'Free' downloads of Oscar-nominated movies are actually nasty bundles of malware

Security researchers at Kaspersky have found hundreds of sites hosting bundles of malicious software, presented as free downloads of this year's Oscar-nominated movies. They also discovered a slew of phishing sites that tricked users into entering confidential information and even credit card details, using films including 1917 and Jojo Rabbit as bait.

With the Oscars awards ceremony due to take place on February 9, criminals are exploiting people's increased interest in the nominees for Best Picture. According to Kaspersky's report, Joker was the movie most commonly used to lure victims into downloading malware and handing over their bank details.

Malicious downloads typically start to appear around the time movies arrive on real streaming sites, as people start searching for other ways to watch them online. 

"Cybercriminals aren’t exactly tied to the dates of film premieres, as they are not really distributing any content except for malicious data," said Kaspersky malware analyst Anton Ivanov.

"However, as they always prey on something when it becomes a hot trend, they depend on users’ demand and actual file availability. To avoid being tricked by criminals, stick to legal streaming platforms and subscriptions to ensure you can enjoy a nice evening in front of the TV without having to worry about any threats."

Oscar bait

The best way to protect yourself from such malware attacks is to play by the rules, and only stream movies from legitimate sites and services such as Netflix, Amazon Prime Video, Hulu or Disney+ (we've assembled a guide to all the best streaming services to help you choose).

Before trying a new site or service, do some research to check that it's legitimate, and remember that if it seems too good to be true, it almost certainly is.

Phishing websites can be hard to spot, and are sometimes nearly identical to the sites they're impersonating. Always take a good look at the address bar to see which domain you're actually on, and don't click links from unknown sources in emails (instead, visit the site directly by typing its URL).