Attackers are exploiting the hype surrounding this year’s Oscar Best Picture nominated movies to infect fans with malware and to bait them to phishing websites designed to steal sensitive info such as credit card details and personal information. This method is the perfect way to get around movie fans’ defenses seeing that many of them are willing to take down their defenses for a chance to get a free preview, especially given that the 92nd Academy Awards ceremonies are just around the corner on February 9th. High-profile TV shows and films are frequently used as lures in social engineering attacks promising early previews either in the form of fake streaming sites or via malicious files disguised as early released copies.
And the winner is…cybercrime! The multi-billion dollar cybercrime industry shows how to pick the winners as well as the losers, who think that bootleg movie-watching is a victimless crime. When people are on the internet, they default to the delusional attitude of “It looked legitimate!” This originates from a deep-seated desire to get something for nothing. People trying to get free content think that, “after all, Hollywood can afford it, right?” It’s our job to help shake people free of these delusions.
Since I work in cybersecurity and spend my free time reviewing pre-release movies, I think I have a somewhat unique view into this world. When I get a new movie from a studio, I’m always surprised by the number of people who want me to share a copy with them, even when they don’t know what it is… they’re just excited by the idea of seeing a movie before it comes out. Something as simple as, “Sorry, I can’t get together tonight, I’ve got a new movie to watch” is followed up with, “Oh, what is it? Send me a copy.” The “I want it for free” attitude that so many people apply to the arts is disturbing. So even though I work in cybersecurity, I have a hard time feeling remorse for victims who were compromised because they were trying to steal other people’s hard work. We talk all the time about acceptable risk and threat avoidance or mitigation. People who pirate content are throwing those concepts out the window. It is well known that piracy websites are often plagued with malicious files and malvertising, yet people continue to visit them to save $4.99 on a movie rental or to see a film a few weeks before everyone else. It is telling about an individual that they’re willing to risk their personal information for a couple of bucks. When you think about it, you realize why enterprises invest in locking down systems and limit the actions of their employees. If I were an employer, I think that I’d be nervous if I had employees willing to take these risks. We always talk about user education and the layer 8 problem. A lot of the time, those of us in the industry laugh and wonder how it could be as bad as it is, because it just takes a little common sense to protect yourself, then we see stories like this, where people are so unwilling to spend a couple of dollars to rent a movie that they’d rather risk their credit history to see the movie for free. When you see this, you realize that we may never solve the human problem, because some people just don’t make sense.