News Story

Credit Card News Story

Credit Card

Netflix users the victims of credit card phishing scheme

Published: 12/01/2017 by Comments

Netflix users the victims of credit card phishing scheme

Netflix customers may find themselves in receipt of an unexpectedly high credit card bill if they are not careful – as a new phishing scheme threatens to get hold of their credit card details as well as other personal details.

FireEye, an online security firm tells us that the approach from scammers begins when a Netflix subscriber receives a notification requesting that they make an update to their membership.  This notification incorporates a link to a false login page.  Once users sign in another page appears requesting members to confirm a number of personal

pieces of information – to include name, date of birth and address.  This stage is followed by a request for Social Security number details and payment card information.  After this stage has been completed members will be directed on to the actual Netflix homepage.  In phishing terms these are typical tactics, but it appears there is more to it than what appears on the surface i.e. the ways in which the campaign remains undetectable.  There was a time when all of the phishing pages were available on legal web servers (even though somewhat compromised).  These pages do not tend to show, users from some IP addresses, whether they DNS resolved to companies like PhishTank or Google.
There is one more clever way that the phishing campaign steers clear of detection.

This is explained by Mohammed Mohsin Dalla of FireEye in a recent blog post:
“One technique is the use of AES encryption to encode the content presented at the client’s side…. The purpose of using this technique is code obfuscation, which helps to evade text-based detection. By obfuscating the webpage, attackers try to deceive text-based classifiers and prevent them from inspecting webpage content. This technique employs two files, a PHP and a JavaScript file that have functions to encrypt and decrypt input strings. The PHP file is used to encrypt the webpages at the server side…. At the client side, the encrypted content is decoded using a defined function in the JavaScript file….”

Every bit of information stolen from a user is sent to the attackers via the PHP mail utility, which means the bad actors’ can host the phishing pages on multiple websites and receive stolen credentials from a single email account.

All pieces of stolen information from one user are directed to attackers by the PHP mail utility.  This results in the bad actors being able to host the phishing pages over numerous website locations and stolen information from a unitary email account.

Netflix, which initiated a reset process for passwords in June 2016, after a period of major breaches, asks users to learn ways to keep themselves safe online by going to  This page will act as a reminder for users that Netflix do not ask for personal information via email.  Users are also reminded that it is unwise to click on links or email attachments that appear suspicious.

As of the creation of this article the phishing pages in question are no longer accessible. 

Colette Lamb
News article by:
Colette Lamb

A business sector writer with over 15 years of experience working in the marketing, commerce and law sectors' internationally and in the UK. Interests include composing music and other creative communications such as art and dance therapy.

Similar news stories...