The Streaming Wars: A Cybercriminal’s Perspective
Cyber threats aren’t relegated to the world of big businesses and large-scale campaigns. The most frequent attacks aren’t APTs and massive data breaches—they’re the daily encounters with malware and spam by everyday users. And, one of the areas where we’re most vulnerable is entertainment—particularly when we’re so used to finding everything and anything we want to watch or play for little or no money online. That’s why, last year, we took a look at how cybercriminals use popular shows to spread malware. This year we turned to a no less popular entertainment sector: streaming platforms.
2019 was officially the year the Streaming Wars kicked off, as nearly all major networks—no matter the cost—hurried to profit from consumers’ new, preferred method of consuming content: streaming platforms. It began with Apple TV +. Then Disney +. And then—the most recent addition—HBO Max—a project the network developed in an effort to make use of an $85.4 billion acquisition of Time Warner. Not to mention the slew of different local platforms that have popped up in various regions around the world. In fact, the global video streaming market is expected to be worth $688.7 billion by 2024.
For cybercriminals, the switch to streaming means a new, lucrative attack channel has opened up. In fact, just hours after Disney + was launched, thousands of users’ accounts were hacked and their passwords and emails changed. The criminals then sold these accounts online for $3-$11.
And not only new streaming services are vulnerable. Popular services launched years ago, like Netflix and Hulu, are prime targets for distributing malware, stealing passwords, and launching spam and phishing attacks. Their appeal has only increased given the spike in subscribers in the first half of the year, as many people lost their jobs and/or were relegated to staying at home. In the first quarter of 2020, Netflix added 15 million subscribers—more than double what was expected. That means at least 15 more million people are vulnerable to cybercrime against streaming services. In fact, recent research from Flixed, a service that helps you find the best cable replacement, found that more than 1 in 10 people have had their streaming account hacked.
Not only are millions of account purchasers susceptible, but so are the millions more who receive access via relatives or friends that share their passwords and an unknown number of people who attempt to gain access to these platforms at a discount or are relegated to finding other methods of viewing their content in areas where the services aren’t available.
To help make users around the world become aware of the threats—and stay protected—we’ve taken an in-depth look at the cybercrime landscape of streaming services.
In this report, we analyzed several different types of threats—malware associated with streaming platforms and the original content they release, as well as phishing emails and fake websites/login pages.
For this purpose, we utilized results from the Kaspersky Security Network (KSN) – a system for processing anonymous data related to cybersecurity threats shared voluntarily from Kaspersky users. The results display those users (mobile or PC) that encountered various threats from January 2019 until April 8, 2020.
The streaming platforms analyzed for the purposes of this report are the following:
Malware for streaming platforms
When it comes to streaming platforms, malware and other threats (like adware) are most often downloaded when users attempt to gain access through unofficial means—whether by purchasing discounted accounts, obtaining a “hack” to keep their free trial going, or attempting to access a free subscription. Many times, these unofficial links or files come bundled with other malicious programs, such as Trojans and backdoors.
Using KSN, we searched for malicious programs bundled with files that contained the name of the five streaming platforms above in the context of obtaining login credentials, a subscription, or downloading the platform for viewing. The results display those users (mobile or PC) that encountered various threats while attempting to gain access to Netflix, Hulu, Amazon Prime Video, Disney +, and Apple TV Plus through unofficial means.
We also looked specifically at account checkers—tools used to check leaked credentials (often from data breaches) in bulk across different sites. Because many people reuse account login information, leaked passwords and usernames can provide access to multiple online accounts, and account checking tools let cybercriminals determine exactly which accounts, so that they can sell access to them (or steal the financial/personal information affiliated with them).
In addition, users can access or download account checkers available online in an attempt to gain free access to streaming platforms. Of course, using these tools comes with an increased risk of encountering malware. To find out how many users encountered various threats while using accounting checking tools for the five streaming platforms above, we looked at files that downloaded various threats and contained the name of one of the streaming platform plus the keywords “checker”, “brute”, or “cracker”. The results display those users (mobile or PC) that encountered various threats while coming across account checkers for Netflix, Hulu, Amazon Prime Video, Disney +, and Apple TV Plus.
Malware for original series
In addition, we examined malware affiliated with original programming on these platforms for the same time frame. The process was the same as that for malware related to streaming platforms. Using KSN, we searched for malicious programs bundled with files that contained the name of popular original television shows.
Disney +, by April 8, had one major original content release—The Mandalorian. However, the other—particularly Netflix—have wide original content libraries. We therefore selected those most popular/highly reviewed. Since many of these platforms don’t regularly publish viewing numbers, we used public sources, such as Rotten Tomatoes, IMDB, and Metacritic to develop the following list:
- The Mandalorian
- Sex Education
- Stranger Things
- The Witcher
- Love is Blind
- BoJack Horseman
- Orange is the New Black
- Tiger King
Amazon Prime Video:
- The Expanse
- The Marvelous Mrs. Maisel
- The Man in the High Castle
- Castle Rock
- High Fidelity
- Little Fires Everywhere
- Veronika Mars
- The Handmaid’s Tale
Apple TV Plus:
- The Morning Show
The results display those users (mobile or PC) that encountered various threats via malicious files that contained one of the above shows as a lure.
- Our Key Findings:A common phishing scheme involves asking users to confirm or update their payment information for a streaming platform account. Upon doing so, cybercriminals gain access to users’ financial information (credit card info/billing details).
- No Kaspersky users encountered threats while attempting to access Apple TV Plus.
- Netflix is, by far, the platform most frequently used by criminals as a lure to trick Kaspersky users into downloading various threats, either while they attempt to gain access to the platform, modify the application, or gather login info.
- When attempting to gain access to streaming platforms, 5,577 unique Kaspersky users encountered through links that used the name of legitimate platforms—Hulu, Netflix, Amazon Prime, or Disney +—as a lure or while attackers attempted to gain credentials of these platforms’ users.
- There were a total of 23,936 attempts to infect these 5,577 users
- The most frequent threat encountered for all attacks that used the name of one of the five streaming platforms above were different types of Trojans, which made up 47% of all encountered threats.
- The greatest number of attacks registered that contained the name of Netflix as a lure, came from Germany. For Amazon Prime: the United States. For Hulu: Dominican Republic. .
- 6,661 Kaspersky users encountered malware when coming across account checkers while trying to gain access to Hulu, Netflix, Amazon Prime, or Disney +.
- There were a total of 57,784 attempts to infect these 6,661 users
- The five original shows which were most often used by malware creators to attract the attention of potential victims and lure them into installing various threats were The Mandalorian, a Disney + original, followed by Netflix’s Stranger Things, The Witcher, Sex Education, and Orange is the New Black.
- More than half of the attacks (51%) disguised as one of the five shows most frequently used as a lure came from Spain.
Phishing for credentials
One of the oldest—and most effective ways—for stealing account credentials is through phishing. These criminals might not even be after access to your streaming account. Once they have your email address and password, they can use this information for various purposes: launching other spam or phishing attacks, gaining access to your other accounts (many times, people reuse passwords), or retrieving the billing and credit card information associated with the account.
Phishing scams related to streaming platforms include creating imitations of login pages as a way to harvest credentials. And Netflix remains the most popular target. Kaspersky researchers found fake Netflix login pages in four different languages (French, Portuguese, Spanish, and English). They also found imitations of Hulu.
Fake login page for Netflix in Spanish
Fake Hulu login page
With the launch of Disney +, cybercriminals found a new target: they began creating phishing pages to target potential customers.
Phishing page urging users to register for a free Disney + account in Italian
Such phishing scams are not surprising. In 2019, Kaspersky noted that criminals were more frequently exploiting major sporting and entertainment events to launch attacks. Users are baited with offers like free access to the final Game of Thrones season; to proceed, all they have to do is create a free account—and enter their billing information. These criminals used the same scheme when Disney + was launched to try to steal financial information.
