A couple of months ago, it was a fake prescription subscription. Today, it's a fake streaming service. Either way, you get infected with real malware.
Researchers at Proofpoint report that the BazarLoader (which Proofpoint calls BazaLoader) malware crew may email you with a fake notice that your trial "subscription" to a fake streaming service called BravoMovies is about to end — and that you're about to be charged $39.95 a month.
"The entertainment-themed campaign was first observed in early May 2021 and masqueraded as a streaming entertainment service, complete with a slick website featuring fake movies," wrote Proofpoint researchers Selena Larson and Matthew Mesa in a blog post today (May 26).
"Leveraging a streaming-service cancellation lure preys on a growing trend of users cancelling online entertainment following major growth in the industry during 2020."
Naturally, you don't want to be charged for something you never signed up for, so you call the customer-support number in the email. The helpful service representative directs you to the BravoMovies website, which looks pretty professional indeed. It's even displaying posters for fake movies.
It's not the movies themselves that infect you with malware. Once you're on the site, you're meant to visit the FAQ section, where there's a page to manage your "subscribtion."
Click on "Cancel" and you're prompted to download an Excel spreadsheet. Once you take the spreadsheet out of "Protected Mode" and enable macros, the BazarLoader malware is installed on your PC.
If this sounds familiar, it's the exact same M.O. as in a previous BazarLoader campaign that told people they were about to be charged between $70 and $90 per month for fake medical-prescription subscriptions.
Other recent BazarLoader campaigns, some also involving malicious customer-support call centers, have involved bookstore orders and, for Valentine's Day, deliveries of flowers and, ahem, intimate apparel.
The BazarLoader malware is a "dropper" designed to crack open a hole in a Windows system and allow more malware to be downloaded and installed. The Proofpoint researchers didn't get to see what this particular build of BazarLoader grabs from the internet, but the dropper has been known to install the TrickBot information-stealer and Ryuk ransomware.
As before, the best way to avoid falling for this scam is to take a deep breath before calling the customer-service number in anger about the subscription plan you didn't subscribe to. A Google search will tell you there's no streaming service called BravoMovies — all we could find was a forum post from three weeks ago complaining about the scam.
If you do end up calling the number, you should get a big wake-up call when that Excel spreadsheet opens on your computer. NEVER enable macros on Word, Excel or PowerPoint files downloaded from the internet. Leave Protected Mode on. We can't stress enough how important this is.
Your last line of defense is, as always, to install and run some of the best Windows 10 antivirus software.