Netflix phishing attack targets users with ‘legitimate’ links

An effective phishing campaign that targets Netflix users has been uncovered by Armorblox researchers. In a blog post, Chetan Anand (co-founder and architect at Armorblox) describes the Netflix phishing attacks as multi-pronged. The attack begins with emails that claim to be from Netflix support.

These emails warn users that they must respond within 24 hours or their account will be deleted. The reason given is a failure to receive payment for services rendered. Ordinarily, these sorts of emails are stopped by anti-phishing filters. However, Armorblox found that the links in the email appear legitimate. This confuses anti-phishing filters like Office 365 Exchange Protection.

The links in question redirect to a legitimate domain (including wyominghealthfairs[.]com) that contains a functioning CAPTCHA. Once the CAPTCHA is completed, users are redirected again to a very convincing copy of a Netflix page that is also hosted on a legitimate domain (axxisgeo[.]com). All of this makes the Netflix phishing attack dangerously effective.

Now, it goes without saying that any aware user would notice the URL bar not saying it belongs to Netflix. Unfortunately, many individuals are not as knowledgeable as they should be, especially if they were already fooled by the initial email and CAPTCHA link.

On the spoofed Netflix page, according to Armorblox’s post, the following occurs if users have been hooked by the phishing scheme:

Once targets fill in their login details, the phishing flow continues with screens asking targets to update their billing information and credit card information respectively. These next few screens look a lot like something you’d see on legitimate streaming websites; this superficial legitimacy enables attackers to harvest their targets’ billing addresses and credit card information in addition to their Netflix account details... Once the targets have filled in all their information, the phishing flow ends with a message of “success” and an automatic redirection to the real Netflix homepage.

The only lesson that can be learned from this Netflix phishing campaign is always to be aware of fraudulent emails. Do not assume your spam filter will take care of every phishing email. Double-check the address of every domain you are linked to, and of course, do not be quick to volunteer your personal data to any website.
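The mismatch this campaign relies on, a sender that claims to be Netflix while its links point at unrelated but otherwise legitimate domains, can be checked mechanically instead of by domain reputation. The Python below is an added example, not code from Armorblox or from this article; the allowlist, the function names and the sample message with its `.example` domains are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: domains the claimed brand really uses in its own emails.
BRAND_DOMAINS = {"netflix": {"netflix.com"}}

class LinkCollector(HTMLParser):
    """Collect href values from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        self.hrefs += [v for k, v in attrs if tag == "a" and k == "href" and v]

def host_in(host, allowed):
    """True if host equals an allowed domain or is a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)

def brand_link_mismatches(raw_email):
    """Return link hosts that do not belong to the brand named in From."""
    msg = message_from_string(raw_email)
    display, _ = parseaddr(msg.get("From", ""))
    claimed = [b for b in BRAND_DOMAINS if b in display.lower()]
    if not claimed:
        return []  # no known brand claimed, nothing to compare against
    allowed = set().union(*(BRAND_DOMAINS[b] for b in claimed))
    parser = LinkCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            raw = part.get_payload(decode=True) or b""
            parser.feed(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    hosts = [urlsplit(h).hostname for h in parser.hrefs]
    return sorted({h for h in hosts if h and not host_in(h, allowed)})

# Constructed sample message; sender and link domains are placeholders.
SAMPLE = """From: Netflix Support <billing@mail-notify.example>
Subject: Payment failed
Content-Type: text/html; charset=utf-8

<p>We could not process your payment. Respond within 24 hours.</p>
<a href="https://health-fair.example/redirect?id=1">Update payment</a>
<a href="https://help.netflix.com/">Help Center</a>
"""
if __name__ == "__main__":
    print(brand_link_mismatches(SAMPLE))
```

The check sees only the first hop in the email body; the later redirect to the cloned page happens after the CAPTCHA and is not visible at this stage.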


Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and a tech journalist who is committed to creating an informed society with regard to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.