A fraudulent offer for a free 1-year subscription to Disney +. If the user continues, they are prompted to input payment details, including the security digits on their credit card
Another common, financially motivated type of attack revolves around tricking users to confirm their payment details or add their billing info. Of course, once this is done, the criminals gain access to the funds associated with the victims’ credit card and/or bank account. These attacks come both in the form of phishing pages created to look like they are from the actual platform (see below) and emails sent to users’ accounts.
Left: a fake Netflix payment page requesting a new payment method be added Right: a phishing scam asking the user to add their billing info to their Hulu account
The content of emails is similar: users are warned their payment method is either outdated or must be confirmed, and, if not done so soon, their account access or membership will be suspended. Those who fall for such scams are vulnerable to exposing their account credentials, bank account information, and credit card details.
Phishing email asking the recipient to provide a new, valid payment method for their Amazon Prime account
Phishing is an old—and often successful—method for cybercriminals to quickly and easily earn money. Given that the number of streaming service subscribers will only increase, it’s likely the number of phishing scams related to these platforms and the number of platforms targeted will only grow.
Download Your Favorite Streaming App — And Some Malware
Streaming services not only provide a prime target for spam and phishing scams, they also come in handy when trying to deliver malware. Of course, those who subscribe to streaming services through official channels and only use approved versions of the apps can, in most cases, avoid accidentally downloading malware or other threats. But those that look to receive access—by “hacking” accounts, downloading free versions, or collecting free subscriptions—are far more susceptible to downloading various threats in addition to access. Subscribers, too, are not immune. They can encounter malware when attempting to download any unofficial or modified version of the app (say, Netflix with a black, instead of a red, background). They can also fall victim to malware if cybercriminals attempt to steal their account credentials.
The number of unique Kaspersky users that encountered various threats containing the names of legitimate platforms as a lure while trying to watch popular streaming platforms through unofficial means are as follows:
Graph depicting the number of unique users that encountered various threats containing the names of popular streaming platforms while trying to gain access to these platforms through unofficial means between January 2019 and April 8, 2020 (download)
Netflix was the most common platform used by criminals as a way to lure users into downloading various threats by far, with Hulu being the second most popular and Amazon Prime the third. Only 28 users encountered various threats while trying to watch Disney + through unofficial means and none when trying to watch to Apple TV Plus.
Disney + is a newer service, which partially explains the low numbers. In addition, it’s available in far fewer countries than both Amazon Prime and Netflix—15 as opposed to more than 100. On the other hand, because Hulu is only available in the United States, anyone outside the country who wants to watch it has to do so via unofficial means—increasing their chances of encountering threats.
Apple TV Plus’ virtual absence may be due to the fact that many people received a free yearly subscription: all they had to do was buy new Apple TV hardware or any Apple device no earlier than September 10, 2019. Since most malware is downloaded when users try to gain access without a paid subscription, the more people with access to the service, the less malware that’s downloaded. While users may encounter malware while trying to convert DVD content or videos to a format that works on Apple TV, if they already have an Apple TV, they don’t need to scour unofficial sources for a way to watch Apple TV Plus.
In addition, Apple TV Plus has struggled to gain a foothold in the streaming battle. Research suggests that fewer than 10% of the users eligible for the free one-year subscription actually took advantage. And, while being available in more than 100 countries, there could be as little as 10 million subscribers. Given its relatively low popularity, it’s not surprising that it’s not a source of significant malware activity.
The total number of attempts to infect users trying to gain access to popular streaming platforms via unofficial means by using the names of these platforms as a lure was 23,936.
