Researchers have identified a convincing new phishing scam targeting Netflix users, capable of evading email security software.
Identified by researchers at Armorblox, the phishing email masquerades as a billing error alert, pressing the victim to update their payment details within 24 hours or have their Netflix subscription voided.
The link provided in the email redirects to a functioning CAPTCHA form, used in legitimate scenarios to distinguish between humans and AI. Although this step adds a layer of friction to the process, it serves to enhance the sense of legitimacy the attacker is attempting to cultivate.
After handing over account credentials, billing address and payment card information, the victim is then redirected to the genuine Netflix home page, unaware their data has been compromised.
While Netflix phishing has been around ever since the video streaming platform rose to prominence, this latest scam is particularly threatening, thanks to its capacity to both seduce the victim and evade email filters.
According to ArmorBlox researchers, the scam outwits email security controls using two distinct techniques.
The legitimate CAPTCHA form serves to conceal the phishing landing page from security technologies that analyze URL redirection, while the landing page itself is hosted on a bonafide domain (www.axxisgeo.com), managed by a Texas-based oil and gas company.
“By hosting phishing pages on legitimate parent domains, attackers are able to evade security controls based on URL/link protection and get past filters that block known bad domains,” explained ArmorBlox in a blog post.
“Attackers likely exploited vulnerabilities in the web server or the Content Management Systems (CMS) to host these pages on legitimate parent domains without the website admins knowing.”
The information gathered by the scammers could be used in a variety of secondary attacks, including account compromise, identity theft and financial fraud.
To protect against phishing attacks of this kind, users are advised to scrutinize emails for abnormalities that might identify a scam and cross-check landing page URLs with known addresses (e.g. www.netflix.com) before entering account or payment information.