By: Julien Sobrier

The "movie" Rings

Malware

If you've recently looked for information on a movie or its trailer, you've probably stumbled upon a website which claims to provide free streaming or downloads. The promise of these sites is rather dubious since this activity would be illegal.

I've seen three main types of such movie scam sites. Here is how they work.

Spyware/Adware download

The most popular ring includes letmewatchthis.com, letbobwatchthis.com, letbobwatchthis.org, movie-source.org, letswatchsomething.com and hatfilmsite.org. They all look the same - a catalog of movies with a big "Download Now" link for each of the files.

 

One of the fake video sites
 

The sites do not actually host any movie files. If a user clicks on the "Download Now" button, he is redirected to movie-watching-site.com, and then automatically to www.movie-watching-site.com.powered-by.securewebsiteaccess.com after a few seconds. There, the user is asked to download the browser plugin ClickPotato. According to the site, "the ClickPotato add-on gives you FREE and unlimited access to all of the most popular TV shows and films online!"
 

Prompt to download a browser add-on
 

This executable is actually popular spyware known as Hotbar (currently undetected by 60% of AV vendors). Nothing else can be done on this site. If a user downloads the executable (Start button), the page does not change. If a user clicks Cancel, he is redirected back to movie-watching-site.com, but then returns to the same page on www.movie-watching-site.com.powered-by.securewebsiteaccess.com. On movie-watching-site.com, he is also prompted to download another piece of spyware disguised as VLC, a popular open-source video player.

securewebsiteaccess.com is known to host a lot of malware. I've seen the same type of page for downloading Hotbar at different sub-domains: video-streamonline.info.powered-by.securewebsiteaccess.com, messenger10-livepro-newmsn.com.powered-by.securewebsiteaccess.com, etc.
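The hostname pattern above, where a lure domain is nested as a subdomain of a hosting domain, can be hunted for in web proxy logs. The following is an added example, not part of the original post: the log format, the sample lines, the small TLD set and the function names `embedded_domain` and `scan` are assumptions constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Labels treated as "a domain name ends here" (small illustrative set, an assumption).
TLD_LABELS = {"com", "net", "org", "info"}

# Constructed proxy log lines (timestamp, client, URL); hostnames are those named in the post.
SAMPLE_LOG = """\
2010-01-01T10:00:01 10.0.0.5 http://letmewatchthis.com/
2010-01-01T10:00:09 10.0.0.5 http://movie-watching-site.com/
2010-01-01T10:00:14 10.0.0.5 http://www.movie-watching-site.com.powered-by.securewebsiteaccess.com/
2010-01-01T10:02:30 10.0.0.8 http://video-streamonline.info.powered-by.securewebsiteaccess.com/
2010-01-01T10:03:00 10.0.0.8 http://www.example.com/
"""

def embedded_domain(host):
    """Return (lure_domain, parent_domain) if host nests one domain inside another."""
    labels = host.lower().rstrip(".").split(".")
    # A TLD label counts only if a name precedes it and at least two labels
    # follow it, so suffixes such as example.com.au are not flagged.
    for i in range(1, len(labels) - 2):
        if labels[i] in TLD_LABELS:
            lure = ".".join(labels[i - 1:i + 1])
            parent = ".".join(labels[-2:])  # simplification: no public suffix list
            return lure, parent
    return None

def scan(log_text):
    """Group nested lure domains by the parent domain that actually serves them."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # skip malformed lines
        host = urlsplit(fields[2]).hostname
        found = embedded_domain(host) if host else None
        if found:
            lure, parent = found
            hits[parent].add(lure)
    return {parent: sorted(lures) for parent, lures in hits.items()}

if __name__ == "__main__":
    for parent, lures in scan(SAMPLE_LOG).items():
        print(f"{parent} serves {len(lures)} nested lure domain(s): {', '.join(lures)}")
```

A parent domain that accumulates many unrelated nested names is a reasonable candidate for blocking at the parent level rather than per sub-domain.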

Spam SEO

dvd-eng.info uses a different technique. Legitimate sites are hacked and new spam pages with movie content are added. Like the blackhat SEO spam pages seen before, they deliver relevant content about movies to the Google bot responsible for indexing content. However, if a user accesses the same site from a Google search, they are then redirected to dvd-eng.info and then to rolly.com. rolly.com offers a paid subscription ($39.90/month) to watch movies online. I doubt that this is a legal offer, at least not in the US. The website is hosted in the Netherlands.
 

Spam page redirecting users to dvd-eng.info
 


video-bill.com

Another scam is composed of elements from both the first and second types of sites previously reviewed. This time, an array of domains with similar content is involved - full-length-movies.net, alfamovie.com, movie2people.com, movie4people.net, movies-view.com, hippomovies.com, moviepro.net, etc. These sites show thousands of movies available for monthly subscription (39.99 euros/month) on video-bill.com.

 

 

 

All sites look the same

There is no shortage of video sites with too-good-to-be-true offers. There are only a few sites which offer legal TV or film streaming or downloading (iTunes, Amazon, etc.), and even fewer with free offers (Hulu, etc.). If you see offers from other sites, be aware that you will probably end up installing spyware and/or paying for something you will not actually get.

-- Julien

 

 
