Fake landing pages are already a staple of cybercriminal trickery. Hackers have created have created hundreds of Netflix and Disney+ knockoffs in recent years. The BazaLoader group has made fake sites before, too, including a convincing impersonation of a lingerie retailer. But BravoMovies really does go above and beyond.
“We have not seen an entire fake streaming site created before,” says Sherrod DeGrippo, senior director of threat research and detection at Proofpoint. “This is a creative next level of social engineering.”
The details don’t always hold up to close scrutiny, but they give at least a light veneer of credibility to the enterprise. The BravoMovies homepage boasts of not only HD but “Full HD” and 4K streams. Its category offerings are familiar, even if the titles are decidedly not. It advertises mainstream perks like downloads for offline viewing and compatibility with a range of devices (including, confusingly, Blu-ray players).
To create convincing thumbnail posters of films, the attackers raided design-focused social network Behance for images, along with an advertising firm and a book called How to Steal a Dog. The results tilt toward the absurd, but honestly not much more so than what you might find at the bottom of your Netflix queue.
To the extent that errors do jump out, well… maybe they do for you. “We’ve seen phishing pages that are built on free website builder sites and look like a child made them, and those are still successful,” says Hassold. “If someone has gotten to the point that they’ve made it to this landing page, the small spelling errors that most people would likely see and would raise a red flag are probably not going to move the needle very much.”
The scope of the campaign remains unclear, as does its ultimate goal. As a backdoor, BazaLoader acts as a sort of staging area for more purpose-built malware that comes later. Think of it as the Bifröst bridge of Norse/MCU legend, but offering passage for ransomware rather than surly Viking gods. whatever else rather than than a a path ransomware and whatever else are the Asgardians that actually make trouble. ProofPoint says it hasn’t detected…