04 May 2019
How fraudsters can dupe you with free 'Avengers: Endgame' download
Marvel's epic 'Infinity' saga is coming to an end with Avengers: Endgame, the movie that was released last Friday and is already on track to become one of the highest-grossing Hollywood movies.
But, as it turns out, the hype around Endgame is so great that scammers have started using the movie to dupe unsuspecting internet users.
Here's how that is happening.
Scammers using free 'Endgame' downloads to trick people
Avengers: Endgame has drawn so much interest that a number of people have turned to the internet to grab the recently leaked version of the movie.
But, here's the thing, scammers are aware of this.
They have started creating malicious websites that promise a free download or stream of the movie but actually lay a trap to trick unsuspecting users into giving up their confidential details.
Sign-in prompt steals confidential details
Security giant Kaspersky Lab has reported that the scammers' websites redirect users to sign in or create an account when they attempt to download or stream the movie.
The sign-in prompt seeks basic information without asking for money, but when users create an account, they give away their email address and set a password.
This information goes directly to the fraudsters.
This opens the gates for attacks
With emails and passwords at hand, scammers get an opportunity to carry out automated credential stuffing attacks.
Essentially, they can try the stolen email-password combinations across different sites in hopes of getting hold of several email, banking, or social media accounts.
This basically puts every compromised user who uses the same email-password combination for different services at risk.
Downloading movies from unofficial sources isn't recommended
Now, this is just one of the many reasons why security experts don't recommend downloading content from unofficial sources.
Such sites can even download malware onto your machine in the guise of an interesting new movie like Avengers: Endgame.
And, even if you're not downloading a movie, watch out for suspicious sites and don't give away your personal information on any random page.
Some sites even sought credit card details
Some of the websites highlighted by the Kaspersky team also sought credit card details, including the CVV. However, most users returned to the search results after seeing this prompt, the security experts added.
Here's what Kaspersky said about the attack
"It's a pretty safe bet that at least some of the email and password combinations collected by scammers on this website will match account credentials on other websites - online shops, gaming or streaming services, e-mail accounts, social media, you name it."