Attackers are using Netflix phishing emails to gain access to TLS-certified sites without much effort
Security researchers warned the public about a new wave of Netflix phishing emails that hit the web several days ago. The suspicious emails lead users to a look-alike website that closely resembles the original Netflix site and appears legitimate because it presents a valid Transport Layer Security (TLS) certificate. As a result, cybercrooks get a chance to steal sensitive data from their victims and use it for financial or other gain.
Hackers can easily obtain a TLS certificate by compromising sites that run unpatched CMS software (such as Drupal) or are protected by weak passwords. After breaking in, culprits can create phishing websites with a valid certificate and even use wildcard DNS records. Regular users can easily mistake these sites for the real ones, as visually they look exactly like the originals.
Bad actors use a wildcard DNS record so that any subdomain or hostname they choose resolves to the same IP address the original website uses, with no separate record needed for each name. This means that hackers can obtain a TLS certificate for a hostname that looks Netflix-related but is bogus, such as netflix.login.com or netflix.domain.com.
The well-known name embedded in the URL and the valid TLS certificate make the scam more believable. As a result, users sign in with their credentials.
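The look-alike hostname trick described above can be checked mechanically, because a valid certificate says nothing about whether the hostname actually belongs to the brand. The Python script below is an added example, not code from the original article or from Netflix; it assumes netflix.com is the only legitimate registrable domain for the brand and uses a tiny hand-picked suffix list in place of the full Public Suffix List. It extracts the links from a constructed email body and flags any hostname that carries the brand name outside the legitimate registrable domain, such as netflix.login.com, regardless of whether the site presents a valid certificate.

```python
import re
from urllib.parse import urlsplit

# Assumption: the only registrable domain the brand legitimately serves logins from.
LEGIT_DOMAINS = {"netflix.com"}
# Brand tokens whose presence in a hostname outside LEGIT_DOMAINS is suspicious.
BRAND_TOKENS = ("netflix",)

# Hand-picked multi-label public suffixes so that "example.co.uk" splits correctly.
# A production check should consult the full Public Suffix List instead (assumption).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host: str) -> str:
    """Return the registrable domain (eTLD+1) of a hostname, e.g.
    'netflix.login.com' -> 'login.com', 'a.b.co.uk' -> 'b.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_url(url: str) -> str:
    """Classify a URL as 'legitimate', 'brand-lookalike' or 'unrelated'.

    The decision rests on the registrable domain only: a brand name placed in a
    subdomain of someone else's domain (wildcard DNS makes that trivial) does not
    make the site legitimate, and neither does a valid TLS certificate."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").lower()
    if registrable_domain(host) in LEGIT_DOMAINS:
        return "legitimate"
    if any(token in host for token in BRAND_TOKENS):
        return "brand-lookalike"
    return "unrelated"


def flag_links(text: str) -> list:
    """Extract every http(s) URL from an email body and pair it with its verdict."""
    results = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,)")  # strip trailing punctuation glued onto the link
        results.append((url, classify_url(url)))
    return results


# Constructed sample email body modelled on the wording quoted in the article.
SAMPLE_EMAIL = """We recently failed to validate your information.
Please click the button below to get started: https://netflix.login.com/verify
Questions? Visit https://www.netflix.com/help for support."""

if __name__ == "__main__":
    for url, verdict in flag_links(SAMPLE_EMAIL):
        print(f"{verdict:16} {url}")
```

Running the script prints one line per link: the netflix.login.com link is reported as a brand look-alike because its registrable domain is login.com, while the www.netflix.com link is reported as legitimate. The same check can be dropped into a mail gateway or a browser extension; the important design choice is to compare the registrable domain against an allowlist rather than to search the whole hostname for the brand name.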
It is not the first time cybercriminals have abused Netflix's name. That is not surprising, as nearly 60% of US citizens choose it for viewing shows and movies. This means that most of the phishing emails reach subscribers, who may become seriously worried that their Netflix account could be suspended.
Phishing email – not the strongest part of the scam
Crooks have been relying on social engineering since the early 2000s. This method is considered the most effective when it comes to distributing malware or making users enter their credentials into fake websites. Messages range from obviously fake to cleverly presented ones that use the logos, texts and other attributes of well-known companies.
While the fake Netflix website is a success, the phishing email constructed by the hackers does not seem very convincing. First of all, the email is marked as spam (email providers have built-in spam scanners), and the message itself is not worded very well. It states the following:
We recently failed to validate your information, we hold on record for your account
we need to ask you to complete a brief validation process in order to verify details.
Once that information has been updated, you can continue enjoying Netflix.
please click the button below to get started.
As soon as users click the “Update account details” button, they are taken to a fake website that closely resembles Netflix and prompts them to enter their account details. The only difference is that the bogus site lacks the button that lets users sign in to the account with Facebook.
What do hackers do with obtained accounts?
Although Netflix accounts are not that valuable on the black market, the process of obtaining them is highly automated and can result in mass harvesting of account details. What is more, the attack is hard to spot, as Netflix does not substantially limit the number of devices users can stream from. Therefore, unless the account is “kicked off” for using too many streams, the owner will never find out that his or her account has been compromised.
Therefore, security experts urge users to protect themselves from cybercriminals and not let them abuse their accounts, be it Netflix or any other personal account. It is essential to learn to recognize scam emails and never trust anything that is thrown at you.
Finally, users are often not that concerned about stolen accounts, but a compromised account can lead to severe consequences, such as identity theft (which means that somebody can technically commit crimes under your name, and you may be liable) or money being stolen directly from your bank account. Do not take the risk: log in only through the official website and avoid links in emails, as they can be fake.