crane Hassold, senior director of threat research at the email security firm Agari. “The fact that they have to waste this much time to execute the malware shows how little return on investment they’re getting from traditional email delivery.”
Fake landing pages are already a staple of cybercriminal trickery. Scammers have created hundreds of Netflix and Disney+ knockoffs in recent years. The BazaLoader group has made phony sites before too, including a convincing impersonation of a lingerie retailer. But BravoMovies really does go above and beyond.
“We have not seen an entire fake streaming site created before,” says Sherrod DeGrippo, senior director of threat research and detection at Proofpoint. “This is a creative next level of social engineering.”
The details on the BravoMovies site don’t always hold up to close scrutiny, but they give at least a light veneer of credibility to the enterprise. The homepage boasts of not only HD but “Full HD” and 4K streams. Its category offerings are familiar, even if the titles are decidedly not. It advertises mainstream perks like downloads for offline viewing and compatibility with a range of devices (including, confusingly, Blu-ray players).
To create convincing thumbnail posters of films, the attackers raided design-focused social network Behance for images, along with an advertising firm and a book called How to Steal a Dog. The results tilt toward the absurd, but honestly not much more so than what you might find at the bottom of your Netflix queue.
To the extent that errors do jump out, well … maybe they do for you. “We’ve seen phishing pages that are built on free website builder sites and look like a child made them, and those are still successful,” says Hassold. “If someone has gotten to the point that they’ve made it to this landing page, the small spelling errors that most people would likely see and that would raise a red flag are probably not going to move the needle very much.”
The scope of the campaign remains unclear, as does its ultimate goal. As a backdoor, BazaLoader acts as a sort of staging area for more purpose-built malware that comes later. Think of it as the Bifröst bridge of Norse legend, but offering passage for ransomware rather than surly Viking gods. Proofpoint says it hasn’t detected whatever that second-stage payload is, but BazaLoader is closely linked to the group behind the notorious Trickbot malware.
The complexity of the BravoMovies method also has its drawbacks. While it’s handy for getting around email protections, it’s easier to get people to click than to call. “Because it relies so much on human interaction—that is, someone to actually pick up the phone and make a call—there is a lower likelihood of the recipient engaging with the threat actor,” says Proofpoint’s DeGrippo. She adds that the BazaLoader group typically sends tens of thousands of emails in a given campaign, with broad targeting across geographies and industries.
Still, the fact that they put in so much time and effort indicates that, despite the intricacies of the scheme, it must be working. There are more exciting heist plots out there. But points, at least, for originality.