Graph depicting number of attempts to infect users trying to gain access to popular streaming platforms by using the names of these platforms as a lure between January 2019 and April 8, 2020 (download)
Percent distribution of different types of threats disguised under the name of popular streaming platforms encountered by users between January 2019 and April 8, 2020 (download)
The most common threat encountered by users while trying to watch streaming platforms through unofficial means (47%) is also the most dangerous—Trojan. These types of malicious files allow cybercriminals to do everything from deleting and blocking data to interrupting the performance of the computer. Some of the Trojans distributed were Spy Trojans—particularly dangerous malicious files that track the users’ actions on the infected device. With spyware, users are susceptible to having their personal files and photos collected, as well as login and password information for their financial accounts.
The second most common threat encountered was “not-a-virus“—either riskware or adware. Riskware can range from download managers to remote administration tools and adware does exactly what it sounds like—bombards users with unwanted ads.
Somewhat alarming is the sizable percentage of users that encounter backdoors. These malicious files allow criminals to gain remote control over the device and carry out nearly any tasks they desire, including making the computer part of a botnet or zombie network.
Threats Encountered Per Region
Countries with the Greatest Number of Registered Attacks: Hulu
Threats spread using the name Hulu as a lure while trying to watch the platform through unofficial means are distributed worldwide. The second greatest number of attacks came from United States, which isn’t surprising. Given that it’s a US service, it’s well-known in the country, meaning it would be popular target for cybercriminals.
Countries with the Greatest Number of Registered Attacks: Netflix
For Netflix, users worldwide encounter various threats. The greatest number of attacks came from Germany. This could be due to the fact Germany is one of the ten most popular countries for Netflix.
Countries with the Greatest Number of Registered Attacks: Amazon Prime Video
Users around the world encounter threats when attempting to watch Amazon Prime Video through unofficial means, with the largest number of attacks coming from the United States (36.5%)—Amazon’s biggest market. Germany is Amazon’s largest foreign market, which explains the high number of users that encounter various threats, and India became a major focus for Amazon in 2018. 76.5% of all attacks that contained mentions of Amazon Prime came from these five countries.
Countries with the Greatest Number of Registered Attacks: Disney +
The greatest number of infection attempts registered that used the name Disney + came from Algeria (30%). The service is not available in Algeria, meaning anyone who tries to watch it must do so illegally—increasing their chances of encountering malicious files. The same is true for Saudi Arabia.
A Closer Look at Checkers:
At the same time Disney + subscribers were finding out their accounts had been hacked and they were locked out, those same accounts started popping up on hacker forums. In fact, selling streaming service accounts on the black market is big business, dating back years. Anyone interested in purchasing a streaming service account can simply search “Free Netflix Accounts” or “Purchase Cheap Hulu Subscriptions” in their Google browser and numerous results pop up. There are whole websites dedicated to the sale of discounted account logins.
Credentials are harvested in a number of ways. The most common is through phishing emails and fake websites (see above). In 2016, Trend Micro uncovered a scheme where Netflix users were tricked into clicking on malicious links sent via email; once clicked, the attached malware automatically collected their account login information. Using this scam, the attackers collected more than 300,000 passwords that they then sold.
A common attack tool of choice for collecting credentials is what’s called an account checker. Account checkers test passwords that have been uncovered from a breach or dump site at different websites to see if they provide access to an account. Once a matching pair is found (say an email and password for a working Amazon Prime account), then the criminals can take over the account—and any financial information stored within—and sell the credentials online.
Graph depicting the number of unique users that encountered various threats bundled with account checkers for popular streaming platforms between January 2019 and April 8, 2020 (download)
Not only do professional criminals use checkers, but those simply looking for streaming account access can also encounter them, whether intentionally or unintentionally. Unfortunately, such tools often come bundled with different types of threats, including malware. Between January 2019 and April 8, 2020, 6,661 Kaspersky users encountered various threats when coming across account checkers while looking for ways to gain access to various streaming platforms. In total, there were 57,784 attempts by criminals to infect these users through account checkers. Once again, Netflix was the most targeted platform for account checkers, with 6,292 users being exposed to cyber threats in this way and 52,899 infection attempts registered.
