Leveraging Netflix for Credential Harvesting.


INKY discovered a threat actor targeting Netflix customers as part of a credential harvesting campaign.

INK blog this morning about a phishing scheme impersonating Netflix. Researchers report that between August 21 and 27 of this year, Netflix customers were the target of a Personally Identifiable Information (PII) data collection campaign. The campaign used a malicious HTML attachment compressed in a zip file.

Social engineers show more linguistic knowledge.

The campaign is notable for showing criminal social engineering being carried out with greater refinement, without some of the clunky diction and non-standard language that once made it easy to spot. As INKY says, “There was a time when brand fraud attempts were easier to detect because they contained many telltale signs of phishing. Multiple typos, strange word choices, suspicious URLs, and strange logos. provided information to the recipients of these malicious emails. But times have changed. Cybercrime is getting more sophisticated every year, with no signs of stopping. Today, there are many telltale signs of identity theft from brand are so cleverly hidden that even the most discerning eye can’t recognize them. That’s certainly the case with the latest Fresh Phish to swim in INKY’s nets.”

Brand spoofing and a familiar attack sequence.

The phishing emails targeted Netflix customers and were spoofed to look like they came from the real Netflix domain. The emails originated from a virtual private server in Germany, then were forwarded to an abused mail server at a Peruvian university, which resulted in the email being given a DKIM pass and be forwarded to the recipient.

The scam itself had a familiar style. Email recipients were informed that they needed to update their billing information for Netflix by downloading a form attached to the email. The attached “form” is a zip file containing an HTML attachment requesting PII on the recipient’s device. Once the recipient has filled in their information, a button at the bottom says “Agree and continue.” And of course, when they accept and continue, their personal information is sent to the threat actor.

Some messaging best practices.

INKY reminds users of best practices regarding unidentified emails. They advise to be careful with zip file attachments, as it is not possible to preview them, to visit a company’s website directly to solve an account problem, and to use the address bar of the browser to hover over the links and determine that you are on a website instead of a local file. They also note that SMTP servers should be configured to not accept and forward emails from non-local IP addresses to non-local mailboxes.


About Author

Comments are closed.