Malwarebytes researcher Jerome Segura uncovered the scam when he came across what he thought was a typical phish targeting Netflix users, warning that there was an issue with the account.
“Of course it stole my credentials,” Segura said in an analysis. “But it also displayed a message saying my account had been suspended.”
Upon being urged to call “Netflix” at an 800-number, he did so, and talked to a rogue support representative, who asked him to download “NetFlix support software,” which is actually the popular remote login program TeamViewer.
But it gets even more elaborate. “After remotely connecting to my PC, the scammer told me that my Netflix account had been suspended because of illegal activity,” Segura said. “This was supposedly due to hackers who had infiltrated my computer, as he went on to show me the scan results from their own ‘Foreign IP Tracer,’ a fraudulent custom-made Windows batch script. According to him, there was only one thing to do: To let a Microsoft Certified Technician fix my computer.”
From there, Segura was given an invoice and a bogus $50 Netflix coupon, and transferred to said technician, who asked for a picture ID and a photo of a credit card. When he said he couldn’t do that, the hackers activated his webcam so that he could show these cards to them.
Meanwhile, during the conversation, the scammers were going through the personal files on the PC and uploading those that looked interesting, such as “banking 2013.doc.”
“This was a clever plan which not only is about stealing money for bogus services but also about identity theft by gathering personal details from the victim (photo, name, email, address, password, etc.),” Segura said.
As always, users should be diligent about clicking on links within unsolicited tech support emails, and should always be wary about sharing information, downloading unknown software and giving access to third parties.