Hackers target business emails with Netflix scam
Hackers target business emails with Netflix scam

A new phishing scan has been targeting the business and personal emails of Netflix users in order to gains credit card details.

According to security researchers at PhishMe, the phishing campaign deceives victims into revealing their credit card data, which can then be used by the criminals to steal money. The stolen information can then be used by scammers to access other accounts.

In a blog post, Chase Sims, senior threat analyst and Phishing Defense team lead at PhsihMe, said if the threat actor can find examples of password reuse, phishing a consumer service like Netflix might lead to illicit access to an enterprise email account and associated services.

Sims said that his company has tracked Netflix phishers before. “This most recent one seems to be trying his hand at collecting several types of personal credentials,” he said.

The email address associated with the scammer has been recorded in five different phishing toolkits since June, targeting customers of Chase Bank, Comcast, Netflix, TD Bank and Wells Fargo.

"The Netflix phish works to trick those busy people into giving up login information," he said. "The attacker hopes that you reuse the same password for your personal email account or, if the attacker is very lucky, for your work email account. In either case, they can now reset passwords for various other online services — banking, healthcare, social media — to pivot and carry their attack forward."

Sims said that one reason this tactic could succeed is that a lot of companies might not enforce two-factor authentication for their single-sign-on services, which means reused credentials might be a skeleton key for multiple corporate services.

“With Netflix widely popular across the globe and password re-use rampant across multiple online services, the public must turn a very skeptical eye toward all email communication,” he added.

Rohyt Belani, CEO, Phishme, told SC Media UK that is imperative for enterprises of all sizes to instil a culture of collaboration where every employee is adequately conditioned to recognise and report attacks in order to quickly respond and neutralise the threat.

“A successful phishing defence strategy should rely on making sure every employee is enabled to naturally recognise the various indicators of phishing attacks, which are responsible for over 90 percent of data breaches, and report them before they have a chance to cause any serious damage,” he said.

Andrew Clarke, EMEA director at One Identity, said that by choosing a popular app such as Netflix, this phishing campaign is aiming to collect as much personal information about the recipient as possible – by requesting login credentials for the Netflix account – the aim would be to reuse the credentials to see if it was possible to unlock access to any other accounts the user may have.  

“Password re-use is a mistake many people make – and by giving up one account detail, the user has fallen into the trap. Best practice is to have a separate password for each type of account access and use a secure password vault to store those passwords to retrieve when required,” he said.

“Businesses are learning that they can defeat the password re-use challenges by implementing 2-factor authentication.  In this case a challenge-response mechanism reassures that the person accessing an account is the person who it is intended to be."

Adam Brown, manager – security solutions, at Synopsys, told SC Media UK that as usual, protection is to always check the sender and to check the address the link is sending you to.

“Better still - don't click the link and type the address you would usually go to. For example, the link to Netflix must always end in netflix.com and have nothing in the host part after. Beware of spoof addresses that look like they are real. For example, www.netflíx.com (note the ‘i' is actually a Latin letter ‘í') or even www.netfljx.com (j not i). Or, more commonly, something like www.netflix.com.abc.ru (abc.ru being the hackers' domain). Double check especially if the site is asking for sensitive information.”