A recent phishing attack aims to steal the login credentials, billing information, and credit card details of Netflix users.
In this campaign, the threat actors tried to steal Netflix credentials; the attack starts by redirecting the victim to a functioning CAPTCHA page to evade email security controls.
The threat actors behind these attempts used a “failed payment” theme to lure potential victims into the redirect chain leading to the phishing page.
These attacks have become very common due to the mutating virus, and threat actors are randomly targeting different platforms with this kind of phishing attack.
In the case of Netflix, Armorblox detected this phishing attack a few weeks ago, when some Netflix subscribers received emails in their inboxes in which the attackers claimed to be from Netflix Support.
The customers said they became suspicious when they ran into difficulties during the billing procedure. They were also pressured to provide personal data, with the message saying that if they did not update their details, their account would be canceled or suspended within 24 hours.
The Attack Was Successful
Several factors made this attack successful; the key details of each are listed below:
- Running CAPTCHA redirect to increase legitimacy: The threat actors used a CAPTCHA redirect to carry out these attacks. A CAPTCHA makes the whole process look more legitimate, which makes the subscriber believe it. The CAPTCHA also makes things harder for security technologies that rely on following URL redirects to reach the final destination.
- Fake sites hosted on legitimate domains: All the Netflix lookalike sites used by the attackers are hosted on legitimate domains to deceive users. The attack was supported by the URL of the CAPTCHA page, ‘https[:]//wyominghealthfairs[.]com/cpresources/d3835d8b/1/’, which immediately leads users to an error page.
- Lookalike website with complete phishing flow: After being led to the main page of the cloned Netflix site, victims were asked to fill in all their login credentials as well as their credit card details. After entering them, they got a success message and were then sent on to the real Netflix homepage.
- Sophisticated social engineering: The email sent by the threat actors carries the title ‘Notice of Verification Failure,’ although Netflix doesn’t send this kind of message by email. Still, it is convincing enough for readers to believe that it comes from Netflix support.
How Experts Detected The Attack
The security experts detected the attack by analyzing its nature based on the following signals:
- Language, intent, tone
- Low communication history
- Low domain frequency
The emails were automatically deleted based on predetermined remediation activities for the credential phishing exposure category. After this event, Netflix has become more cautious about this sort of attack and has advised all its users to stay aware and alert.
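The three signals listed above can be combined into a simple scoring check that drives an automatic remediation decision. This is an added example, not Armorblox's detection logic; the keyword list, thresholds, history tables, function names and sample messages are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed mailbox statistics (hypothetical): prior messages per sender and per domain.
SENDER_HISTORY = {"billing@partner.example": 42}
DOMAIN_FREQUENCY = {"partner.example": 310}

# Assumed keyword list for the "failed payment" / 24-hour-deadline tone described above.
URGENCY = re.compile(
    r"verification failure|failed payment|suspended|cancell?ed|within 24 hours"
    r"|update your (?:billing|payment)", re.I)

def score_email(raw, brand="netflix", brand_domains=("netflix.com",)):
    """Return the list of signals that fired for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1]
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    signals = []
    # Language, intent, tone: urgent billing wording, or a brand name in the
    # display name while the sending domain is not one of the brand's own.
    if URGENCY.search(text):
        signals.append("urgent-billing-language")
    owned = any(domain == d or domain.endswith("." + d) for d in brand_domains)
    if brand in display.lower() and not owned:
        signals.append("brand-impersonation")
    # Low communication history: this exact sender has rarely written before.
    if SENDER_HISTORY.get(addr, 0) < 3:
        signals.append("low-communication-history")
    # Low domain frequency: the sending domain is rare across the mailbox.
    if DOMAIN_FREQUENCY.get(domain, 0) < 10:
        signals.append("low-domain-frequency")
    return signals

def verdict(signals, threshold=3):
    """Assumed policy: remediate when at least `threshold` signals fire."""
    return "remediate" if len(signals) >= threshold else "deliver"

# Constructed sample messages (not taken from the real campaign).
PHISH = ("From: Netflix Support <support@mailer-update.example>\n"
         "Subject: Notice of Verification Failure\n\n"
         "Your payment failed. Update your billing details within 24 hours "
         "or your account will be suspended.\n")
BENIGN = ("From: Partner Billing <billing@partner.example>\n"
          "Subject: Invoice for March\n\nYour invoice is attached.\n")

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("benign", BENIGN)):
        print(name, verdict(score_email(raw)), score_email(raw))
```

Requiring several signals together keeps a single weak indicator, such as a first-time sender, from triggering remediation on its own.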