With the Oscars taking place this Sunday (15 March), fans can still try to watch the “Best Picture” nominees before the awards ceremony – but a leading cybersecurity expert warns that you could be wide open to forgery attacks.
Surfshark research has found that only 15% of Google search results for the best pictures of 2026 are legitimate and safe to use, highlighting the risk of losing access to your social media accounts or even financial platforms by clicking the wrong link – especially on mobile devices or tablets.
“You do not even have to click ‘download’ to get your device infected. Simply visiting the site or clicking a fake ‘Close Ad’ button can trigger a quiet background download or redirect you to a malicious app,” explains Miguel Fornes, cybersecurity expert at Surfshark.
Surfshark analysed 2 697 Google search results for free download or streaming services of all movies nominated for ‘Best Picture’ in 2026. It found that 405 of all search results claimed in their description that people could either watch online or download the movie.
Further analysis of these 405 websites for all ‘Best Picture’ nominees revealed that only 15% of relevant search results lead to legitimate platforms like Amazon Prime, Netflix, HBO Max, or Apple TV and are safe to visit, while 52% are potentially malicious and 33% are very dangerous to visit.
“Malicious websites, because they are banned from safe ad networks, often host dangerous ads or video players containing malicious scripts,” says Fornes. “These scripts can execute a cross-site request forgery attack, silently tricking your browser into performing unauthorised actions on other sites where you are logged in and kept in the background, like changing a shipping address, granting app access, or even hijacking your home router’s DNS settings. This makes visiting such sites a serious risk for silent account and network hijacking.”
Hackers can bypass your 2-factor authentication
An analysis of search results for the movie Marty Supreme revealed that 97% of results pointed to websites identified as potential threats to users, while only 3% led to legitimate platforms.
In contrast, Frankenstein had the most legitimate results of all analysed movies, with 9% of search results leading to genuine platforms. However, 64% of the results were identified as posing a potential risk, and a significant 27% were flagged as very dangerous.
“Imagine you want to try the latest viral candy bar trending on social media, but once you go to the supermarket, 85% of the stock is contaminated or rotten,” Fornes says. “Would you risk poisoning just because of the trend? This analogy and our results are worrying, especially as people have developed a habit of using mobile devices for everything – including watching videos online. This poses extreme risk, as mobile devices are often targeted by bad actors: screens are small, it is difficult to identify suspicious links, and you can’t hover a mouse over hyperlinks and check before clicking, as mobile devices have only one option – click.
“For this reason, cookie stealing and session hijacking are perhaps the most severe threats that might happen to you,” he adds. “Instead of tricking your browser into making a forged request, attackers use different techniques to steal your active session cookies. When you successfully log into an account, the website gives your browser a unique ‘session cookie’. This acts as a convenient ‘VIP pass’ so you do not have to re-enter your password on every single page you click.
“If an attacker steals that cookie file from your device, they can load it directly into their own browser on the other side of the world,” Fornes says. “In certain conditions, it may completely bypass 2-factor authentication, since the cookie acts as an already authenticated session.”