Pirated Game of Thrones Episodes are a Popular Means of Malware and Phishing Attacks
by Scott Ikeda

To paraphrase Queen Cersei Lannister: when you pirate the Game of Thrones, you win or you get malware. Or perhaps fall victim to a phishing scam. Either way, it’s not good.

Avid fans of the fantasy series looking to get around paying HBO’s toll for the final season may be in for a very rude surprise. Hackers know that millions around the world are looking to get their hands on popular TV shows like this one for free, and they are using that interest as a vector for attacks.

This is hardly a new game, either. In 2018 – a year in which the show was on hiatus while preparing for the epic final season – Game of Thrones accounted for 17 percent of all malware passed through pirated television content. Kaspersky Lab found that 20,934 users of their services experienced some sort of attack attributed to a pirated episode of the show.

“But wait”, you might be saying, “how can hackers use a video file to compromise my computer?” There are all sorts of clever approaches, schemes as insidious as any plot ever hatched in Westeros.

How Game of Thrones phishing and malware attacks work

Video files are usually seen as a safe format, since they’re not a type of executable. Though it is theoretically possible to pass malicious code through an otherwise legitimate video file, this isn’t really something that is seen in the wild nor is it the way most Game of Thrones media hacks happen.

Instead, hackers often disguise executable files as video files. This is usually done with a long episode name that appears to end in a standard video file extension such as .avi or .mp4, but if you look carefully the file is actually an .exe. Hackers count on pirates double-clicking the downloaded file directly, expecting it to open in the associated video player, rather than opening the video player first and then selecting the file. Similarly, the trojans may take the form of shortcut files disguised as new episodes.
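A download can be checked for this disguise before anyone double-clicks it by comparing what the name claims with what the first bytes of the file actually are. The following is an added example, not part of the original article; the file names and header bytes are constructed, and the extension lists are illustrative assumptions rather than a complete set.

```python
# Added example: flag "episodes" whose name and content disagree.
VIDEO_EXTS = {".avi", ".mp4", ".mkv", ".mov", ".wmv"}
EXEC_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".lnk"}
# Windows shortcut header: HeaderSize 0x4C followed by the LinkCLSID.
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")


def sniff(head):
    """Classify content by its leading bytes, ignoring the file name."""
    if head.startswith(b"MZ"):
        return "pe-executable"
    if head.startswith(LNK_MAGIC):
        return "shortcut"
    if head[4:8] == b"ftyp":
        return "mp4"
    if head.startswith(b"RIFF") and head[8:12] == b"AVI ":
        return "avi"
    if head.startswith(b"\x1a\x45\xdf\xa3"):
        return "matroska"
    return "unknown"


def triage(name, head):
    """Return the reasons a downloaded file should not be double-clicked."""
    reasons = []
    # Windows ignores trailing dots and spaces, so strip them first.
    parts = name.lower().rstrip(" .").split(".")
    final_ext = "." + parts[-1] if len(parts) > 1 else ""
    # Space padding before the real extension is stripped here too.
    inner_exts = {"." + p.strip() for p in parts[1:-1]}
    kind = sniff(head)
    if final_ext in EXEC_EXTS:
        reasons.append(f"real extension is {final_ext}")
        if inner_exts & VIDEO_EXTS:
            reasons.append("video extension used as decoy before the real one")
    if kind in ("pe-executable", "shortcut") and final_ext not in EXEC_EXTS:
        reasons.append(f"named like media but content is {kind}")
    if final_ext in VIDEO_EXTS and kind == "unknown":
        reasons.append("video extension but no recognised container header")
    return reasons


if __name__ == "__main__":
    samples = [  # constructed names and header bytes
        ("Game.of.Thrones.S08E01.1080p.mp4.exe", b"MZ\x90\x00"),
        ("GoT S08E03.mp4.lnk", LNK_MAGIC),
        ("GoT.S08E02.avi", b"MZ\x90\x00"),
        ("GoT.S08E01.mp4", b"\x00\x00\x00\x20ftypisom"),
    ]
    for name, head in samples:
        print(name, "->", triage(name, head) or "no mismatch found")
```

An empty result only means the name and header agree; it says nothing about whether the media file itself is safe to open in a vulnerable player.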

Another method is to host a live stream that passes malware to unsuspecting viewers in the background. This can be passed directly from the host, or it may even be inadvertent on the part of the streamer. Since these streaming sites exist in a legal grey area (at best), they are often quite liberal about the sorts of advertisements they accept to stay afloat. Hackers are well aware of this and take advantage by buying ads that they slip their malware into. A variation of this is torrent websites running a stealth cryptominer in the background, as The Pirate Bay was caught doing in 2017.

Compressed files using the .ZIP or .RAR format in Windows should also be viewed with suspicion. A recently discovered exploit allows malware to be passed by simply opening a compressed file using WinRAR, the most widely used program for this sort of thing. No executable file inside the archive needs to be run; the act of simply opening the compressed file surreptitiously delivers a payload to the Startup folder that is executed the next time the computer boots up.
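An archive's directory can be read without extracting anything, which allows a check of where each entry would be written. The following is an added example, not part of the original article: the article does not say how the payload reaches the Startup folder, so this assumes the stored entry paths are what point there, inspects ZIP files only (through Python's zipfile module), and does not model the WinRAR flaw itself. The sample archive and its entry names are constructed.

```python
# Added example: list ZIP entries and flag paths that leave the extraction
# directory or land in a Windows Startup folder. Nothing is extracted.
import io
import ntpath
import zipfile

STARTUP_MARKER = "\\start menu\\programs\\startup\\"


def risky_entries(archive_bytes):
    """Map entry name -> list of reasons, reading only the ZIP directory."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            # Judge the path the way Windows would: both separators count.
            win = info.filename.replace("/", "\\")
            norm = ntpath.normpath(win)
            reasons = []
            if ntpath.splitdrive(win)[0] or win.startswith("\\"):
                reasons.append("absolute path")
            if norm == ".." or norm.startswith("..\\"):
                reasons.append("escapes extraction directory")
            if STARTUP_MARKER in "\\" + norm.lower():
                reasons.append("targets a Startup folder")
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample():
    """Constructed test archive: one ordinary entry, one suspicious path."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Season 8/GoT.S08E01.mp4", b"constructed placeholder")
        zf.writestr(
            "../../AppData/Roaming/Microsoft/Windows/"
            "Start Menu/Programs/Startup/update.exe",
            b"constructed placeholder",
        )
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in risky_entries(build_sample()).items():
        print(name, "->", ", ".join(reasons))
```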

And then there are the phishing schemes. Fans who like to post publicly about the show may receive emails or private messages with links that are supposedly to a Game of Thrones episode, but will actually pass malicious files or request identity information when followed. Notorious Chinese hacking group APT17 was tied to phishing efforts of this nature back in 2017, sending fans of the show an email entitled “Wanna see the Game of Thrones in advance?” in the wake of certain episodes being leaked.

Hackers have also managed to pass malware through the subtitle files of videos. This attack has been patched out of most of the major video players at this point, but more off-beat programs or older versions of these players may still be susceptible to such an attack.

High-risk episodes

Some episodes of each Game of Thrones season are actually more risky than others. As Paul Bischoff, privacy advocate for Comparitech.com, noted:

“According to our survey, half of US adults have searched for a pirated version of their favorite TV show. Given the prevalence of malware on torrent sites, unsanctioned streaming sites, and in pirated downloads, many Game of Thrones fans will run a high risk of infection when attempting to stream or download the new season for free.

“In particular, the first and last episodes of a season are preferred to transmit malware,” he warned. “Phishing is also a frequent threat on these dodgy sites and their advertisements.”

Kaspersky found that the first and last episodes of each season are the most likely to be infected with malware or be connected to a phishing attempt, going all the way back to the very first year the show aired. Each new episode of Game of Thrones brings new fans who want to go back to the beginning to catch up. Established fans also periodically re-watch old episodes. While both of these groups may skip some middle episodes here and there, they almost always watch the first and last while going over a previous season, and the show’s very first episode (“Winter is Coming”) was found to be the most frequently exploited. Season one of the show was also the one most frequently used for malware attacks among pirated TV shows. Around 16 million people watch the final episode of each season of the show, a number that is likely to increase substantially for the series finale.

Interestingly, while Game of Thrones is the show most frequently used for malware and phishing attacks, it was not even in the top 10 of the most frequently pirated shows in 2018. AMC’s “The Walking Dead” experienced the biggest wave of malicious activity last year, and was the second most common show to be associated with a malware attempt. There is likely to be a spike in the number of incidents in 2019, however, as no new episodes aired in 2018. That will mean an even greater amount of malware floating around out there disguised as the show’s new episodes.

The Internet is dark and full of malware

The best way to avoid falling victim to phishing attempts and malware is to not pirate episodes of the show. Admittedly, that can be a tall order for Game of Thrones fans outside of the United States. HBO’s own streaming services, Go and Now, are unavailable outside of their home country and geo-restricted in most of the rest of the world.

However, there are workarounds for this that are generally safer than taking chances with infected pirated content (and reward the people involved with the show to boot). For example, many people use a virtual private network (VPN) to obtain a United States iTunes account and then watch the show as it airs through Apple TV. The service has a free trial period, which would be particularly advantageous for new subscribers just looking to watch the current season. This eighth and final season of Game of Thrones is shortened as compared to previous years, with only six total episodes running from April 14 to May 19.