Scammers have been using the anticipation surrounding the latest Spider-Man film to launch phishing attacks.
Spider-Man: No Way Home is set to be one of the biggest films of the year, and has been subject to months of rumours in news articles and social media posts.
With huge interest online, it’s no surprise that many people have stumbled onto phishing sites that promise visitors the chance to watch an exclusive copy of the film.
Researchers at Kaspersky reported a surge in these sites, which will remain popular with COVID-19 cases increasing and many people looking to watch the film without going to the cinema.
But with no way to stream the film online legally – despite that becoming the norm during the height of the pandemic – many people will be seeking an alternative and won’t consider the risks involved.
How does the scam work?
Visitors to the scam sites are told that they can either stream or download No Way Home for free, but they must first provide their bank details to “verify” their account.
The site “guarantee[s] that no charges will be applied for validating your account” and that “no charges will appear on your credit card statement unless you upgrade to a Premium membership or make a purchase”.
But this is simply part of the scam. Once the victim has provided their payment card details, the attackers can do what they want with the information. This typically means transferring funds to an account they own or using the stolen details to make fraudulent purchases.
In addition to credit-card harvesting, cyber criminals are enticing viewers with the prospect of downloading the film. However, those who attempt to download the file will instead receive adware or Trojans.
Commenting on the scam, Kaspersky security expert Tatyana Shcherbakova said: “Fans’ expectations are through the roof right now, arguably higher than for any film.
“Everyone who has ever been a fan of Spidey has their own theories about the films, which can be exploited by cybercriminals. Forgetting about cybersecurity, the audience is in a hurry to find out the secrets of the premiere movie, and fraudsters are using fan arts and trailer cuttings as bait to make victims download malicious files and enter banking details. We encourage users to be alert to the pages they visit and not download files from unverified sites.”
Can you trust streaming sites?
Online streaming is an increasingly common way to watch films, but as this story demonstrates, scam sites pose a significant risk. For those looking to stay safe online, Kaspersky recommends:
- Avoiding links promising early viewings of films or TV series;
- Checking the URL of any streaming site that you visit;
- Looking at the extensions of any files that you download (videos will typically be MP4, WMV or AVI, while malware is often hidden in files with .exe or .msi extensions);
- Using anti-malware software to alert you to suspicious attachments.
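The extension check in the list above can be automated. The following Python is an added example, not code from Kaspersky or the original article: it compares a download's file name with its leading bytes, so an installer renamed to look like a video is still flagged. The function names, verdict strings and sample headers are constructed for illustration.

```python
import os

VIDEO_EXTS = {".mp4", ".wmv", ".avi"}      # video types named in the article
INSTALLER_EXTS = {".exe", ".msi"}          # executable types named in the article
EXPECTED = {".mp4": "mp4", ".avi": "avi", ".wmv": "asf"}

def sniff(header: bytes) -> str:
    """Identify a file type from its leading bytes (standard format signatures)."""
    if header[:2] == b"MZ":
        return "exe"                       # Windows PE executable
    if header[:8] == bytes.fromhex("D0CF11E0A1B11AE1"):
        return "ole"                       # OLE compound file, the container used by .msi
    if header[4:8] == b"ftyp":
        return "mp4"
    if header[:4] == b"RIFF" and header[8:12] == b"AVI ":
        return "avi"
    if header[:8] == bytes.fromhex("3026B2758E66CF11"):
        return "asf"                       # ASF container used by .wmv
    return "unknown"

def check_download(filename: str, header: bytes) -> str:
    """Return a verdict for a file that is supposed to be a video."""
    root, ext = os.path.splitext(filename.strip().lower())
    inner_ext = os.path.splitext(root)[1]  # catches names like film.mp4.exe
    kind = sniff(header)
    if ext in INSTALLER_EXTS:
        if inner_ext in VIDEO_EXTS:
            return "block-double-extension"
        return "block-executable"
    if kind in ("exe", "ole"):
        return "block-disguised-executable"  # video-looking name, executable content
    if ext in VIDEO_EXTS:
        return "ok" if kind == EXPECTED[ext] else "warn-mismatch"
    return "warn-not-video"

# Constructed sample inputs: (file name, first bytes of the file).
SAMPLES = [
    ("Spider-Man.No.Way.Home.mp4", b"\x00\x00\x00\x18ftypmp42"),
    ("No_Way_Home.mp4.exe", b"MZ\x90\x00"),
    ("no_way_home.avi", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("player_setup.msi", bytes.fromhex("D0CF11E0A1B11AE1")),
    ("no_way_home.wmv", b"\x00\x00\x00\x18ftypmp42"),
]

if __name__ == "__main__":
    for name, head in SAMPLES:
        print(f"{name:32} {check_download(name, head)}")
```

A matching extension and header only shows that the file looks like the claimed format; it does not replace the anti-malware scan recommended in the list.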
Organisations can also protect their employees from scams by educating them on the risks of phishing.
IT Governance’s Phishing Staff Awareness Training Programme explains how phishing attacks work, the tactics that cyber criminals use and how you can detect malicious emails.
The content is updated quarterly to include current examples of successful attacks and the latest trends that criminals use.