This fake streaming service will spread malware — here's how to avoid it

News
By published

If you try to cancel your 'subscription,' you'll be infected

Four fake movies on the BravoMovies website, set up to induce victims to download malware.
(Image credit: Proofpoint)

A couple of months ago, it was a fake prescription subscription. Today, it's a fake streaming service. Either way, you get infected with real malware.

Researchers at Proofpoint report that the BazarLoader (which Proofpoint calls BazaLoader) malware crew may email you with a fake notice that your trial "subscription" to a fake streaming service called BravoMovies is about to end — and that you're about to be charged $39.95 a month.

"The entertainment-themed campaign was first observed in early May 2021 and masqueraded as a streaming entertainment service, complete with a slick website featuring fake movies," wrote Proofpoint researchers Selena Larson and Matthew Mesa in a blog post today (May 26). 

"Leveraging a streaming-service cancellation lure preys on a growing trend of users cancelling online entertainment following major growth in the industry during 2020."

Naturally, you don't want to be charged for something you never signed up for, so you call the customer-support number in the email. The helpful service representative directs you to the BravoMovies website, which looks pretty professional indeed. It's even displaying posters for fake movies.

The splash page of the BravoMovies website, the fake streaming service used to spread BazarLoader malware.

(Image credit: Proofpoint)

It's not the movies themselves that infect you with malware. Once you're on the site,  you're meant to visit the FAQ section, where there's a page to manage your "subscribtion." 

Click on "Cancel" and you're prompted to download an Excel spreadsheet. Once you take the spreadsheet out of "Protected Mode" and enable macros, the BazarLoader malware is installed on your PC.

The 'kill chain' of the BazarLoader infection process.

(Image credit: Proofpoint)

If this sounds familiar, it's the exact same M.O. as in a previous BazarLoader campaign that told people they were about to be charged between $70 and $90 per month for fake medical-prescription subscriptions. 

Other recent BazarLoader campaigns, some also involving malicious customer-support call centers, have involved bookstore orders and, for Valentine's Day, deliveries of flowers and, ahem, intimate apparel.

The BazarLoader malware is a "dropper" designed to crack open a hole in a Windows system and allow more malware to be downloaded and installed. The Proofpoint researchers didn't get to see what this particular build of BazarLoader grabs from the internet, but the dropper has been known to install the TrickBot information-stealer and Ryuk ransomware.

As before, the best way to avoid falling for this scam is to take a deep breath before calling the customer-service number in anger about the subscription plan you didn't subscribe to. A Google search will tell you there's no streaming service called BravoMovies — all we could find was a forum post from three weeks ago complaining about the scam. 

If you do end up calling the number, you should get a big wake-up call when that Excel spreadsheet opens on your computer. NEVER enable macros on Word, Excel or PowerPoint files downloaded from the internet. Leave Protected Mode on. We can't stress how important this is.

Your last line of defense is, as always, to install and run some of the best Windows 10 antivirus software.

TOPICS
Paul Wagenseil
Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.