Artful Netflix-themed phishing campaign can fool many


A recently spotted Netflix-themed phishing email campaign is so well crafted that it’s difficult for many less tech-savvy users to spot the scam.

Extremely convincing phishing emails

The emails, purportedly coming from the online streaming service, take the form of a suspension notification.

Visually, they look very much like one expects such an email to look – Netflix design elements, no obvious spelling errors, the usual email elements:

[Image: Netflix-themed phishing email]

And, when the “recipient” field in the email has been merged successfully (it hasn’t in the example above), the email even addresses the recipient by name.

“The scammers are using a template system to generate individualised messages with specific recipient data. This works like a mail-merge; the body of the email is generic, but the sender field is designed to show the name of the intended victim, which personalises the scam making it more convincing,” MailGuard’s Emmanuel Marshall explains.

Clicking on the offered link takes users to a spoofed Netflix login page that, again, is an almost perfect copy of the real thing.

The victims are instructed to enter their login credentials, and are then taken through several pages asking for their billing and payment information, as well as details such as date of birth, mother’s maiden name, and driver’s licence number.

After all this information is entered and submitted, the site shows the victims a reassuring “Your Membership Has Been Reactivated” screen.

Cleverly disguised phishing sites

The phishers “park” these phishing pages on legitimate but compromised sites (often WordPress blogs) – sites that have a good online reputation.

According to FireEye intelligence analyst Richard Hummel, other techniques the phishers use to increase the credibility and longevity of the pages are:

  • HTML pilfered from Netflix’s site;
  • Encrypted user-side HTML, so that phishing scanners have a hard time spotting the pages;
  • Making the pages not load if the traffic comes from IP addresses known to belong to internet security monitoring groups.

Advice for users

Security-savvy users are sure to spot that the phishing pages’ URLs have nothing to do with Netflix. Unfortunately, there are always users who don’t know what to look for to identify phishing attempts.

The best piece of advice that can be given to those users is to never click on links in any email that seems to come from a popular, legitimate service they are members of. Instead, they should visit the website independently, and log in from there.

Another good way to check whether a login web page is a phishing page is to enter random, jumbled credentials in it (e.g. username: kdfjiuw0r84rfndskj, password: 248nc+sdlkf).

If the page accepts them and/or redirects you to other pages requesting more sensitive personal and payment information, it’s definitely a phishing page.
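The URL mismatch mentioned above (the phishing pages’ URLs have nothing to do with Netflix, even when they sit on reputable compromised sites) can also be checked automatically by a mail filter. The following Python code is an added example, not part of the original article; the allow-list, the sample email and every hostname in it are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: domains the real service links to (not taken from the article).
BRAND_DOMAINS = {"netflix.com"}

# Constructed sample body; every hostname below is made up for illustration.
SAMPLE_EMAIL = """
<p>Your membership has been suspended.</p>
<a href="https://www.netflix.com/help">Help Center</a>
<a href="http://blog.example.org/wp-content/nf/login/">Restart membership</a>
<a href="https://netflix.com.account-verify.example/login">Sign in</a>
<a href="https://www.netflix.com@login.example.net/">Update payment</a>
<a href="mailto:support@netflix.com">Contact us</a>
"""

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._open = [], None
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self._open = [href, ""]
    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append((self._open[0], self._open[1].strip()))
            self._open = None

def belongs_to_brand(host, brand_domains=BRAND_DOMAINS):
    # Exact match or true subdomain; a substring test would pass look-alike hosts.
    return any(host == d or host.endswith("." + d) for d in brand_domains)

def suspicious_links(html, brand_domains=BRAND_DOMAINS):
    """Return (host, link text) for web links that leave the brand's domains."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parts = urlsplit(href)
        # .hostname ignores any "user@" prefix, so "netflix.com@host" resolves to host.
        host = (parts.hostname or "").rstrip(".").lower()
        if parts.scheme in ("http", "https") and not belongs_to_brand(host, brand_domains):
            findings.append((host, text))
    return findings
```

Calling `suspicious_links(SAMPLE_EMAIL)` flags the compromised-blog link and the two look-alike hosts, while the genuine help link and the `mailto:` address are left alone.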
