Netflix phishing attack targets users with ‘legitimate’ links

An effective phishing campaign that targets Netflix users has been uncovered by Armorblox researchers. In a blog post, Chetan Anand (co-founder and architect at Armorblox) describes the Netflix phishing attack as multi-pronged. The attack begins with emails that claim to be from Netflix support.

These emails warn users that unless they respond within 24 hours, their account will be deleted. The stated reason is a failure to receive payment for services rendered. Ordinarily, these sorts of emails are stopped by anti-phishing filters. However, Armorblox found that the links in the email appear legitimate, which confuses anti-phishing filters like Office 365 Exchange Protection.

The links in question redirect to a legitimate domain (wyominghealthfairs[.]com among them) that serves a functioning CAPTCHA. Once the CAPTCHA is completed, users are redirected again to a very convincing copy of a Netflix page, also hosted on a legitimate domain (axxisgeo[.]com). All of this makes the Netflix phishing attack dangerously effective.
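The evasion described above rests on the fact that no hop in the link chain is a Netflix domain, even though every host involved is "legitimate" in the sense of having a clean reputation. A filter that only scores the reputation of the first link misses this; a check that walks the chain and compares the landing host against the brand the email claims to be from does not. The following Python script is an added example, not code from the article or from Armorblox: it extracts links from an email body, follows each redirect chain, and flags any link whose final domain is not on the brand's allowlist. Network lookups are replaced by a constructed in-memory redirect table, and the email body, allowlist and URLs are constructed (the hostnames are the defanged ones the article names).

```python
"""
Defender-side link check for brand-impersonation emails.

Added example, not from the article. Live HTTP is replaced by a constructed
redirect table so the script runs offline; a real implementation would issue
requests with automatic redirects disabled and read each Location header.
"""
import re
from urllib.parse import urlparse

# Constructed allowlist: domains a genuine email from this brand may land on.
BRAND_DOMAINS = {"netflix": {"netflix.com"}}

# Constructed stand-in for live redirect responses. A value of None means the
# URL is a final page. Note that the CAPTCHA page in the article is a final page
# for an automated crawler (it cannot solve the CAPTCHA), which is fine: the
# check below flags the chain because the host it stops on is already off-brand.
REDIRECTS = {
    "https://wyominghealthfairs.com/verify?id=123": "https://axxisgeo.com/netflix/login",
    "https://axxisgeo.com/netflix/login": None,
    "https://www.netflix.com/account": None,
}

# Constructed sample email modelled on the lure the article describes.
SAMPLE_EMAIL = """Subject: Netflix support: payment failed
Your payment could not be processed. Update your billing details within 24 hours
or your account will be deleted: https://wyominghealthfairs.com/verify?id=123
Manage your account: https://www.netflix.com/account
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_links(text: str) -> list[str]:
    """Return http(s) URLs found in an email body, trailing punctuation stripped."""
    return [u.rstrip(".,;:)") for u in URL_RE.findall(text)]


def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels). Adequate for .com hosts in this example;
    production code should consult a public-suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def resolve_chain(url: str, lookup=REDIRECTS, max_hops: int = 10) -> list[str]:
    """Follow redirects from `url`, stopping at a final page, a loop, or max_hops."""
    chain, seen = [url], {url}
    for _ in range(max_hops):
        nxt = lookup.get(chain[-1])
        if nxt is None or nxt in seen:  # final page, unknown URL, or redirect loop
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


def classify_link(url: str, brand: str, lookup=REDIRECTS) -> dict:
    """Walk the chain and compare every hop, especially the last, to the brand allowlist."""
    allowed = BRAND_DOMAINS.get(brand, set())
    chain = resolve_chain(url, lookup)
    domains = [registrable_domain(urlparse(u).hostname or "") for u in chain]
    offbrand = [d for d in domains if d not in allowed]
    return {
        "url": url,
        "chain": chain,
        "hops": len(chain) - 1,
        "final_domain": domains[-1],
        "offbrand_hops": offbrand,
        # A genuine brand email lands on a brand domain; anything else is suspect.
        "verdict": "ok" if domains[-1] in allowed else "suspicious",
    }


def scan_email(text: str, brand: str, lookup=REDIRECTS) -> list[dict]:
    """Classify every link in an email body against the brand it claims to be from."""
    return [classify_link(u, brand, lookup) for u in extract_links(text)]


if __name__ == "__main__":
    for result in scan_email(SAMPLE_EMAIL, "netflix"):
        print(result["verdict"].upper(), result["url"], "->", " -> ".join(result["chain"][1:]) or "(final)")
```

Running the script reports the first link as suspicious (it lands on axxisgeo.com after one hop) and the second as ok. The loop guard matters in practice: redirect chains that bounce between two hosts are a common way to stall an automated analyser, and the verdict should still be reached from the hosts seen so far.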

Now, it goes without saying that any alert user would notice that the URL bar does not show a Netflix domain. Unfortunately, many individuals are not as knowledgeable as they should be, especially once they have already been fooled by the initial email and the CAPTCHA link.

On the spoofed Netflix page, according to Armorblox’s post, the following occurs if users have been hooked by the phishing scheme:

Once targets fill in their login details, the phishing flow continues with screens asking targets to update their billing information and credit card information respectively. These next few screens look a lot like something you’d see on legitimate streaming websites; this superficial legitimacy enables attackers to harvest their targets’ billing addresses and credit card information in addition to their Netflix account details… Once the targets have filled in all their information, the phishing flow ends with a message of “success” and an automatic redirection to the real Netflix homepage.

The only lesson that can be learned from this Netflix phishing campaign is always to be aware of fraudulent emails. Do not assume your spam filter will take care of every phishing email. Double-check every address to every domain you are linked to, and of course, do not be quick to volunteer your personal data to any website.

Featured image: TechGenix photo-illustration

1 thought on “Netflix phishing attack targets users with ‘legitimate’ links”

  1. Don’t click on links in emails! Always enter the website’s URL yourself in the browser address box and then log in only if the padlock near the address box looks OK (locked and not crossed).
    Keep a record of all your online services, bills and invoices. Then you will know when any payments are due.
