Threat actors impersonate Disney+ with considerable guile


It’s not only financial institutions and social media sites that see their brands impersonated. In a recent multi-stage attack, threat actors posed as the popular streaming service Disney+.

Abnormal Security, a San Francisco-based email security platform, said the attack on Disney+ was special because of the level of personalization and attention to detail by its perpetrators.

This made it difficult to identify the malicious emails as such. Based on Abnormal Security’s initial research done in September, the threat actor targeted 44 individuals across 22 different organizations with its impersonation attack.

The scheme was multi-stage. First, the targeted individual or organization received a seemingly auto-generated notification email informing them of a pending charge for their new Disney+ subscription.

The email said that the recipient would be automatically billed on the same day and explained that if the payment was authorized, no further steps would be required. However, if the recipient did not approve this transaction they could contact the support team.

[Image: the seemingly auto-generated notification email informing the recipient of a pending charge for their new Disney+ subscription. Courtesy of Abnormal Security.]

Attached to each email was a PDF whose filename matched the name of the recipient. This personalization tactic is not often seen, given the manual effort needed to do this for each email, Abnormal Security said in its blog post.

The content of the attachment was also personalized and contained details about the forthcoming charge, including the customer’s name, an invoice number, and the total amount to be paid of $49.99.

To a cautious recipient, this alone should have seemed bizarre because the charge is far more than a basic Disney+ subscription of $7.99 a month or even the premium subscription, which runs $13.99 per month.

The “customer support service” phone number was also inserted in the PDF. Should the recipient of the email have called the number, one of two things was likely to happen.

First, they would have been asked to provide sensitive personal information such as banking details or login credentials – obviously useful for attackers, who could then go on to compromise accounts.

“The other possibility was they would be given instructions for downloading software they were told was necessary to assist with stopping the charge but would actually infect their computer with malware,” Abnormal Security explained.

According to the cybersecurity company, this series of attacks was remarkable because of the level of sophistication and personalization the threat actors used.

For example, the attacker used a sender email of [email protected][.]com, which not only appears legitimate on its own but also mirrors the actual Disney+ email address, [email protected][.]com.

In addition, Disney+ branding and colors were incorporated. Finally, the emails were free of misspelled words, there were no actual phishing links, and the PDF contained no extra code or malware.

While the language used in each email was similar and conveyed the same message, it wasn’t identical. This could be because the attacker was conducting a test to see which variation was the most effective, Abnormal Security said.
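The indicators described above (a brand name in a sender address on a domain the brand does not use, an attachment named after the recipient, a billing lure that offers a phone number rather than a link) can be turned into a triage heuristic for mail that carries no URLs and no malware and so slips past link- and attachment-based filters. The following Python is an added example, not code from Abnormal Security or from the article; the allow-listed domain `disneyplus.example`, the sample messages and the scoring thresholds are all constructed placeholders, since the article obfuscates the real addresses.

```python
"""Heuristic scoring of callback-phishing indicators described in the article."""
import re
from dataclasses import dataclass, field
from typing import List

# Assumption: placeholder allow-list of domains the brand legitimately sends from.
# The article obfuscates the real address, so this is NOT Disney+'s domain.
TRUSTED_DOMAINS = {"disneyplus.example"}
BRAND_KEYWORDS = ("disney",)

# Loose North American phone pattern; good enough for a triage heuristic.
PHONE_RE = re.compile(r"\(?\b\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b")
BILLING_RE = re.compile(r"\b(charge|billed|invoice|payment|subscription)\b", re.IGNORECASE)


@dataclass
class Message:
    sender: str
    recipient_name: str
    body: str
    attachment_names: List[str] = field(default_factory=list)
    attachment_text: str = ""          # text extracted from attachments
    urls: List[str] = field(default_factory=list)


def _normalise(name: str) -> str:
    """Lower-case and drop separators so 'Jane_Doe.pdf' matches 'Jane Doe'."""
    stem = name.rsplit(".", 1)[0] if "." in name else name
    return re.sub(r"[\s_.\-]", "", stem.lower())


def indicators(msg: Message) -> List[str]:
    """Return the list of indicator names that fire for this message."""
    hits = []
    sender = msg.sender.lower()
    domain = sender.rpartition("@")[2]
    # Brand name in the sender address, but the domain is not one the brand uses.
    if any(k in sender for k in BRAND_KEYWORDS) and domain not in TRUSTED_DOMAINS:
        hits.append("brand_sender_untrusted_domain")
    # Attachment whose filename is exactly the recipient's name.
    target = _normalise(msg.recipient_name)
    if target and any(_normalise(a) == target for a in msg.attachment_names):
        hits.append("attachment_named_after_recipient")
    text = f"{msg.body}\n{msg.attachment_text}"
    # Callback lure: a phone number is offered, but there is nothing to click.
    if PHONE_RE.search(text) and not msg.urls:
        hits.append("phone_callback_no_links")
    if BILLING_RE.search(text):
        hits.append("billing_lure")
    return hits


def verdict(msg: Message) -> str:
    """Map indicator count to an action; thresholds are an assumption."""
    hits = indicators(msg)
    if "brand_sender_untrusted_domain" in hits and len(hits) >= 3:
        return "quarantine"
    if len(hits) >= 2:
        return "review"
    return "allow"


# Constructed sample modelled on the article's description (not a real email).
SUSPECT = Message(
    sender="noreply@disneyplus-billing.example",
    recipient_name="Jane Doe",
    body="Your Disney+ subscription will be billed today. "
         "If you did not approve this charge, call support.",
    attachment_names=["Jane_Doe.pdf"],
    attachment_text="Invoice 000123. Total: $49.99. Customer support: (555) 010-2000",
)

# Constructed benign sample: internal note with a link, no brand, no phone number.
BENIGN = Message(
    sender="alice@corp.example",
    recipient_name="Jane Doe",
    body="Agenda for tomorrow's meeting is on the wiki.",
    urls=["https://wiki.corp.example/agenda"],
)

if __name__ == "__main__":
    for m in (SUSPECT, BENIGN):
        print(m.sender, indicators(m), verdict(m))
```

The point of the `phone_callback_no_links` indicator is that a message with a billing lure and a phone number but no URL is itself anomalous for a real subscription notice; in production the brand allow-list would come from the organization's verified-sender data rather than a hard-coded set.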

Brand impersonation has, of course, long been a favorite tactic of cybercriminals who exploit the familiarity and reputation of well-known brands to deceive targets into providing sensitive information.

In 2022, Abnormal Security discovered 265 different brands impersonated by threat actors in credential phishing attacks over only six months.
