New wave of phishing emails targets Netflix users

Crooks are using advanced phishing email writing techniques to steal people's credit card details

Netflix scammers use sophisticated phishing techniques

A new phishing campaign targeting Netflix users has been spotted by security researchers recently. The sophisticated email with the subject “Your Netflix Membership is on hold” warns users that they need to re-validate their payment information and that their account is on hold. To be able to use it properly again, users are directed to a copy of the official Netflix website asking them to enter their credentials and credit card details.

Phishing emails are not a new phenomenon, and major brands or high-profile companies have been abused for a while now. Over time users learned to adapt and recognize these hoaxes, as they were filled with spelling and grammar mistakes and other features that just make them look fake. Nevertheless, these cybercrooks are using much more advanced email writing techniques and scare tactics[1] to make this scam more believable.

It is not surprising that Netflix, one of the biggest video-streaming providers, is one of the targeted companies and it is not the first time the company has been focused on by cybercriminals (the “Account Disabled” phishing attack[1] was launched last year). Bad actors are also abusing the fact that users love the service Netflix provides and the thought of not being able to watch their favorite shows crushes them.

The way the scam works

The phishing email uses smart formatting and clever social engineering[2]. Crooks mimic legitimacy by using the same colors, the same branding and the “Netflix Support Team” signature at the end of the message. The following are the contents of the scam email:

Your suspension notification

Hi #name#,

We were unable to validate your billing information for the next billing cycle of your subscription therefore we'll suspend your membership if we do not receive a response from you within 48 hours.

Obviously we'd love to have you back, simply click restart your membership to update your details and continue to enjoy all the best TV shows & movies without interruption.


We're here to help if you need. Visit the Help Center for more info or contact us.

-The Netflix Team

The sender of the email is an obvious sign that something is fishy. However, the fear of losing access to their account might be enough for the victim to ignore all these danger flags and click on the “Restart membership” button.

The user is then brought to a look-alike of the official Netflix page, with the security certificate stating “Safe.” Users often trust that tiny green lock sign, and it increases the credibility of the scam. The hackers use the Let's Encrypt Certificate Authority for the HTTPS[3] security certificate.

Users are then prompted to enter their name, phone number, address, date of birth and credit card information. The bogus website then informs victims that “their account information has been updated” and they are free to use Netflix without interruptions. On the same page, users can click on a link which brings them to the official Netflix website. In the meantime, they are unaware that their personal details have just been stolen by cybercriminals.
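The warning signs described in this section (a sender that does not belong to Netflix, a button leading to a non-Netflix host, and the unfilled “#name#” field) can be checked mechanically. The following Python sketch is an added example, not code from the researchers or from Netflix; the sample message, its example.net addresses, and the assumption that genuine mail and links sit under netflix.com are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

BRAND, BRAND_DOMAIN = "netflix", "netflix.com"  # assumption: genuine mail/web domain
# Constructed sample modelled on the quoted email; example.net hosts are placeholders.
SAMPLE = """\
From: Netflix Support Team <support@billing-update.example.net>
Subject: Your Netflix Membership is on hold
Content-Type: text/html; charset="utf-8"

<p>Hi #name#,</p>
<p>We'll suspend your membership if we do not receive a response within 48 hours.</p>
<a href="https://account-verify.example.net/login">Restart membership</a>
"""

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":  # collect the target of every link in the HTML body
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def in_domain(host, domain):
    # True only for the domain itself or a subdomain, so a host such as
    # 'netflix.com.example.net' does not pass.
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def phishing_indicators(raw):
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    if BRAND not in (display + " " + msg.get("Subject", "")).lower():
        return []  # message does not claim to come from the brand
    body = "".join(p.get_payload(decode=True).decode("utf-8", "replace")
                   for p in msg.walk() if p.get_content_maintype() == "text")
    found = []
    if not in_domain(addr.rpartition("@")[2], BRAND_DOMAIN):
        found.append("sender-domain-mismatch")
    collector = LinkCollector()
    collector.feed(body)
    urls = [urlparse(h) for h in collector.hrefs]
    # A valid HTTPS certificate on the target says nothing about who runs the site.
    if any(u.scheme in ("http", "https") and not in_domain(u.hostname, BRAND_DOMAIN)
           for u in urls):
        found.append("off-brand-link")
    if re.search(r"#\w+#", body):  # heuristic: mail-merge field left unfilled
        found.append("unfilled-template-placeholder")
    return found
```

Calling `phishing_indicators(SAMPLE)` returns the list of indicators that fired; an empty list means none of these three checks matched, not that the message is safe.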

Stay safe online – avoid scams and other cyber threats

It is evident that thieves will not stop creating legitimate-looking scam emails and websites, and they will not only affect Netflix. With the implementation of the General Data Protection Regulation on the 25th of May, many companies are updating their Privacy Policies and are informing users about these changes. Bad actors are quick to react and send out countless emails about the alleged GDPR change, asking users to enter their personal details.[4]

With the rise of security breaches,[5] ransomware attacks, and phishing scams, users are urged to take care of their online security. Never ignore built-in security software warnings about suspicious emails. Also, download and install robust anti-malware software. Finally, do not trust everything that is thrown at you – if needed, email the company that is trying to get your credentials and make sure it is legitimate.

About the author
Lucia Danes - Security researcher

Lucia Danes is the news editor at UGetFix. She is always on the move because her eagerness for knowledge makes her travel around the globe and attend InfoSec events and conferences.
