A new phishing campaign that spoofs Netflix and collects credit card details is targeting both consumers and corporate email users—hoping to capitalize on the thirst for streaming video. The results could be dangerous for businesses and individuals alike.
Uncovered by PhishMe, the gambit begins with a mail purporting to be from the streaming giant, asking for an account update. Once the victim enters their Netflix credentials on a spoofed website, they are redirected to a second screen, which harvests the victim’s credit card details. The final step shows a thank-you message, where clicking the “Get Started” button takes the visitor to the legitimate Netflix.com, meaning that they could remain blissfully unaware that they’ve been phished for quite some time.
PhishMe’s analysis found that the email address associated with the campaign has been involved in the use of five different phishing toolkits since June, targeting customers of Chase Bank, Comcast, Netflix, TD Bank and Wells Fargo. But business users can be at risk as well.
“Everyone has accounts for these consumer services,” said PhishMe analyst Chase Sims, in a blog. “Attackers are not always discriminant in who receives their phishing messages. This might be successful because people use corporate email for consumer stuff all the time. If the threat actor can find examples of password reuse, phishing a consumer service like Netflix might lead to illicit access to an enterprise email account and associated services.”
Typically, people at work try to handle a minor personal inconvenience as quickly as possible, he added, so the Netflix phish works by tricking those busy people into giving up login information. Sims said that beyond the credit-card collection, submitting the login information alone can be an issue thanks to lagging corporate security practices.
“[The attacker] could simply bandit your account to finally watch the first season of Iron Fist. Or they could try to capitalize on the credentials they’ve stolen,” he explained. “After all, the victim is already rushed; they may not have the time to keep track of dozens of passwords. So now the attacker hopes that you reuse the same password for your personal email account or, if the attacker is very lucky, for your work email account. In either case, they can now reset passwords for various other online services—banking, healthcare, social media—to pivot and carry their attack forward.”
One reason this tactic could succeed: Many companies might not enforce two-factor authentication for their single-sign-on services, which means reused credentials might be a skeleton key for multiple things. Andrew Clarke, EMEA director at One Identity, said via email that the gambit could easily be defeated if companies would only implement 2FA.
“By choosing a popular app such as Netflix, this phishing campaign is aiming to collect as much personal information about the recipient as possible,” he said. “Password re-use is a mistake many people make—and by giving up one account detail, the user has fallen into the trap. Businesses are learning that they can defeat the password re-use challenges by implementing two-factor authentication. In this case, a challenge-response mechanism reassures that the person accessing an account is the person who it is intended to be.”