Bad actors star in Netflix phishing scam

With 220 million paid subscribers, the popular streaming service was always going to be a juicy target for scammers – and that’s just what a threat group identified by one cyber-watchdog has been seeing it as.

“What better place for a phish to hide than in a stream? A streaming service, that is,” said INKY, announcing its latest findings. Accessible in more than 190 countries and 30 languages, Netflix is fertile grounds for real-life villains looking to score with a social engineering campaign.

“Over the past few years, Netflix customers have been warned about numerous phishing threats, most of which share a common theme – credential harvesting,” said INKY. “Scammers send phishing emails trying to convince Netflix users that their account is somehow in jeopardy, and rectifying the situation calls for them to update their credit card details and other personally identifiable Information (PII).”

The latest instance uncovered by INKY in August entailed just such a plot, with an extra twist: in this case, PII data harvesting was augmented by the use of zipped files to compress malicious HTML attachments.

“The malicious site is hosted on a victim’s local machine instead of the internet,” said INKY. “Standard URL reputation checks are avoided, and phishing content can’t be detected since it’s not on the internet. Using zip files is another advantage because it’s not in an executable format that can be seen.”

Stick with me kid, I’ll make you poor…

This cunning approach reflects the continuing evolution of social engineering ploys, from the straight-to-video bargain basement cons of yesteryear to today’s A-list superstar scammers.

“There was a time when brand fraud attempts were easier to catch because they contained many telltale signs of phishing,” said INKY. “Multiple typos, strange word choices, suspicious URLs, and odd-looking logos provided insight to the recipients of these malicious emails. But times have changed. Cybercrime gets more sophisticated every year, with no signs of stopping. Today, many telltale signs of a brand impersonation are so cleverly hidden that even the most discerning eye can’t recognize them.”

In the thrilling latest installment of INKY’s Fresh Phish research project, the bad guys turned in another bravura performance, spoofing sender email addresses to make it look like the phishing messages came from Netflix.

An international production, the scam roped in unwitting collaborators from all around the world, including an “abused mail server” from a university in Peru, an internet protocol address belonging to a private firm in Germany, and another hijacked machine affiliated with a construction company in Pakistan.

Screenshot of credential scamming email message
Screenshot taken by INKY of a typical scam email used by conmen to trick Netflix users into parting with their data.

And the loser is…

Victims were presented with a legitimate-seeming prompt to enter their name, address, and bank details – the vital data was then sent for harvesting to a third-party site controlled by the crooks behind this high-value-production con.

The script used by the conmen might not be winning a Golden Globe award any time soon, but it was solid and convincing nonetheless.

“Netflix was unable to collect a payment because the method of payment is no longer valid or has expired,” it read. “To resolve the issue, update your payment method.”

And just as it doesn’t always take fine prose to win over an audience and boost one’s ratings, it would appear the dodgy producers behind this latest scam were enjoying quite a bit of success with their own brand of doggerel until INKY stepped in.

“Be cautious of zip file attachments since these can’t be previewed,” it said. “Use another form of communication to contact the sender and confirm the safety of the attachment.”

INKY also urges those who want to avoid being starstruck by cybercriminals to always visit a company’s website directly via their own browser and search engine rather than clicking on email attachments and links.

More from Cybernews:

The Ethereum Big Merge: panacea for climate change or goldmine for scammers?

$30m Lazarus Group stole from Axie Infinity recovered

Here’s what Uber and GTA hacks have in common

American Airlines revealed sensitive user information

Tech offers glimpse into dog's mind

Subscribe to our newsletter

Leave a Reply

Your email address will not be published. Required fields are markedmarked