BazaLoader Attackers Create Fake Movie Streaming Site to Trick Victims

The criminals behind a recent malware campaign are using an elaborate infection chain that includes creation of a fake movie streaming website.

Proofpoint researchers report the attackers associated with BazaLoader malware have created a convincing fake site for a service called BravoMovies, which goes so far as to display fake movie titles on the landing page. 

The malware campaign sends emails that contain phone numbers and references to BravoMovies. The messages warn recipients their credit card will be charged unless they cancel their subscription to the service. If the target calls the phone number provided in the email, a customer service representative will verbally guide the user to the company's alleged website.

"The website is a convincing representation of a movie and television streaming service," researchers said in a blog post. "The threat actors used fake movie posters obtained from various open-source resources including an advertising agency, the creative social network Behance, and the book 'How to Steal a Dog.'"

This campaign is part of a broader trend researchers have observed in which BazaLoader-affiliated criminals in which they use call centers as part of an intricate attack chain.

Proofpoint thinks there is a likely overlap between the distribution and post-exploitation activity of BazaLoader and threat actors behind The Trick malware, also known as Trickbot.

The details from Proofpoint can be found here