Heads Up: This Netflix Phish Targets Business Email, Not Just Home Accounts

PhishMe® analyzes phishing attacks intended for corporate email all the time—phishing for corporate email credentials, malware delivery, etc. However, we also analyze phishing for consumer service credentials—think online shopping or Netflix—since it is also a part of the threat landscape.

Everyone has accounts for these consumer services, and attackers are not always discriminating about who receives their phishing messages. As a result, we see consumer services phished in the corporate environment as well.

This might be successful because people use corporate email for consumer stuff all the time. If the threat actor can find examples of password reuse, phishing a consumer service like Netflix might lead to illicit access to an enterprise email account and associated services.

A recent example shows a message that again spoofs Netflix but also collects credit card details.

Message:

Link:

hxxp://see-all.norafix.com/

This immediately redirects to the landing page URL on the same domain:

hxxp://account.norafix.com/ch/customer_center/customer-IDPP00C274/js/?country.x=&locale.x=en_

Once the victim enters their Netflix credentials, they are redirected to the second step seen below, which collects the victim’s credit card credentials:

The final step shows a thank you message, where clicking the “Get Started” button takes you to Netflix.com:

The attacker wants your login credentials, which enables him to…

PhishMe has tracked Netflix phishers before. This most recent one seems to be trying his hand at collecting several types of personal credentials. The email address associationpresident3 at gmail dot com has been recorded in five different phishing toolkits since June, targeting customers of Chase Bank, Comcast, Netflix, TD Bank and Wells Fargo.

Another Netflix phisher builds phishing pages in Italian and uses the exfiltration address annelies.mazenier at hushmail dot com.

Typically, people at work try to handle a minor personal inconvenience as quickly as possible. So, the Netflix phish works to trick those busy people into giving up login information. Now, what does the attacker do with that?

He could simply bandit your account to finally watch the first season of Iron Fist, or he could try to capitalize on the credentials he has stolen. After all, the victim is already rushed; they may not have the time to keep track of dozens of passwords.

So now the attacker hopes that you reuse the same password for your personal email account or, if the attacker is very lucky, for your work email account. In either case, they can now reset passwords for various other online services—banking, healthcare, social media—to pivot and carry their attack forward.

One reason this tactic could succeed: a lot of companies might not enforce two-factor authentication for their single-sign-on services, which means reused credentials might be a skeleton key for multiple corporate services.
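Because reused passwords are the real corporate risk here, a defender can take the two URLs reported above and check web proxy logs for users who reached the phishing hosts and, more importantly, sent a form to them. The following is an added example, not PhishMe's own tooling; the log format (time, user, method, URL, status), the user names and the log lines themselves are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# The two defanged URLs exactly as reported in this post.
REPORTED = [
    "hxxp://see-all.norafix.com/",
    "hxxp://account.norafix.com/ch/customer_center/customer-IDPP00C274/js/?country.x=&locale.x=en_",
]

def refang(ioc):
    """Undo common defanging (hxxp, [.]) so the URL parses normally."""
    return re.sub(r"^hxxp", "http", ioc, flags=re.I).replace("[.]", ".")

def ioc_hosts(iocs):
    """Return the set of lowercase hostnames found in the reported URLs."""
    return {urlsplit(refang(i)).hostname for i in iocs}

def triage(log_text, hosts):
    """Map user -> 'visited' or 'submitted' for requests to reported hosts."""
    result = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:          # skip lines that do not fit the assumed format
            continue
        _, user, method, url, _ = parts
        if urlsplit(url).hostname not in hosts:
            continue
        if method == "POST":         # form data (login or card details) was likely sent
            result[user] = "submitted"
        else:                        # never downgrade an earlier 'submitted'
            result.setdefault(user, "visited")
    return result

# Constructed sample log: alice follows the lure and posts a form,
# bob only opens the lure link, carol browses the genuine site.
LURE, LANDING = (refang(u) for u in REPORTED)
SAMPLE_LOG = "\n".join([
    f"2017-01-01T09:14:02Z alice GET {LURE} 302",
    f"2017-01-01T09:14:03Z alice GET {LANDING} 200",
    f"2017-01-01T09:14:41Z alice POST {LANDING} 302",
    f"2017-01-01T09:20:10Z bob GET {LURE} 302",
    "2017-01-01T09:21:00Z carol GET https://www.netflix.com/browse 200",
])

if __name__ == "__main__":
    for user, state in sorted(triage(SAMPLE_LOG, ioc_hosts(REPORTED)).items()):
        print(f"{user}: {state}")
```

Users marked `submitted` are the ones whose corporate passwords should be reset first, since any reuse of the phished password puts their work accounts at risk.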

With Netflix widely popular across the globe and password re-use rampant across multiple online services, the public must turn a very skeptical eye toward all email communication.
