Marvel Studios’ long-awaited superhero juggernaut Avengers: Endgame represents the second-largest worldwide box-office haul for any film, ever – raking in $2.2 billion in its first two weekends. With demand like that, perhaps it’s not surprising that enterprising scammers are already luring in victims with promises of free digital downloads of the blockbuster.
According to Kaspersky Lab researchers, scam sites have cropped up across the internet, promising the ability to “download the Avengers: Endgame full movie.”
They explained in a post last week that “streaming actually begins without incident. But soon after it starts, a message pops up to demand the user create an account.”
The “free” account captures a user name and password – potentially useful to cybercriminals, given the rampant practice of password re-use. A second screen then asks for billing information and full credit-card details, including the CVC code. The site purports to need the information simply to verify geography and to make sure the service is “licensed to distribute” the movie in the user’s region. That is a pretext: a legitimate geographic check never requires a card number, let alone the CVC, which exists precisely to authorize card-not-present purchases. The form is there to harvest the card data for fraud.
“There is no movie,” the researchers said. “The few seconds of genuine content that scammers streamed was just part of the movie trailer. And the information the user provided ends up in scammers’ hands. And those accounts are valuable for online scammers. They can be used for stealing money or digital valuables, for laundering stolen funds and items, or at the very least for spamming.”
As always, to avoid a cybersecurity endgame, people should beware the deal that seems too good to be true.
“Social-engineering methods are aimed at exploiting people’s emotions,” said Tatyana Sidorina, security researcher at Kaspersky Lab, via email on Monday. “An influential and much-loved franchise with an enormous global fan base seems like the perfect target. The temptation to take a few security shortcuts in order to be able to watch a long-awaited movie and not have to worry about spoilers or sold-out tickets can prove irresistible to loyal fans; that is what the attackers prey on.”
Scam activity has gone high-profile of late: Just last week, a Catholic church in Brunswick, Ohio was scammed out of $1.75 million as a result of a business email compromise (BEC) attack; and a scammer pretending to be Jason Statham tricked a vulnerable and unsuspecting fan out of a significant amount of money.
Also recently, GoDaddy worked with researchers to shut down 15,000 domain-shadowing websites tied to bogus affiliate marketing offers promoted via spam campaigns — most sites were peddling snake-oil remedies and fake products.