The email hits your inbox with an urgent warning: Your Netflix account has been suspended, due to a problem with your billing information. It offers a link, which takes you to what looks very much like a Netflix landing page. It’s not. Instead, it’s a phishing scam that collects extensive personal data on victims. But as with all of the most pernicious phishes, the problem with the Netflix phish isn’t just its convincing look—it’s that whoever’s behind it has found new ways to bypass spam filters over and over again.
While the Netflix phish has garnered recent headlines, it dates back at least to January, when threat researchers at the security firm FireEye first detected it. It prompts victims to type in their username and password, and then presents a form to update their billing information (things like full name, date of birth, address, and phone number). After that, another form asks them to validate their payment method by entering their credit card info. Some versions of the phish even ask for a Social Security number.
As with many social engineering attacks, its outward simplicity helps ensnare potential victims. Underneath that exterior, though, researchers who have tracked the campaign say that it uses a clever combination of defense measures to make it harder for spam filters, antivirus programs, and phishing scanners to flag.
Richard Hummel, the manager of technical analysis at FireEye, says that he still sees attackers using some of the same subject lines for Netflix phishing emails that they did almost a year ago. “They’re not even varying their tactics all that much,” he says. “What they’re doing is working, it’s successful. Netflix is still one of the common themes that’s used for credential theft. It’s definitely something that’s still ongoing—steady and recurring.”
While the Netflix phish is outwardly straightforward, it does include a lot of clever touches. It replicates a lot the HTML Netflix uses on its actual website, to make the fake pages look as genuine as possible. The login pages even include autofilling backsplashes that promote Netflix original content. The phishing emails also use a template system, to personalize the messages by autofilling each victim’s name at the beginning.
The evasive maneuvers go even deeper. Some versions of the campaign encrypt user-side HTML in the phishing pages, so scanners can’t inspect the code for malicious components. The phishing pages also have a defense in place where they won’t load for IP addresses that trace back to known internet security monitoring groups, like Google, or the anti-phishing initiative PhishTank. All of this makes it easier for phishers to run the Netflix scam again and again, because their infrastructure hasn’t been flagged on security and spam blacklists.
Most importantly, the Netflix phishers use a well-known technique of compromising legitimate web accounts or web servers, and hosting their phishing pages off of those services. By hosting the pages on sites that have been around for a while and weren’t previously malicious, the attackers buy time on URLs that have credibility (known online as a good reputation score) and won’t be flagged by security scanners. Analysts at the email scanning and security group MailGuard found that in this go-around the Netflix phishers have been using compromised WordPress blogs to host their malicious pages.
This type of approach can be used to launch phishing attacks based off of all different brands and services. Aaron Higbee, CTO of the phishing defense firm PhishMe, says the company has tracked the same types of phishing campaign infrastructure to impersonate brands like Chase, Comcast, TD Bank, and Wells Fargo. And he notes that the system can perpetuate itself. Some of the stolen credentials attackers get out of the scam may include reused credentials for accounts and web servers that the phishers can then compromise and use to launch more attacks.
The good news is that users can protect themselves by following the standard advice about phishing. To confirm who really sent an email, click on the downward arrow next to the sender’s name in Gmail. It’ll expand to show the full info. Hover over any links to confirm that they lead to the URLs they claim. Make account changes by navigating, on your own, to a site itself, and log in there instead of going through an email link. Don’t reuse passwords. And view any emails that push you to act right away with suspicion.
“Unfortunately, these scams are common on the internet and target popular brands such as Netflix and other companies with large customer bases to lure users into giving out personal information,” Netflix said in a statement to WIRED.
There’s a lot at stake. Researchers say that the Netflix phishers also likely sell the victim data they collect to dark-web processors looking for bulk data, credit card numbers, and even just active Netflix accounts that they can resell for a few dollars.
“There are a number of motives here,” Higbee says. “And I know I’m going to sound like a broken record, but if your email address password is the same as your entertainment passwords you’re really setting yourself up for disaster. Your email address password needs to be different even if you don’t vary all your passwords. That alone will prevent a lot of damage.”
You might as well commit those tips to memory—especially with an attack like the Netflix phish that’s been around for months, and isn’t slowing down.