The second most common platform for users to encounter threats when coming across account checkers was Hulu. This could, once again, be attributed to the fact that, currently, Hulu is only available in the United States. That means that, for many, the only way to gain access is by either harvesting credentials or purchasing free subscriptions.
When it comes to Amazon Prime, few users encountered threats associated with account checkers. This might be due to the subscription model of Amazon: Amazon Prime Video comes as part of a bundle for any Amazon account holder that has a Prime subscription. Those looking to gain access to Amazon Prime Video might be looking for credentials for general Amazon accounts, rather than Amazon Prime Video in particular.
No users encountered threats from account checkers associated with Apple TV Plus. Of course, this might be due to the fact that Apple was giving out free one-year subscriptions.
The threat behind original content
Streaming services like Netflix made their name not only from streaming third parties’ movies and TV shows but producing their own content. Some of Netflix’s most popular shows are originals, and it will pay an estimated $17.3 billion for original content this year. Services like Apple TV Plus followed suit; the latter invested $6 billion in its original content for the launch. For those who want to see these original shows but not pay $5-$10 dollars a month on a subscription, the only way to watch them is by downloading them from a third party. This, of course, carries a risk of downloading malware.
In terms of the number of unique users affected, the 10 original shows (among the 25 mentioned in the Methodology section of this report) most frequently used by criminals as a lure to distribute various threats, including malware, were as follows:
The Mandalorian (Disney +)
Stranger Things (Netflix)
The Witcher (Netflix)
Sex Education (Netflix)
Orange is the New Black (Netflix)
The Man in the High Castle (Amazon Prime Video)
The Expanse (Amazon Prime Video)
Fleabag (Amazon Prime Video)
Castle Rock (Hulu)
The ten original shows from Amazon Prime, Apple TV Plus, Hulu, Netflix, and Disney + most frequently used as a lure to distribute various threats and the number of unique users that encountered various threats
The show most frequently used as a lure was The Mandalorian (1614), an original show launched by Disney + in 2019. It became the platform’s first original hit, and the most in-demand streaming series in November of last year. Stranger Things (1291), followed closely by The Witcher (1076), had the second and third greatest number of users that encountered various threats, respectively. Sex Education was a distant fourth with 420. When it comes to the 10 original shows used as lure where the greatest number of users encountered various threats, 5 came from Netflix, 3 from Amazon Prime Video, 1 from Hulu, and 1 from Disney +.
Netflix has the largest catalogue of original content, so it’s not surprising that its shows would more frequently be used to disguise malicious files. Stranger Things is one of the most popular shows on the platform: the launch of its third season witnessed a record of 26.4 million viewers in just four days. The Witcher was also a huge hit for Netflix, with reportedly 76 million people worldwide watching at least the first two minutes. Sex Education, which has two seasons, had an estimated 40 million viewers for the first season.
A Closer Look at the Five Shows Most Frequently Used as a Lure:
4,502 Kaspersky users encountered malware spread under the guise of the five shows most frequently used as a lure by criminals (The Mandalorian, Stranger Things, The Witcher, Sex Education, Orange is the New Black). The first is a Disney + original, while the other four are from Netflix.
There were a total of 18,947 attempts to infect these users using the above five shows as a lure, with the greatest number of attempts using the name The Mandalorian (5855).
The distribution of the specific threats encountered are as follows:
Percent distribution of the different types of threats encountered by users disguised under the name of one of the five most popular shows used as a lure by criminals (download)
Nearly two thirds of the threats encountered (74%) were Trojans. The types of Trojans varied widely and included everything from Spy Trojans, Trojan-Droppers, and Trojan Downloaders, to Ransomware Trojans, banking Trojans (those designed to steal money from your account), and Trojan-PSWs (those designed to logins and passwords). The second most common threat encountered were “not-a-virus” files. A small number of generic malware (Dangerous Objects), backdoors, and exploits were also among the malicious programs encountered.
