Are you a Netflix subscriber? Have you received an odd email telling you to update your bank details within 24 hours or lose your account? Ignore it and delete it: that email does not come from Netflix but from a phishing campaign designed to steal your payment card details.
Discovered by the cybersecurity company Armorblox, the campaign is built around an email that claims to come from Netflix Support, informing recipients of a billing issue caused by a failure to verify their personal data. The email warns that the subscription will be cancelled unless the data is updated within 24 hours, which heightens the sense of urgency.
When the user clicks the link, they land on a Netflix look-alike site with a phishing flow that asks them to enter:
– Netflix access credentials
– Billing Address
– Credit card details
Once the forms are completed, the user is redirected to the real Netflix home page, with no indication that they have been compromised and that the attackers now hold their data. Why does anyone fall for it? Because of how carefully the deception and its individual elements were put together. For example:
Using a functional CAPTCHA
By clicking the link in the email, targets are first taken to a fully functional CAPTCHA page with subtle Netflix branding (black background, red buttons). Entering the correct alphanumeric sequence takes them on to the main phishing site.
A working CAPTCHA page makes the whole interaction look more legitimate. It also makes it harder for security tools that simply follow redirects to reach and inspect the URL’s final destination: an automated crawler gets stuck at the CAPTCHA and never sees the credential-harvesting page behind it.
Both phishing pages in this attack, the CAPTCHA page and the Netflix look-alike site, were hosted on legitimate web domains:
– The CAPTCHA page URL was ‘https [:] // wyominghealthfairs [.] Com / cpresources / d3835d8b / 1 /’, which now leads to an error page.
– The parent domain of that URL, wyominghealthfairs [.] Com, belongs to a real organization with no connection to Netflix or to the attack.
– The fake Netflix site was hosted on ‘axxisgeo [.] Com’, a domain belonging to a Texas-based oil and gas company that is likewise unrelated to Netflix and to the attack.
By hosting phishing pages on legitimate domains, attackers evade security controls based on URL/link reputation and bypass filters that block known-bad domains. The attackers most likely exploited vulnerabilities in the web server or content management system (CMS) to plant these pages on otherwise legitimate domains without the site administrators noticing.
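As an added example (not Armorblox’s or Netflix’s code, and not part of the original article), the Python below shows the triage check this paragraph argues for: it refangs the defanged indicators quoted above, extracts the registrable domain of each link, and compares it with the brand’s legitimate domain rather than relying only on a blocklist. The Netflix allow-list (netflix.com only), the blocklist entry, the path on axxisgeo and the remaining sample URLs are constructed assumptions for illustration.

```python
"""Triage the links in a suspected brand-impersonation email.

Added example, not code from Armorblox or Netflix. The two defanged domains
are the indicators quoted in the article; the other inputs, the Netflix
allow-list and the blocklist entry are constructed assumptions.
"""
import re
from urllib.parse import urlsplit

# Registrable domain(s) the impersonated brand legitimately uses.
# Assumption: netflix.com only; extend for your own environment.
BRAND_DOMAINS = {"netflix.com"}

# A reputation blocklist of previously seen phishing domains (constructed).
# Neither compromised legitimate domain from the article is on it.
BLOCKLIST = {"netflix-billing-update.example"}


def refang(ioc: str) -> str:
    """Turn a defanged indicator like 'hxxps [:] // host [.] com / p' back into a URL."""
    url = ioc.replace("hxxp", "http")
    url = re.sub(r"\s*\[\s*:\s*\]\s*", ":", url)
    url = re.sub(r"\s*\[\s*\.\s*\]\s*", ".", url)
    url = re.sub(r"\s*/\s*", "/", url)
    return url.strip()


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Good enough for .com/.org; a production
    check should use the Public Suffix List so that 'example.co.uk' works."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(url: str) -> str:
    """Decide how a link should be treated in an email that claims to be from the brand."""
    host = urlsplit(url).hostname or ""
    domain = registrable_domain(host)
    if domain in BLOCKLIST:
        return "block: known-bad domain"
    if domain in BRAND_DOMAINS:
        return "ok: link goes to the brand's own domain"
    # Neither on the blocklist nor the brand's domain: a compromised but
    # otherwise legitimate site lands here, which a blocklist alone would miss.
    return f"suspicious: claims Netflix but links to {domain}"


def triage(indicators: list[str]) -> dict[str, str]:
    """Refang and classify each indicator, returning {clean_url: verdict}."""
    return {refang(ioc): classify(refang(ioc)) for ioc in indicators}


if __name__ == "__main__":
    samples = [
        "https [:] // wyominghealthfairs [.] Com / cpresources / d3835d8b / 1 /",  # from the article
        "hxxps [:] // axxisgeo [.] com /",                                        # article domain, no path given
        "https://www.netflix.com/YourAccount",                                    # constructed legitimate link
        "https://netflix.com.netflix-billing-update.example/verify",              # constructed lookalike subdomain
    ]
    for url, verdict in triage(samples).items():
        print(f"{verdict:55} {url}")
```

The point of the last sample is that a lookalike subdomain still resolves to the attacker’s registrable domain, which a blocklist can catch; the two compromised sites from the article are only caught by the brand-mismatch rule, because nothing about them is known-bad.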
A fake but visually similar website
The fake site imitating the Netflix home screen closely resembles the Netflix login page. On closer inspection, however, the primary domain is not ‘Netflix [.] Com’, and every link on the page (‘Need help?’, ‘Sign in with Facebook’, ‘Sign up now’) merely reloads the same page. The attackers are counting on “people falling prey to the superficial similarity of the phishing site to the Netflix website.”
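The “every link reloads the same page” tell can be checked mechanically. The Python below is an added example (not Armorblox’s or Netflix’s code): it collects the anchors of a fetched page and counts how many either do nothing (‘#’, empty, javascript:void) or resolve back to the page’s own URL. The two HTML snippets and their URLs are constructed to mirror the behaviour described above.

```python
"""Flag a login page whose navigation links all lead back to itself.

Added example, not Armorblox's or Netflix's code. The two HTML documents and
their URLs are constructed to mirror the behaviour the article describes.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urlunsplit

# href values that do nothing or merely jump within the current page.
DEAD_HREFS = {"", "#", "javascript:void(0)", "javascript:;"}


class LinkCollector(HTMLParser):
    """Collect the href of every <a> tag in a document."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href":
                    self.hrefs.append(value or "")


def _normalize(url: str) -> str:
    """Canonical form for comparing URLs: lower-case scheme and host,
    no trailing slash, no fragment."""
    p = urlsplit(url)
    path = p.path.rstrip("/") or "/"
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), path, p.query, ""))


def self_reloading_links(html: str, page_url: str) -> tuple[int, int]:
    """Return (links that reload the page or do nothing, total links)."""
    collector = LinkCollector()
    collector.feed(html)
    page = _normalize(page_url)
    dead = 0
    for href in collector.hrefs:
        h = href.strip()
        if h.lower() in DEAD_HREFS or h.startswith("#"):
            dead += 1
        elif _normalize(urljoin(page_url, h)) == page:
            dead += 1
    return dead, len(collector.hrefs)


def looks_like_phishing_shell(html: str, page_url: str, min_links: int = 3) -> bool:
    """Heuristic: a login page with several visible links, none of which leads
    anywhere else, is a facade rather than a real site."""
    dead, total = self_reloading_links(html, page_url)
    return total >= min_links and dead == total


# Constructed facade: the visible links are decoration, only the form is live.
PHISH_URL = "https://phish.example/login/"
PHISH_HTML = """<html><body>
<form method="post" action="/login/"><input name="email"><input name="password"></form>
<a href="#">Need help?</a>
<a href="javascript:void(0)">Sign in with Facebook</a>
<a href="/login/">Sign up now</a>
</body></html>"""

# Constructed legitimate page: the same labels, but each link goes somewhere.
LEGIT_URL = "https://www.brand.example/login/"
LEGIT_HTML = """<html><body>
<a href="/help">Need help?</a>
<a href="https://www.facebook.com/login">Sign in with Facebook</a>
<a href="/signup">Sign up now</a>
</body></html>"""

if __name__ == "__main__":
    for name, html, url in (("facade", PHISH_HTML, PHISH_URL), ("legit", LEGIT_HTML, LEGIT_URL)):
        dead, total = self_reloading_links(html, url)
        print(f"{name}: {dead}/{total} dead links -> phishing shell? {looks_like_phishing_shell(html, url)}")
```

A real page usually has at least a few links that leave the login screen, so the check is a cheap signal to combine with the domain comparison rather than a verdict on its own.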
The deception continues on the following pages, which ask the victim to update billing and credit card information respectively, and which closely resemble the corresponding screens on the real Netflix website. It is this veneer of legitimacy that lets the attackers collect billing addresses and credit card details from victims on top of their Netflix account credentials.
Once all the steps are complete, the scam ends with a “success” message and an automatic redirect to the real Netflix website. The redirect may leave victims slightly puzzled and prompt them to log in to Netflix again (this time for real), never realizing that they have just been scammed.