How Game of Thrones Phishing and Malware Attacks Work?


Video files are usually seen as a safe format, since they’re not a type of executable. Though it is theoretically possible to pass malicious code through an otherwise legitimate video file, this isn’t really something that is seen in the wild nor is it the way most Game of Thrones media hacks happen.

Instead, hackers often try to disguise executable files as video files. This is usually done behind a long episode name that ends in a standard downloadable files format for video like .avi or .mp4, but if you look carefully the file is actually an .exe. Hackers count on the pirates downloading and double-clicking directly on the file to have it automatically associate with a video player rather than opening the video player first then selecting the file. Similarly, the trojans may be in the form of shortcut files disguised as new episodes.

Game of Thrones - Malware

Another method is to host a live stream that passes malware to unsuspecting viewers in the background. This can be passed directly from the host, or it may even be inadvertent on the part of the streamer. Since these streaming sites exist in a legal grey area (at best), they are often quite liberal about the sorts of advertisements they accept to stay afloat. Hackers are well aware of this and take advantage by buying ads that they slip their malware into. A variation of this is  torrent websites running a stealth cryptominer in the background, as The Pirate Bay was caught doing in 2017.

Compressed files using the .ZIP or .RAR format in Windows should also be viewed with suspicion. A recently discovered exploit allows malware to be passed by simply opening a compressed file using WinRAR, the most widely used program for this sort of thing. No executable file inside the archive needs to be run; the act of simply opening the compressed file surreptitiously delivers a payload to the Startup folder that is executed the next time the computer boots up.

And then there are the phishing schemes. Fans who like to post publicly about the show may receive emails or private messages with links that are supposedly to a Game of Thrones episode, but will actually pass malicious files or request identity information when followed. Notorious Chinese hacking group APT17 has been tied to phishing efforts of this nature back in 2017, sending fans of the show an email entitled “Wanna see the Game of Thrones in advance?” in the wake of certain episodes being leaked.

Hackers have also managed to pass malware through the subtitle files of videos. This attack has been patched out of most of the major video players at this point, but more off-beat programs or older versions of these players may still be susceptible to such an attack.

High-Risk Episodes

Some episodes of each Game of Thrones season are actually riskier than others. Kaspersky found that the first and last episodes of each season are the most likely to be infected with malware or be connected to a phishing attempt, going all the way back to the very first year the show aired. Each new episode of Game of Thrones brings new fans who want to go back to the beginning to catch up. Established fans also periodically re-watch old episodes. While both of these groups may skip some middle episodes here and there, they almost always watch the first and last while going over a previous season, and the show’s very first episode (“Winter is Coming”) was found to be the most frequently exploited. Season one of the show was also the one most frequently used for malware attacks among pirated TV shows. Around 16 million people watch the final episode of each season of the show, a number that is likely to increase substantially for the series finale.

Game of Thrones - Malware is Coming

Interestingly, while Game of Thrones is the show most frequently used for malware and phishing attacks, it was not even in the top 10 of the most frequently pirated shows in 2018. AMC’s “The Walking Dead” experienced the biggest wave of malicious activity last year, and was the second most common show to be associated with a malware attempt. There is likely to be a spike in the number of incidents in 2019, however, as no new episodes aired in 2018. That will mean an even greater amount of malware floating around out there disguised as the show’s new episodes.

However, there are workarounds for this that are generally safer than taking chances with infected pirated content (and reward the people involved with the show to boot). For example, many people use a virtual private network (VPN) to obtain a United States iTunes account and then watch the show as it airs through Apple TV. The service has a free trial period, which would be particularly advantageous for new subscribers just looking to watch the current season. This eight and final season of Game of Thrones is shortened as compared to previous years, with only six total episodes running from April 14 to May 19.

2 thoughts on “How Game of Thrones Phishing and Malware Attacks Work?

Leave a Reply

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.