Spider-Man Movie Release Frenzy Bites Fans with Credit-Card Harvesting

Attackers are using the excitement over the new Spider-Man movie to steal bank information and spread malware.  

Friday’s release of Spider-Man: No Way Home is the first post-pandemic premiere to really have all the Hollywood blockbuster accessories: superheroes, Zendaya, a healthy dose of comic book nostalgia — even its own phishing scam.

Researchers at Kaspersky warned that the release of Spider-Man: No Way Home is being used by cybercriminals to spread malware and steal banking information.

“Fans’ expectations are through the roof right now, arguably higher than for any film,” Kaspersky’s Tatyana Shcherbakova explained in a statement. “Everyone who has ever been a fan of Spidey has their own theories about the films, which can be exploited by cybercriminals.”

Infosec Insiders Newsletter

It’s hardcore Spider-Man fans, desperate to the first to see the movie or get inside information about it, who are prime targets for fake promises of an early look at the film or offers to sign up for other access to the superhero’s universe, Kaspersky’s researchers warned. Kaspersky said some of the Spider-Man phishing sites use fan art of the film’s stars to try and catch the attention of the most frenzied followers of the franchise:

Source: Kaspersky.

Some phishing sites asked for banking information in exchange for downloading sneak peeks of the movie, which turn out to be malicious video files. If accessed, the videos are filled with adware and trojans, some able to gather and modify device data, the Kaspersky researchers reported.

“Forgetting about cybersecurity, the audience is in a hurry to find out the secrets of the movie premiere, and fraudsters are using fan art and trailer cuttings as bait to make victims download malicious files and enter banking details,” Shcherbakova said.

Spidey Sense Tingling?

High emotion and excitement are key to the success of phishing campaigns. Anytime a lure can illicit an emotional response, the more likely a victim is to click.

And emotions around the premiere of the latest installment in the Spider-Man franchise have already been running hot, making it more ripe than most pop-culture events for cyber-baiting. In the runup to the film’s release, social-media controversies were easy to find.

Days before the No Way Home premiere, “Deleting Twitter” started trending on Twitter as fans announced they were leaving the platform to avoid spoilers before they could see the move themselves.

Like this:

The real spoiler? Spider-Man: No Way Home fans are being targeted, so be careful out there.

Similarly, the real-life romance between No Way Home’s stars Zendaya and Tom Holland didn’t just send tongues wagging throughout the Spidey-verse, it also sparked a debate over “short kings” dating taller women in the runup to the Friday premiere.

Zendaya is reportedly a couple inches taller than Holland and the two fielded questions about the height difference throughout the press tour that fans and fierce defenders of the couple labeled as “misogynistic.”

Once again, Spider-Man’s social media army was ready to fight.

Cybercriminals are easily able to hide their lures in this flurry of Spider-Man online activity, researchers said. In fact, it provides cybercriminals with an ideal environment to launch a successful phishing campaign.

Common sense is the best approach for defense: “We encourage users to be alert to the pages they visit and not download files from unverified sites,” Shcherbakova said.

Check out our free upcoming live and on-demand online town halls – unique, dynamic discussions with cybersecurity experts and the Threatpost community.

Suggested articles