The latest entrant in the streaming wars doesn’t stock a deep library of classics or buzzy original series. In fact, it won’t play movies at all, no matter how many times you tap or click. But the creative minds behind BravoMovies likely aren’t deterred by those gaffes. They’re criminal hackers, and their goal is not to deliver a rich home entertainment experience but to deposit malware on your computer.
The BravoMovies campaign, spotted by researchers at security firm ProofPoint, has been around since at least early May. While many of its elements seem absurd at a glance—the posters for nonexistent movies, the wince-inducing typos—it shows just how far hackers are willing to go to ensnare their victims.
When you think of phishing campaigns, to the extent that you do at all, you probably picture email attachments laced with malware. Trouble is just a click away. But email services have gotten better at keeping suspicious messages out of your inbox, making it harder for scammers to pull off such cons. Sidestepping those defenses increasingly takes some creativity—and effort, if the group behind BravoMovies is any indication.
Their fake streaming service is just one part of a convoluted, seven-step process to deliver a so-called backdoor called BazaLoader. They start with an email, sure. But it contains no malicious links, no tainted attachments that Gmail's sensors could sniff out. Instead, it simply informs you that your free trial period on BravoMovies—“amongst the major streaming services on the planet!”—is coming to an end, and that your credit card is about to be charged for the “premium plan.” It helpfully provides a phone number to call if you’d like to cancel.