A few months ago it was fake prescription subscriptions. Today it's a fake streaming service. Either way, you get infected with real malware.
According to Proofpoint researchers, the BazarLoader (which Proofpoint calls BazaLoader) malware crew may send a fake email notification saying that the recipient's trial "subscription" to a fake streaming service called BravoMovies will soon end and that the user will be charged $39.95 per month.
"The entertainment-themed campaign was first observed in early May 2021, complete with a slick website featuring fake movies and posing as a streaming entertainment service," Proofpoint researchers Selena Larson and Matthew Mesa wrote in a blog post today (May 26).
"The use of lures to cancel streaming services capitalizes on the growing trend of users canceling online entertainment after the industry's significant growth in 2020."
Naturally, recipients don't want to be charged a fee they don't remember signing up for, so they call the customer support number provided in the email. A friendly service representative directs them to the BravoMovies website. The site even displays a fake movie poster.
The movie itself is not what infects you with malware. Once on the site, you are directed to the FAQ section, which has a page for managing "subscriptions."
After clicking "Cancel," you are prompted to download an Excel spreadsheet. Once the spreadsheet is taken out of "protected mode" and macros are enabled, the BazarLoader malware is installed on the PC.
If this sounds familiar, it is the exact same M.O. as the previous BazarLoader campaign, which told people they would be charged $70 to $90 per month for a fake medical prescription subscription.
BazarLoader's other recent campaign also involved a malicious customer support call center, with lures that included bookstore orders and Valentine's Day deliveries of flowers and intimate apparel.
The BazarLoader malware is a "dropper" designed to drill holes in Windows systems so that more malware can be downloaded and installed. Proofpoint researchers could not confirm what this particular build of BazarLoader retrieves from the Internet, but droppers have been known to install the TrickBot information stealer and Ryuk ransomware.
As before, the best way to avoid falling for this scam is to take a deep breath before angrily calling a customer service number about a subscription plan you didn't subscribe to. A quick Google search will reveal that a streaming service called BravoMovies doesn't exist. All we could find was a forum post from three weeks ago complaining about the scam.
If you do call that number, being asked to open an Excel spreadsheet on your computer should be a big wake-up call. Never enable macros in Word, Excel, or PowerPoint files downloaded from the Internet. Leave the protected mode on. I cannot stress enough how important this is.
The last line of defense, as always, is to install and run the best Windows 10 anti-virus software.