IT NEWS

Self-driving cars are a privacy issue, says security expert

Self-driving cars peel off an extra layer from our privacy, says security expert Bruce Schneier.

Theoretically, if you know the location of all the closed-circuit television (CCTV) cameras in a neighborhood, you might be able to move around without one of them ever catching a glimpse of your face. Although depending on where you live, that might already be hard to accomplish.

But dashcams and the recordings made by self-driving vehicles are an entirely different matter. Their locations and camera angles are unpredictable, so they may catch us off-guard at any given moment. Waymo’s sensor suite, for example, works together to construct a detailed 3D picture of the world, showing moving and still objects. You could be one of those objects without realizing it.

Schneier quotes a Bloomberg article which highlights a few cases where serious crimes and accidents were the reason for law enforcement to request camera recordings from self-driving fleets such as Waymo and Cruise. In addition to a San Francisco homicide, Bloomberg’s review of court documents shows police have sought footage from Waymo and Cruise to help solve hit-and-runs, burglaries, aggravated assaults, a fatal collision, and an attempted kidnapping.

And many will point that out as the positive side of this privacy dilemma. We want these criminals to get caught, but on the other hand we don’t like the idea of being followed around. Police have already used footage from CCTV cameras to monitor the movement of people around crime scenes and help identify suspects. As the number of self-driving cars increases, so does the number of cameras that can be used to accomplish this.

If you look at Russia, where almost every car has a dashcam due to insurance fraud reasons, no major event happens outside that isn’t caught by multiple dashcams. But this is a different problem because the dashcam footage is stored locally and can be used at the discretion of the owner. That doesn’t increase your privacy, but lessens the chance of the footage being used.

The same is true for some video doorbells and security cameras, although there have been cases where the police went over the owner’s head and asked for footage directly from companies such as Amazon.

Self-driving fleets store the recorded data for long durations to help improve their capabilities. This makes requesting the data from all the self-driving cars in an area at a certain point in time a lot easier and more effective.

The continuous recording creates an enormous amount of stored data, and it’s obvious why the police have begun tapping into it for law and order enforcement. But it has already become clear that employees can’t always resist the temptation to share such footage for much less noble causes.

Last year, the EFF said:

“There are always going to be situations in which it might be expedient for public safety to be able to get around some of the usual infrastructure and be able to get footage very quickly.”

But the problem is that the people who are deciding what constitutes exigent circumstances and what constitutes the type of emergency, all of these very important safeguards, are the police, who have already decided they need the data, and tech giants like Google and Amazon that already have a bad reputation when it comes to our privacy.


Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Google plans to scrape everything you post online to train its AI

Additions to Google’s Privacy Policy are making some observers worry that all of your content is about to be fed into Google’s AI tools. Alterations to the T&Cs now explicitly state that your “publicly available information” will be used to train in-house Google AI models alongside other products.

From the Privacy Policy page:

In some circumstances, Google also collects information about you from publicly accessible sources. For example, if your name appears in your local newspaper, Google’s search engine may index that article and display it to other people if they search for your name. We may also collect information about you from trusted partners, such as directory services who provide us with business information to be displayed on Google’s services, marketing partners who provide us with information about potential customers of our business services, and security partners who provide us with information to protect against abuse. We also receive information from advertising partners to provide advertising and research services on their behalf.

You may be wondering where the reference to AI comes into play here. Me too! I’ve given talks on EULAs and privacy policies regarding some of the most excessive privacy policies around. I waded through every section tied to the privacy policy page, and I couldn’t find the relevant section. It eventually had to be pointed out to me that what look like hyperlinks leading off-site are actually links to pop open additional information on the terms used.

With this in mind, going back to the above extract, we need to click on “Publicly accessible sources” to see the following:

For example, we may collect information that’s publicly available online or from other public sources to help train Google’s AI models and build products and features, like Google Translate, Bard and Cloud AI capabilities. Or, if your business’ information appears on a website, we may index and display it on Google services.

Public sources

Given the controversy over AI use generally, it might not seem like the best idea to have this information be easily missed on a page where it should perhaps be a lot more prominent.

What does this mean in plain terms? In pre-AI times, if you posted something online, whether a blog, a photograph, a piece of music or something else, there’s a good chance it would end up scraped by a search engine. This is how search engines work, and this is how you find the content you’re looking for when entering search terms. 

But what Google is saying here is that from now on, all of the above will still happen. It’s just that the new addition means your text, photos, and music could end up helping to train its products and “AI models”.

As Gizmodo notes, previously it only referenced the popular Translate tool. Now Bard and Cloud AI are thrown into the mix. Bard is Google’s AI chat service, and if you were wondering: it does indeed make use of images. It ran into teething problems shortly after release, sharing false information in its own announcement. It’s no wonder that Google would try and make as much data as possible up for grabs with regard to feeding the ever-hungry AI tools with more information.

With so many AI tools doing things like falsely claiming that people have written articles or just running into copyright trouble generally, we have no real way to know if this will actually improve anything. You may have had some objections to search engines making bank from content you post online, but there is some positive return there in the form of your content being placed in front of people. Now we have AI spam posing a threat to said engines, while your content is potentially being monetised twice over with new AI policies coming into force.

Although the initial outlook for AI-generated content and scraping looks grim, it’s arguable whether the current spam-laden system is much better. The problem is we may just be trading one set of poor results and faulty tools for another.



Malicious ad for USPS fishes for banking credentials

We often think of malvertising as malicious ads that push malware or scams, and rightly so: these are probably the most common payloads. However, malvertising is also a great vehicle for phishing attacks, which we more often see delivered via spam emails.

Threat actors continue to abuse and impersonate brands, posing as verified advertisers whose only purpose is to smuggle rogue ads via popular search engines. In this blog post, we review a recent phishing attack that was targeting both mobile and desktop users looking to track their packages via the United States Postal Service website.

A Google search returned an ad that looked completely trustworthy. Yet it redirects victims to a malicious site that first collects their address and credit card details, and then requires them to log into their bank account for verification.

This elaborate phishing scheme is a reminder that malvertising via search results remains an issue that affects both consumers and businesses who place their trust behind well-known brands.

Malicious ad looks 100% legitimate

This malvertising campaign was first spotted by Jesse Baumgartner, Marketing Director at Overt Operator. In his LinkedIn post, he shares several screenshots of his experience while attempting to track a package and instead ending up on a scam website.

We were able to immediately find this same campaign by performing a simple Google search for “usp tracking”. Incredibly, the ad snippet contains the official website and logo of the United States Postal Service and yet, the “advertiser” whose verified legal name is Анастасія Іващенко (Ukraine), has nothing to do with it.

A malicious ad on mobile device for USPS tracker

This fake advertiser had 2 different ad campaigns, one that appears to target Mobile and the other Desktop users:

Google Ads Transparency page for malicious advertiser

Address verification and update just a trick to get banking credentials

One may wonder how threat actors are able to use the official URL in the ad and redirect victims to their own different website. The URLs shown in the ad are pure visual artifacts that have nothing to do with what you actually click on. When you click on the ad, the first URL returned is Google’s own which contains various metrics related to the ad, followed by the advertiser’s own URL. Users never get to see this, and that is what makes malvertising via brand impersonation so dangerous.

Web traffic when clicking on the ad
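The gap between the URL an ad displays and the site a click actually reaches can be checked from recorded web traffic. The following is an added example, not code from the original post: the click records, the `adclick.example` hop and the `parcel-update.example` host are constructed, the function names are hypothetical, and the known-bad domains are the defanged IoCs listed at the end of this post.

```javascript
// Added illustration: compare what an ad displays with where the click lands.

// IoC domains exactly as published (defanged) at the end of this post.
const PUBLISHED_IOCS = [
  "logictrackngs[.]com",
  "super-trackings[.]com",
  "web-trackings[.]com",
  "tracks4me[.]biz",
  "forgetrackng[.]com",
];

// Turn a defanged indicator back into a comparable hostname.
const refang = (domain) => domain.replace(/\[\.\]/g, ".");

// Hostname of a URL, lowercased, without a leading "www.".
function bareHost(url) {
  return new URL(url).hostname.toLowerCase().replace(/^www\./, "");
}

// True when host is the parent domain itself or one of its subdomains.
// The leading dot keeps look-alikes such as "usps.com.evil.example" or
// "notusps.com" from matching "usps.com".
function sameOrSubdomain(host, parent) {
  return host === parent || host.endsWith("." + parent);
}

// ad.displayUrl: the URL shown in the ad snippet.
// ad.chain: URLs requested after the click, in order (ad network hop first,
// advertiser landing page last).
function analyzeAdClick(ad) {
  if (!ad.chain || ad.chain.length === 0) {
    throw new Error("empty redirect chain");
  }
  const shown = bareHost(ad.displayUrl);
  const hops = ad.chain.map(bareHost);
  const landing = hops[hops.length - 1];
  const iocs = PUBLISHED_IOCS.map(refang);
  const iocHits = [
    ...new Set(hops.filter((h) => iocs.some((i) => sameOrSubdomain(h, i)))),
  ];
  const mismatch = !sameOrSubdomain(landing, shown);

  let verdict = "consistent";
  if (iocHits.length > 0) verdict = "known-phishing";
  else if (mismatch) verdict = "brand-mismatch";
  return { shown, landing, mismatch, iocHits, verdict };
}

// Constructed click records for the demonstration.
const SAMPLE_CLICKS = [
  {
    displayUrl: "https://www.usps.com",
    chain: ["https://adclick.example/aclk?cid=1001", "https://tools.usps.com/"],
  },
  {
    displayUrl: "https://www.usps.com",
    chain: [
      "https://adclick.example/aclk?cid=1002",
      "https://" + refang(PUBLISHED_IOCS[0]) + "/",
    ],
  },
  {
    // Look-alike host that merely starts with the brand's domain.
    displayUrl: "https://www.usps.com",
    chain: [
      "https://adclick.example/aclk?cid=1003",
      "https://usps.com.parcel-update.example/",
    ],
  },
];

for (const click of SAMPLE_CLICKS) {
  const r = analyzeAdClick(click);
  console.log(`${r.shown} -> ${r.landing}: ${r.verdict}`);
}
```

A "brand-mismatch" verdict is a triage signal rather than proof, since legitimate advertisers sometimes land on a separate campaign domain.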

Victims that click on the ad land on a website that asks them to enter their tracking number(s), just as they would expect. However, upon submitting that information they receive an error stating “Your package could not be delivered due to incomplete information in delivery address.”

It is not unusual to receive this kind of notification either. Users are then asked to enter their full address again but also need to pay a small fee of 35 cents by submitting their credit card information. This is the first clue that there is something amiss here.

Phishing steps

Victims are entering their credit card number into a phishing website. The small fee is completely irrelevant as there is much more damage that can be done by reselling this stolen data on criminal markets.

Malicious credit card form

The final step consists of asking users to enter their credentials for their financial institution. The phishing page is dynamic and will generate a template based on the card number previously entered. For example, here we have a VISA card and the associated bank is JP Morgan:

Visa phishing page

For a different card such as MasterCard, here’s the associated phishing page:

MasterCard phishing page

Falling for malvertising remains too easy

In the security field, we often speak about and recommend user education and training. When it comes to malvertising, awareness is important but training can only go so far. The example from this blog post shows why: malicious ads often look entirely legitimate and we can’t expect users to run queries on domain names and infrastructure to discern any malfeasance.

Brand impersonation is a huge problem and the solution to combat it starts with search engines applying stricter controls. When it comes to software downloads, one solution that comes to mind is reserving a placeholder for the official download page and never allowing an ad to take this spot. Microsoft’s Bing has done that quite well for the most part and such a policy would have a drastic impact on the safety of millions of users.

Security vendors like Malwarebytes will continue to protect their users thanks to browser protection tools available for businesses and consumers. The malvertising killchain can be disrupted from the initial ad, all the way to the payload (malware, phishing or scam). Only a full protection suite with real time protection can target those critical distribution points.

We have reported this incident to Google and Cloudflare has already flagged the domains as phishing.

Cloudflare has interstitial'd this account

Indicators of Compromise (IOCs)

logictrackngs[.]com
super-trackings[.]com
web-trackings[.]com
tracks4me[.]biz
forgetrackng[.]com


Fake reviewers face big fines

The FTC is cracking down on fake reviews. Under the new proposed rules, organisations involved in the buying, selling, and manipulation of reviews could be very much out of pocket. Every time a consumer sees a fake review, it will carry a fine of “up to $50,000” per viewing.

From the FTC release:

“Our proposed rule on fake reviews shows that we’re using all available means to attack deceptive advertising in the digital age,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The rule would trigger civil penalties for violators and should help level the playing field for honest companies.”

Fake reviews are a huge aggravation online. Quite often they’re not “just” a bogus review that doesn’t really matter. They trick you into buying substandard products. Bogus offers and deals float to the top of a site’s visibility if they have enough positive entries. People are so enamoured of the best scores imaginable that threats can follow on even when a great (and entirely real) review has been left.

Can you be certain that those eBay reviews are genuine? What about that Etsy seller? Is the unusual but one of a kind item on Amazon being floated to the top of the pile with dozens of fake reviews?

These FTC rules aim to help you find out. The range of topics covered is very comprehensive and covers all the bogus review angles you can think of:

  • Selling or obtaining fake consumer reviews and testimonials: The proposed rule would prohibit businesses from writing or selling consumer reviews or testimonials by someone who does not exist, who did not have experience with the product or service, or who misrepresented their experiences. It also would prohibit businesses from procuring such reviews or disseminating such testimonials if the businesses knew or should have known that they were fake or false.
  • Review hijacking: Businesses would be prohibited from using or repurposing a consumer review written for one product so that it appears to have been written for a substantially different product. The FTC recently brought its first review hijacking enforcement action.
  • Buying positive or negative reviews: Businesses would be prohibited from providing compensation or other incentives conditioned on the writing of consumer reviews expressing a particular sentiment, either positive or negative.
  • Insider reviews and consumer testimonials: The proposed rule would prohibit a company’s officers and managers from writing reviews or testimonials of its products or services, without clearly disclosing their relationships. It also would prohibit businesses from disseminating testimonials by insiders without clear disclosures of their relationships, and it would prohibit certain solicitations by officers or managers of reviews from company employees or their relatives, depending on whether the businesses knew or should have known of these relationships.
  • Company controlled review websites: Businesses would be prohibited from creating or controlling a website that claims to provide independent opinions about a category of products or services that includes its own products or services.
  • Illegal review suppression: Businesses would be prohibited from using unjustified legal threats, other intimidation, or false accusations to prevent or remove a negative consumer review. The proposed rule also would bar a business from misrepresenting that the reviews on its website represent all reviews submitted when negative reviews have been suppressed.
  • Selling fake social media indicators: Businesses would be prohibited from selling false indicators of social media influence, like fake followers or views. The proposed rule also would bar anyone from buying such indicators to misrepresent their importance for a commercial purpose.

The really interesting part here is that it isn’t only the fake review posters looking at a whole lot of trouble. It’s the companies sitting in the middle who should have known reviews are fake too. The FTC is tackling this problem on all fronts, potentially reducing the wiggle-room that those involved typically use to get themselves out of trouble. In software land, “rogue affiliates” take the blame all the time and organisations which should likely also be punished get away with a light slap on the wrist. There’s nothing light about $50k per fake review viewing.

As a final warning bell to those tempted to fake it to make it, this isn’t the only financial penalty waiting in the wings. The FTC would also possess the ability to recover money directly for anyone harmed by the fake reviews.

There will be some limits, however. Social media portals and review sites themselves are free of liability unless involved in the creation of the fake reviews. The Washington Post notes that some of the big players are taking the problems caused by fake reviews seriously. Amazon blocked “more than 200 million suspected fake reviews in 2022”. Elsewhere, Yelp flagged 19% of reviews in 2022 as “not recommended”.

All the same, you often don’t have to look hard to find some bogus reviews. Will a combination of large sites continuing to police their backyards and the FTC bringing the proverbial hammer down turn the tide? Perhaps. Even with the new rules on the horizon, areas outside of the FTC’s jurisdiction may not play ball. If you’re not in the US, you may experience spammy and fake reviews for some time to come.

Ultimately, as Samuel Levine of the FTC points out to The Washington Post, big review sites may be “running out of excuses”. If they have the most visibility of all of us into these issues on their sites, they’re almost certainly best placed to put an end to it. If they manage to pull it off, they can have all the five star reviews in town.



Elderly targeted in car accident scam, kingpin arrested

The head of a criminal network responsible for defrauding hundreds of elderly people has been arrested, Europol has announced.

After a joint operation in Germany, Poland, and the UK, Europol says the suspect was arrested in London from where he ran a network of fraudsters targeting mainly German and Polish citizens. Europol estimates that the overall damage done by the network amounts to around €5 million, and that €1.4 million of losses were prevented thanks to the successful takedown.

The fraudsters pretended to be police officers or impersonated other official authorities, calling targets to tell them one of their relatives had caused something like a car accident which resulted in injuries or the death of someone else. An accomplice, pretending to be the relative, would cry or scream into the phone frantically, begging the target to lend help.

The end goal was to get the target to hand over an amount of money to avoid the fake relative’s detention. The criminals would then send a person to collect the money at the victim’s doorstep. For this task, the criminal network recruited unwitting accomplices through online job platforms, in order to minimize exposure and avoid the risk of arrest of the criminals running the operation.

Targeting the elderly is nothing new, sadly. In many forms of phone scams, the perpetrators pose as close relatives of the targeted victims and pretend to have encountered financial, legal or health difficulties in order to fraudulently obtain money. Europol says:

“Crime targeting elderly citizens through scam calls, where individuals impersonate representatives of police and judicial authorities, poses a grave danger and has a profound impact on the victims. Apart from the suffered and often irrecoverable financial damage, it can cause emotional distress and a loss of trust in legitimate authorities.”

Don’t fall for them

It is important to stay vigilant and protect yourself from scam calls by following these guidelines:

  • Don’t share personal or financial information with unknown or unexpected callers
  • If someone is saying they are a relative of yours, check via another way—by calling them back on their own phone or other means to verify it is really them.
  • Keep in mind that law enforcement and other officials will never ask for money or payments over the telephone or in person by showing up at your door.
  • If you receive a call like this, hang up immediately and tell the police.

We’d also like to point out our 9 basic security tips for seniors to help you stay safe.



A week in security (June 26 – July 2)

Last week on Malwarebytes Labs:

Stay safe!



Brave browser will prevent websites from port scanning visitors

If you use Brave browser, then you’re shortly going to find you have a new string added to your security bow. Websites performing port scanning will now be automatically blocked beginning with version 1.54 of the browsing tool.

Port scanning, I hear you cry? Yes indeed. You may well not have even been aware that sites do such a thing. You may expect some antics related to cookies and perhaps the occasional tracking beacon, but port scanning?

Who is doing this and why?

Well, let’s start at the beginning with a rundown of what port scanning actually is. Port scanning involves scanning a computer network for open ports, which can then be exploited by individuals up to no good to gain unauthorised access or gather information about potential system vulnerabilities. It’s worth noting that scanning is not by default a malicious activity. For example, an organisation’s IT team may do this to ensure everything is working as expected and close any potential gaps which may have been missed.

As Ars Technica notes, a 2021 list of sites compiled by a researcher makes it clear that many major sites are, or have been, involved in this practice. Brave claims that many popular browsers allow websites to “access local network resources without protection or restriction, which puts users’ privacy and security at risk.”

The issue Brave is tackling is one related to how browsers typically work. While you may think everything is being served up from the web, some aspects of what you see in a browser are being hosted by software on your computer. Browsers are allowed to access these resources, and, on top of that, some software has been built to be accessible to websites with no malicious intention behind it. From the Brave update website:

…a small but important amount of software has been built expecting to be freely accessible by websites, often in ways invisible to users. And many of these uses are benign. Examples include some wallets for cryptocurrencies, security software provided by banks or security companies, and hardware devices that use certain Web interfaces for configuration.

Now we come to the crunch. Lots of dubious software can use the access to localhost resources to get up to mischief. As Brave explains, fingerprinting scripts will try to figure out the combination of software running on your system. By doing so, someone now has a picture of you built up and can potentially track you across the web. They could also try to determine if you have some vulnerable products running on your device and then come back with an exploit.

From Brave version 1.54 and up, this will no longer be possible. Brave already blocks scripts known to maliciously scan localhost resources and blocks requests from public sites to localhost resources. This is what the new version will do:

  • Requests to localhost resources, from a localhost context are allowed automatically; Brave does not block a locally hosted page from accessing other locally hosted resources.
  • Brave will continue to use filter list rules to block scripts and sites known to abuse localhost resources.
  • Brave will include a new permission called the “localhost” permission. Only sites with this permission will be able to make sub-resource requests to localhost resources. By default, no sites have this permission and, importantly, most sites have no way to prompt users for this permission. However, advanced users can use the existing site settings interface to grant sites this permission.
  • Brave will also include a list of trusted sites, or sites known to access localhost resources for user-benefiting reasons. The first time a site on this list initiates a sub-request to a localhost resource, it will trigger a permission prompt of the previously mentioned localhost permission. This list is publicly available, and will be maintained by Brave.
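The four rules above can be read as a single decision procedure. The following is an added model of that procedure, not Brave's source code. It assumes that a "localhost resource" means a loopback name or address (`localhost`, `*.localhost`, `127.0.0.0/8`, `::1`), that filter-list blocking is checked before the permission, and that a trusted site which was prompted but not granted the permission is blocked afterwards. The class, the site names and the list contents are hypothetical.

```javascript
// Added illustration: a model of the localhost access rules listed above.

// Loopback check on a hostname as returned by the URL parser. The parser
// already normalises odd IPv4 spellings (for example the decimal form
// 2130706433) to dotted form, so those cannot slip past the check.
function isLocalhostHost(hostname) {
  const h = hostname.toLowerCase().replace(/^\[|\]$/g, ""); // strip IPv6 brackets
  if (h === "localhost" || h.endsWith(".localhost") || h === "::1") return true;
  const m = /^(\d{1,3})\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.exec(h);
  return m !== null && m[1] === "127";
}

class LocalhostPolicy {
  constructor({ filterList = [], trustedSites = [] } = {}) {
    this.filterList = new Set(filterList);     // hosts known to abuse localhost
    this.trustedSites = new Set(trustedSites); // sites allowed to show the prompt
    this.granted = new Set();                  // sites holding the permission
    this.prompted = new Set();                 // trusted sites already prompted
  }

  // Permission granted through the prompt or through site settings.
  grant(site) {
    this.granted.add(site);
  }

  // pageUrl: top-level page; scriptUrl: script issuing the request;
  // targetUrl: the sub-resource being requested.
  decide({ pageUrl, scriptUrl = pageUrl, targetUrl }) {
    const target = new URL(targetUrl).hostname;
    if (!isLocalhostHost(target)) {
      return { action: "out-of-scope", rule: "target is not a localhost resource" };
    }
    const site = new URL(pageUrl).hostname;
    const script = new URL(scriptUrl).hostname;

    if (isLocalhostHost(site)) {
      return { action: "allow", rule: "localhost page to localhost resource" };
    }
    if (this.filterList.has(site) || this.filterList.has(script)) {
      return { action: "block", rule: "filter list" };
    }
    if (this.granted.has(site)) {
      return { action: "allow", rule: "site has the localhost permission" };
    }
    if (this.trustedSites.has(site) && !this.prompted.has(site)) {
      this.prompted.add(site);
      return { action: "prompt", rule: "trusted site, first request" };
    }
    return { action: "block", rule: "no localhost permission (default)" };
  }
}

// Constructed requests that exercise each rule in turn.
function runDemo() {
  const policy = new LocalhostPolicy({
    filterList: ["fingerprint-cdn.example"],
    trustedSites: ["bank.example"],
  });
  const out = [];
  const ask = (req) => out.push(policy.decide(req).action);

  ask({ pageUrl: "http://localhost:3000/", targetUrl: "http://127.0.0.1:8080/api" });
  ask({
    pageUrl: "https://shop.example/",
    scriptUrl: "https://fingerprint-cdn.example/fp.js",
    targetUrl: "http://127.0.0.1:5900/",
  });
  ask({ pageUrl: "https://news.example/", targetUrl: "http://2130706433:8000/" });
  ask({ pageUrl: "https://bank.example/", targetUrl: "http://localhost:4443/status" });
  policy.grant("bank.example"); // the user accepts the prompt
  ask({ pageUrl: "https://bank.example/", targetUrl: "http://localhost:4443/status" });
  ask({ pageUrl: "https://news.example/", targetUrl: "https://cdn.example/app.js" });
  return out;
}

console.log(runDemo().join(", "));
```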

The thinking behind this is that abuse of localhost resources is more common than it being used for beneficial actions. The Brave developers also don’t want to waste users’ time with lots of popups asking permission to do things that they expect “will only cause harm”.

Brave mentions that only Safari browser currently really does anything significant in this area, and that’s more of a “side-effect of security restrictions” rather than deliberate targeting. It remains to be seen if other browsers will jump on the localhost resource blocking bandwagon, but it probably wouldn’t be a bad thing if they do.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Of sharks, surveillance, and spied-on emails: This is Section 702, with Matthew Guariglia

In the United States, when the police want to conduct a search on a suspected criminal, they must first obtain a search warrant. It is one of the foundational rights given to US persons under the Constitution, and a concept that has helped create the very idea of a right to privacy at home and online. 

But sometimes, individualized warrants are never issued, never asked for, never really needed, depending on which government agency is conducting the surveillance, and for what reason. Every year, countless emails, social media DMs, and likely mobile messages are swept up by the US National Security Agency—even if those communications involve a US person—without any significant warrant requirement. Those digital communications can be searched by the FBI. The information the FBI gleans from those searches can be used to prosecute Americans for crimes. And when the NSA or FBI make mistakes—which they do—there is little oversight. 

This is surveillance under a law and authority called Section 702 of the FISA Amendments Act. 

The law and the regime it has enabled are opaque. There are definitions for “collection” of digital communications, for “queries” and “batch queries,” rules for which government agency can ask for what type of intelligence, references to types of searches that were allegedly ended several years ago, “programs” that determine how the NSA grabs digital communications—by requesting them from companies or by directly tapping into the very cables that carry the Internet across the globe—and an entire, secret court that has only rarely released its opinions to the public. 

Today, on the Lock and Code podcast, with host David Ruiz, we speak with Electronic Frontier Foundation Senior Policy Analyst Matthew Guariglia about what the NSA can grab online, whether its agents can read that information and who they can share it with, and how a database that was ostensibly created to monitor foreign intelligence operations became a tool for investigating Americans at home. 

As Guariglia explains:

“In the United States, if you collect any amount of data, eventually law enforcement will come for it, and this includes data that is collected by intelligence communities.”

Tune in today.

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use. 

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

Spyware app LetMeSpy hacked, tracked user data posted online

Stalkerware-type app LetMeSpy says it has been hacked, with the attacker taking user data with it.

From the message posted to the login screen on the LetMeSpy website:

On June 21, 2023, a security incident occurred involving obtaining unauthorized access to the data of website users.

As a result of the attack, the criminals gained access to e-mail addresses, telephone numbers and the content of messages collected on accounts.

To be clear, much of the data that was stolen is the data from the phone which has the tracking app on it, which has likely been installed without the phone owner’s knowledge. That’s because LetMeSpy is often invisible to the phone’s owner. 

So as long as someone can get quick access to install an app on your Android phone, they can monitor you. Once the app is on your phone, you often can’t tell it’s there. However, in the background, it is maliciously uploading all your calls, texts, and location to the LetMeSpy servers, which is what has now been hacked.

These sorts of apps have been used by people wanting to monitor their partner’s movements, along with parents and employers.

Polish site Niebezpiecznik first reported the breach. In the database file which was later dumped online, the blog said there was:

  • 26,000+ email addresses of the tool’s “operators” along with hashes of their passwords.
  • 16,000+ text messages, including passwords and codes for various services
  • Telephone numbers of people who had contacted the tracked phones
  • Telephone numbers of the people whom the tracked phone owner had called (along with the names associated with them in the contacts list)
  • Database dump in SQL format, containing more data, including locations

Spokesman Adam Sanocki for the Polish data protection authority UODO confirmed to TechCrunch that it had received a breach notice from LetMeSpy. When many breaches happen, the affected company should inform users that their data has been breached. But the users of the service here are the ones tracking people, and, sadly, it’s unlikely they’re going to let the people they are spying on know that their data has been taken.

How to prevent spyware and stalkerware-type apps

  • Set a screen lock on your phone and don’t let anyone else access it
  • Keep your phone up-to-date. Make sure you’re always on the latest version of your phone’s software.
  • Use an antivirus on your phone. Malwarebytes for Android shows you exactly what information you’re sharing with each app on Android, so you can keep an eye on your privacy. Malwarebytes detects the LetMeSpy app as Android/Monitor.LetMeSpy.

Coalition Against Stalkerware

Malwarebytes is a founding member of the Coalition Against Stalkerware. We continue to share intelligence with the Coalition Against Stalkerware to improve industry-wide detections while also guiding the domestic abuse support networks within the coalition through thorny, technical questions of detection, removal, and prevention.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

“Free” Evil Dead Rise movie scam lurks in Amazon listings

Scammers are using a novel technique with Amazon listings to trick fans of Evil Dead into downloads they may not want, and expensive rolling payments they have no interest in. Evil Dead Rise, the breakout horror film of 2023, started with big cinema numbers and has moved on to a victory lap in streaming land for good measure. In fact, it’s doing so well that the original film from 1981 has crept into the charts too.

A good time to be a Deadite. Not so good if you’re unable to catch a legitimate stream or the movie isn’t out in your region yet. If you decide to pre-order it from Amazon, you’ll see something odd nestled in the physical media section which we’ve highlighted in red. Bizarrely, there’s a podcast claiming to offer up a free version of Evil Dead Rise via streaming.

Fake Evil Dead Rise download

The full movie, in podcast form? I know Amazon has some pretty impressive technology but I don’t think we’re at that level just yet. The full text reads as follows:

!Streaming Evil Dead Rise 2023 Movie Evil Dead Rise 2023 Movie Warner Evil Dead Rise 2023 Pictures! Are you looking to download or watch the new Evil Dead Rise 2023 online?

If you are looking for Watch Evil Dead Rise (2023) : Full Movie Online Free, Watch Evil Dead Rise Streaming Full Movie Online Free ||Prime.

Playing the audio clip reveals about 24 seconds of generic soft rock music, presumably only present because the “podcaster” has to upload something to create a listing. To even access the audio file, you’d need to open it via an Audible account or Amazon Music.

Fake Evil Dead Rise podcast

Clicking the link redirects you through several URLs before settling on what looks like it’s about to offer you a stream of the film.

Fake Evil Dead Rise Stream

Evil Dead Rise for download or streaming, with a “Subscribe to watch: $0.00” message underneath? You can add this to the “Too good to be true” pile.

No matter what you click, on a mobile device you may be offered a download. In testing, we saw a program claiming to offer all manner of media downloads:

Media downloader

In another test, we were directed to an odd payment page:

Mobile sign up

I say odd, because the URL contains the word “antivirus”, which would suggest you’re potentially signing up for a security service of some kind. Despite this, there’s no clear indication of what exactly is being paid for here. Is it a security product? Am I still trying to sign up to the supposedly “free” version of Evil Dead Rise? I don’t know, but the page says this at the top:

“This is a special offer for a limited period of 3 days which comes with a £13.00 welcome gift card to explore and buy products in one of our affiliates’ websites. By acquiring this membership you will be automatically enrolled in our affiliate membership services. The membership fee amount of £29.24 which will be automatically deducted every 14 days unless skipped or cancelled.”

That’s a lot of money to pay for who knows what!

Meanwhile, clicking the movie streaming link on a desktop redirects to a generic sign up page with no additional details with regard to terms and conditions or privacy policies. Sites like this typically have a rolling subscription fee mentioned somewhere in the T&Cs. There is simply no reasonable way to know what you’re signing up for here.

How to avoid bogus spam listings on Amazon

  • Watch where you pay. Your typical Amazon transactions should be taking place within the main Amazon site. If you’re buying an item, watch out if you are directed to go to another URL. If in doubt, check with Amazon customer support.
  • Beware of “empty” content. Ebooks and audio files which do little but ask you to go somewhere else to obtain something are almost certainly scams. A one-page ebook saying “Go here”, or an audio file which is bereft of audio and comes with hyperlinks going off-site, should be treated with suspicion.

This is not the first time we’ve seen inventive uses of Amazon services to promote a scam. We’ve previously covered a range of spam ebooks on the Kindle store used to link to similar streaming services. In this case, we’ve reported the account uploading these podcasts to Amazon and users of Malwarebytes products will find they’re protected from the sites involved. Groovy.

