Windows Movie Maker scam spreads massively due to high Google ranking

Scammers have been surprisingly successful at distributing a modified version of Windows Movie Maker that aims to collect money from unaware users. The spread of the scam (which itself is far from new) has been boosted by search engine optimisation of the crooks’ website, as well as continuing demand for Windows Movie Maker, Microsoft’s free video editing software, discontinued since January 2017.

At the time of writing, the website spreading the modified software, ‘windows-movie-maker.org’, comes up as one of the top results when searching for “Movie Maker” and “Windows Movie Maker” on Google (using this browser, it ranks as number one in the majority of countries with the highest number of internet users). On Bing, the search engine with the second largest global market share, the website is also placed on the first page of results.

Figure 1 – High Google ranking for the scam website

ESET security products detect the scam as Win32/Hoax.MovieMaker and block the website distributing it. We have notified both Google and Microsoft about the fraudulent nature of the high-ranking website (which was registered back in 2010).

As a consequence of the website’s high search engine ranking, the crooks behind the scam have managed to reach a global “audience”, with the modified Windows Movie Maker emerging among the most prevalent threats in ESET’s telemetry in the past few days.

Figure 2 – The scam website

On November 5, 2017, Win32/Hoax.MovieMaker was the third most detected threat worldwide and the number one threat in Israel. As of November 6, our telemetry recorded many detections in the Philippines, Israel, Finland and Denmark.

Figure 3 – Win32/Hoax.MovieMaker as the third most prevalent threat worldwide

How the scam works

When users install the software offered on the above-mentioned website, they get a functioning Windows Movie Maker. However, unlike the official and free Windows Movie Maker by Microsoft, this one claims to be a trial version that needs to be upgraded to a full version in order to offer all features.

The user is repeatedly prompted to purchase the full version, first when the software is launched and later when the user tries to save a new document. In the latter case, the prompt prevents the user from continuing, making it appear as if saving a document was a paid feature.

Figure 4 – Payment prompt displayed by the modified Movie Maker upon saving a document

The price requested for the fake upgrade is set to $29,95 (€2570.26) in what is presented as a 25% discount on the payment website used by the crooks.

How to stay safe

If you’ve already installed the Movie Maker offered on windows-movie-maker.org, uninstall it and run a scan using a reputable antimalware solution.

Figure 5 – Payment website used by the scammers

To avoid falling victim to similar scams, always stick to official sources when downloading software. If you really need to use a piece of software that’s no longer distributed by its original maker, make sure you:

    • Use a reliable security solution to detect and block malicious content.
    • Consider using the official replacement for the discontinued software – in this case, Windows Story Remix.
    • Don’t pay for software that is or was officially offered for free. Information on software pricing should be available online.
