Summertime has become synonymous with blockbuster movies. Unfortunately, these movies have become a go-to social engineering lure used by cybercriminals.
Just like in previous years, Trend Micro engineers searched for possible threats related to movies released during the summer. This year, 22 Jump Street was the top movie used for social engineering. Transformers: Age of Extinction and Maleficent ranked second and third, respectively. Where are these supposed streaming sites advertised? Tumblr ranks first, followed by WordPress and Blogspot.
Figure 1. Commonly used summer movie titles
Figure 2. Sites used to advertise online streaming sites
The US ranks first among the countries which accessed the movie-related URLs, followed by Australia and India.
Figure 3. Countries which visited the streaming sites
Suspicious Streaming Sites
Users can encounter these streaming sites by using choice keywords on the mentioned sites. For example, we tried looking for a streaming site for the movie How to Train Your Dragon 2 on social media and came across a page on Facebook.
Figure 4. Facebook page advertising the movie
The Facebook page features a post that contains a shortened link to the streaming site. Clicking the Play button on the page redirects the user to yet another page.
Figure 5. Redirected page
The user is encouraged to download a specific video player in order to watch the movie. However, the installer/downloaded file has been detected as adware, specifically ADW_BRANTALL.
Figure 6. “Video player” file being downloaded into the computer
The Possible Adware-Malware Connection
We found that this particular variant of ADW_BRANTALL can download unnecessary files, applications, and browser extensions into the system.
Other ADW_BRANTALL variants are known to push malware, specifically MEVADE/SEFNIT malware to computers. MEVADE malware is known for its click fraud and Bitcoin mining routines. A Trend Micro research paper, On the Actors Behind MEVADE/SEFNIT, speaks at length about this adware-malware connection. Note, however that this particular sample is not related to the ADW_BRANTALL that downloads MEVADE/SEFNIT as discussed in the said paper.
While it might be tempting to watch the latest and upcoming movies for free, users should remember that so-called copies made available online are often fakes or scams. Worse, these could be malware in disguise. It’s best to ignore temptation and just watch movies at the cinema.
Users need not to worry about such threats since Trend Micro Titanium™ Security protects systems from malicious links by highlighting these (URLS) thus preventing them (users) from clicking it in social networking sites, instant messages, and email.
As of posting, Trend Micro has informed Facebook about this incident and they already disabled accounts involved in these scams.
With analysis from Sylvia Lascano and Maela Angeles