I'm sharing some information here wondering if anyone can identify the criminal affiliate program at the root of this scam service.
The scam begins with what seems to be an automated bot response posted on Facebook. One of the outstanding questions: can anyone identify a bot that is making these spammy posts? These are a few examples from many thousands observed over the past week.
Step One: Unknown malware uses stolen Facebook credentials to post a spammy comment link.
We'll just do one walkthrough here, but each of these works the same way. The spam post, which is often added as a comment to a publicly shared post that mentions a movie, links to a Facebook page. Let's walk through the Ogbani Wanyu post first.
Step Two: The spam link points to a Facebook page created to share a shortened URL.
Facebook pages are created for recently popular movies; they claim to offer the ability to watch the full movie and share a shortened URL, usually a bit.ly link, but we've also seen Goo.gl links.
Step Three: A shortened URL redirects to a Blogspot page (sometimes other types of pages)
The bit.ly shortened URL on the fake IMDB page has received 4,298 clicks as of this writing. Important to note that we've seen A COUPLE HUNDRED of these pages so far! Each shortened URL points to a different redirection page. So far about 80% of those we've traced go to Blogspot pages.
Step Four: A Blogspot page hosts a movie streaming service affiliate page
These Blogspot pages promise free streaming of many movies that are still in theaters. Currently these include Solo (the new Star Wars movie), Avengers: Infinity War, Deadpool 2, Rampage, and many other very recent theatrical releases.
Some of the top affiliates in this program actually send their bit.ly shortened URL to a free ".tk" domain, which then uses randomization to send the traffic to one of their dozens of Blogspot blogs. That is the situation with Gmail user firstname.lastname@example.org, who has at least 50 blogs associated with that Gmail account alone! Each link takes the visitor to yet another movie streaming redirector site:
Step Five: Try to stream a Movie ... redirects to the streaming service and credits the affiliate
So, let's try to stream "Ant-Man and the Wasp" which, as of this writing, hasn't even been released to theaters yet.
We are now redirected to the streaming service ... in this case, the site is "box.imdbmov.com" but that is one of dozens as well. Note the "sub=doelsumbang" ... that part of the URL reveals the affiliate name that should receive credit for the income generated from this click.
Many of the affiliate Blogspot pages point to streaming services that have names similar to the old PutLocker criminal streaming service.
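To make the "sub=" observation usable at scale, here is an added example (not part of the original post or any tool the author used) that takes already-recorded redirect chains, labels each hop with its role from Steps Two through Five, and groups Blogspot pages and streaming hosts by affiliate ID. Only "box.imdbmov.com" and "sub=doelsumbang" come from the post; every other URL in the sample data is constructed.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

SHORTENERS = {"bit.ly", "goo.gl"}  # the two shorteners named in the post

def classify_hop(url):
    """Label one URL with the role it plays in the chain described above."""
    parts = urlsplit(url)
    host = parts.hostname or ""          # hostname is already lower-cased
    if host in SHORTENERS:
        return "shortener"
    if host == "facebook.com" or host.endswith(".facebook.com"):
        return "facebook_page"
    if host.endswith(".blogspot.com"):
        return "blogspot_affiliate_page"
    if host.endswith(".tk"):
        return "tk_randomizer"
    if "sub" in parse_qs(parts.query):
        return "streaming_service"
    return "other"

def affiliate_id(url):
    """Return the value of the 'sub' query parameter, or None if absent."""
    values = parse_qs(urlsplit(url).query).get("sub")
    return values[0] if values else None

def summarize(chains):
    """Group chains by affiliate; chains never followed to a 'sub=' URL are 'unattributed'."""
    summary = defaultdict(lambda: {"chains": 0, "blogs": set(), "services": set()})
    for chain in chains:
        ids = [a for a in map(affiliate_id, chain) if a]
        entry = summary[ids[-1] if ids else "unattributed"]
        entry["chains"] += 1
        for url in chain:
            role, host = classify_hop(url), urlsplit(url).hostname
            if role == "blogspot_affiliate_page":
                entry["blogs"].add(host)
            elif role == "streaming_service":
                entry["services"].add(host)
    return dict(summary)

# Constructed sample chains (one list per recorded click path).
CHAINS = [
    ["https://bit.ly/CONSTRUCTED1", "https://constructed-blog-a.blogspot.com/",
     "http://box.imdbmov.com/?sub=doelsumbang"],
    ["https://bit.ly/CONSTRUCTED2", "http://constructed-redirector.tk/",
     "https://constructed-blog-b.blogspot.com/", "http://box.imdbmov.com/?sub=doelsumbang"],
    ["https://goo.gl/CONSTRUCTED3", "https://constructed-blog-c.blogspot.com/"],
]

if __name__ == "__main__":
    for affiliate, info in summarize(CHAINS).items():
        print(affiliate, info["chains"], sorted(info["blogs"]), sorted(info["services"]))
```

Blogs that land under "unattributed" are the ones whose chain still needs to be followed to the streaming service before they can be tied to an affiliate.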
Step Six: Register your "Free Account"
Oops! We can't watch the movie yet! We haven't registered our "Free Account!"
Stream your favorite movies FOR FREE! Sign up FOR FREE! FREE Unlimited Access!
Step Seven: Provide your Credit Card for the Free Service!
Step Eight: Get Billed $39.95 per month
So, how much do you suppose this Free service will cost you?
That's right....$39.95 per month ... FOREVER.
But wait! I thought it was FREE!?!?!?
Did you read the Terms & Conditions? Free trials last 24 hours, after which they automatically convert to premium accounts, billable at $39.95 per month.
Upon completion of the free trial period, your signup to the Site will renew automatically on a monthly basis billed as stipulated in your signup process, until cancelled regardless of the length of your free trial period. Please note, prices for the service may vary depending on country, device, service offered and promotions. The first day following the expiration of your free trial period will be your anniversary date for billing purposes during your Monthly Package Term. Your Payment Method will be charged the recurring monthly package fees and any applicable sales tax on the day following the expiration of your free trial period unless you have chosen to cancel your package prior to the conclusion of the free trial period. YOU MUST CANCEL YOUR MONTHLY PACKAGE PRIOR TO THE END OF THE FREE TRIAL OFFER TO AVOID CHARGES TO YOUR PAYMENT METHOD. You will not receive any notification from Silveris s.r.o. online at the expiration of your free trial. Please note the expiration date of your free trial for your records.
The Ask: Do you know more about this scam?
If you have additional information about any parts of this scam, we'd love to hear from you. Examples of things we'd like to know:
1. Where does this program sign up affiliates?
2. What malware is making the Facebook spam comment posts?
3. Who runs the affiliate program?
Other gaming, movie, and book websites offering the same scammy terms of service:
A Small Sampling of Blogs related to this scam: