Spider-Man Movie Release Frenzy Bites Fans with Credit-Card Harvesting

Friday’s release of Spider-Man: No Way Home is the first post-pandemic premiere to really have all the Hollywood blockbuster accessories: superheroes, Zendaya, a healthy dose of comic book nostalgia — even its own phishing scam.

Researchers at Kaspersky warned that the release of Spider-Man: No Way Home is being used by cybercriminals to spread malware and steal banking information.

“Fans’ expectations are through the roof right now, arguably higher than for any film,” Kaspersky’s Tatyana Shcherbakova explained in a statement. “Everyone who has ever been a fan of Spidey has their own theories about the films, which can be exploited by cybercriminals.”

It’s hardcore Spider-Man fans, desperate to the first to see the movie or get inside information about it, who are prime targets for fake promises of an early look at the film or offers to sign up for other access to the superhero’s universe, Kaspersky’s researchers warned. Kaspersky said some of the Spider-Man phishing sites use fan art of the film’s stars to try and catch the attention of the most frenzied followers of the franchise:

Source: Kaspersky.

Some phishing sites asked for banking information in exchange for downloading sneak peeks of the movie, which turn out to be malicious video files. If accessed, the videos are filled with adware and trojans, some able to gather and modify device data, the Kaspersky researchers reported.

“Forgetting about cybersecurity, the audience is in a hurry to find out the secrets of the movie premiere, and fraudsters are using fan art and trailer cuttings as bait to make victims download malicious files and enter banking details,” Shcherbakova said.

Spidey Sense Tingling?

High emotion and excitement are key to the success of phishing campaigns. Anytime a lure can illicit an emotional response, the more likely a victim is to click.

And emotions around the premiere of the latest installment in the Spider-Man franchise have already been running hot, making it more ripe than most pop-culture events for cyber-baiting. In the runup to the film’s release, social-media controversies were easy to find.

Days before the No Way Home premiere, “Deleting Twitter” started trending on Twitter as fans announced they were leaving the platform to avoid spoilers before they could see the move themselves.

Like this:

> to avoid spoilers, i’ll be deleting twitter until i watch no way home.
>
>
> SEE YALL ON THE OTHER SIDE!!! pic.twitter.com/ZdVQF42ats
>
>
> — jules (@webshootrs) December 14, 2021

The real spoiler? Spider-Man: No Way Home fans are being targeted, so be careful out there.

Similarly, the real-life romance between No Way Home’s stars Zendaya and Tom Holland didn’t just send tongues wagging throughout the Spidey-verse, it also sparked a debate over “short kings” dating taller women in the runup to the Friday premiere.

Zendaya is reportedly a couple inches taller than Holland and the two fielded questions about the height difference throughout the press tour that fans and fierce defenders of the couple labeled as “misogynistic.”

> Zendaya and Tom Holland couldn’t give less of a [enter expletive of your choosing here] about their height difference. pic.twitter.com/ugpWdI4yJs
>
>
> — BuzzFeed (@BuzzFeed) December 11, 2021

Once again, Spider-Man’s social media army was ready to fight.

https://twitter.com/sherrysworld/status/1470803759617957891

Cybercriminals are easily able to hide their lures in this flurry of Spider-Man online activity, researchers said. In fact, it provides cybercriminals with an ideal environment to launch a successful phishing campaign.

Common sense is the best approach for defense: “We encourage users to be alert to the pages they visit and not download files from unverified sites,” Shcherbakova said.

Check out our freeupcoming live and on-demand online town halls– unique, dynamic discussions with cybersecurity experts and the Threatpost community.