Scams targeting users of popular services such as Netflix are hardly rare, but they are usually easily spotted by email security controls.
That’s why a new Netflix threat detailed by cloud security provider Armorblox is particularly concerning.
Not only does the phishing email claiming to be from Netflix Support bypass email filters, the attack is also convincing enough to persuade some savvy users to part with their credit card details.
Crucial to the scam’s credibility is a link taking the user to a functioning CAPTCHA page with Netflix branding, Armorblox described in a blog. Once a victim has correctly filled in the CAPTCHA information, they are led to a Netflix lookalike site which aims to steal login credentials, billing address information and credit card details.
The new Netflix attack was first spotted a few weeks ago, when Armorblox said emails from Netflix Support started to hit inboxes. The scam—which arrives in an email titled “Notice of Verification Failure”—details an issue with billing, asking users to verify their personal information within 24 hours to prevent their account being cancelled.
Even once attackers have stolen your details, you won’t be aware of anything. “Once the phishing flow was complete, targets were redirected to the real Netflix home page, none the wiser about being compromised,” Armorblox said.
How the Netflix scam bypassed controls
The Netflix email was able to evade security controls because it was different to most attacks utilizing phishing . The functioning CAPTCHA page “makes the entire communication seem more legitimate,” says Armorblox.
Meanwhile, the pages used to orchestrate the attack were also hosted on legitimate domains. The main Netflix lookalike site is hosted on the ‘axxisgeo[.]com’ domain, which belongs to an oil and gas company based in Texas. This domain is also unrelated to Netflix and the attack.
But several things give the Netflix scam away. Firstly, although the phishing site looks legit, if you click on any of the links such as “need help” or “Sign up now”, the page just reloads again. Another obvious giveaway is of course the URL. Instead of Netflix.com, you’ll see axxisgeo.com.
The Netflix email was able to evade security controls because it was different to most attacks utilising phishing . The functioning CAPTCHA page “makes the entire communication seem more legitimate,” says Armorblox.
Meanwhile, the pages used to orchestrate the attack were also hosted on legitimate domains. The main Netflix lookalike site is hosted on the ‘axxisgeo[.]com’ domain, which belongs to an oil and gas company based in Texas. This domain is also unrelated to Netflix and the attack.
The Netflix scam is a clever attack, and it shows how cyber-criminals are evolving to evade security controls, with convincing tactics to trick users. So it’s important to remain alert: Always be suspicious of any email or text asking you to update personal or credit card details.
Check for spelling errors, hover over links, check URLs and if you are still confused, go to the site and log on separately of the email. That way you can be sure attackers aren’t trying to steal your details.
Forbes CyberSecurity
Learn more about GuardedID, which will encrypt every keystroke you enter, preventing your vital information from being stolen by Attackers. Whether the site is Fraudulent or legitimate, GuardedID will NOT let your Financial or Personal information get into the wrong hands.