The countries where the greatest number of various threats distributed under the guise of these five shows were detected are as follows:
More than half attacks registered that were disguised under the name of one of the five shows most frequently used as a lure came from Spain. In March, Disney + announced that it would be entering into a strategic alliance with Spain’s Telefónica—one of the world’s largest telephone operators—to launch on the country’s biggest subscription video on demand service, Movistar Plus. Most likely, this means that Disney + has attracted significant attention in Spain, and, thus, it’s not a surprising a large number of people would want to download its most popular show. In addition, Netflix is the second largest pay-TV platform in Spain after Movistar. The ten countries where the greatest number of attacks disguised under the name of one of the five shows most frequently used as lure by criminals were registered (i.e. The Mandalorian, Stranger Things, The Witcher, Sex Education, and Orange is the New Black)
A significant portion of attacks (17.6%) came from Russia, while the third greatest number came from India. Disney + launched as part of India’s local streaming service Hotstar and was reported to have amassed 8 million subscribers by April. Netflix has also expanded significantly in India, as well, over the past several months.
The streaming wars have only just begun—and so too has the various cybercrime associated with it. The global pandemic and subsequent surge in subscribers has only provided additional impetus for cybercriminals to target these platforms.
A growing number of platforms also makes users more vulnerable to cyberattacks: the more subscriptions users have, the harder it is to monitor them for suspicious activity, especially if one is no longer used but the subscription remains active. In addition, people tend to reuse passwords, meaning if criminals gain credentials for one account, they could potentially use the same information to access other streaming accounts—and collect the personal and financial information affiliated with them as they go.
What’s more, purchasing streaming content is becoming a big expense. Each individual subscription can range from $6 to $12 a month. In fact, if you wanted access to all five of the streaming platforms analyzed here, that would cost you $36.00 dollars a month—and that doesn’t include subscriptions to any other local channels or local platforms. The more platforms there are, the more subscriptions users will need to purchase to watch all their favorite content, meaning the more they will have to spend—money they might not have. In other words, the more expensive streaming becomes, the more users will be inclined to find less expensive ways to access these services—purchasing discounted accounts, using account checkers, falling for free subscriptions scams, etc. This makes them more vulnerable to malware and other cyber threats.
In terms of the platforms most frequently used as a lure when tricking users into downloading various threats, Netflix is still, by far, the most targeted—whether it’s luring people who are trying to gain access to the platform or watch its original shows. Worldwide, Netflix has the greatest number of subscribers (it’s hard to know how many people watch Amazon Prime Video because Amazon simply counts the total number of Prime members). However, this could change as newer platforms grow their subscriber base. Disney + amassed 54.5 million subscribers in just sixth months—signaling that it could become a huge competitor to Netflix. As certain shows and platforms shift in popularity, so will the prime targets of cybercriminals attacks.
No matter the platform or the show you choose to watch, it’s important to take certain precautions to stay safe.
In order to stay safe from phishing scams related to streaming platforms, Kaspersky experts recommend:
- Look carefully at the sender’s address: if it comes from a free e-mail service or contains meaningless characters, it’s most likely fake
- Pay attention to the text: well-known companies wouldn’t send emails with poor formatting or bad grammar
- Don’t open attachments or click on links in emails from streaming services particularly, if the sender insists upon it. It’s better to go to the official website directly and log into your account from there
- Be wary of any deals that seem too good to be true, such as a “one-year free subscription”
- Do not visit websites until you are sure they are legitimate and start with ‘https’
- Once on a website, check that it is authentic
- Double-check the format of the URL or the spelling of the company name, as well as read reviews and check the domain’s registration data before starting any downloads
- Use a reliable security solution like Kaspersky Security Cloud that identifies malicious attachments and blocks phishing sites
To protect yourself from malware when trying to watch streaming platforms or their original series:
- Whenever possible, only access streaming platforms via your own, paid subscription on the official website or app from official marketplaces
- Do not download any unofficial versions or modifications of these platforms’ applications
- Use different, strong passwords for each of your accounts
- Using a reliable security solution like Kaspersky Security Cloud that delivers advanced protection on all your devices