Anti-Malware Research

Netflix Phishing Campaign Spikes in Brazil with Account Update/Suspended Tricks

With many of us stuck at home because of the pandemic, it’s only natural that streaming services will experience a surge in members and traffic. Netflix is clearly among them, and to make sure that there’s enough to go around for everyone while not adding stress on internet bandwidth already crowded by everyone dialing in for remote work, Netflix announced on March 19th a reduction in streaming quality, from high definition to standard.

A new spear phishing campaign of over 183,000 emails, potentially exploiting the announcement made by Netflix, seems to have hit Brazilian Netflix users between March 18th and March 23rd, with Bitdefender’s spam flux peaking on March 22nd at 91,463 reported emails. The campaign seems to have abruptly ended on March 24th, as there have been practically no reports since. While these email samples showed up in our spam flux several days earlier, the number of reports was low and, at the time, there was no indication they would lead to a full-blown campaign.

Netflix has a large presence in Brazil, with around $1.2 billion in revenue from almost 11 million subscribers. This means the chances of reaching a legitimate user’s inbox are quite good and attackers could profit handsomely if they trick victims into “updating credit card details,” as their messages instruct.

Update Your Account Information

One of the spear phishing emails claims users need to update their credit card information due to “some inconsistencies” in their accounts. The email tries its best to look legitimate, abusing the Netflix logo and overall formatting.

The message above reads:

Obviously, when hovering over the two URLs you’re told to click to update your account information, you’ll notice the links don’t point to any Netflix domain.

hxxps://index1-atualizar-cadastro.joomla.com/index1
hxxps://br-sec-series.joomla.com/acesso/br

Visiting those links would have been ill-advised, as you would probably have ended up giving away your Netflix credentials and maybe your credit card information.

Interestingly, the “About” section of the email (footer) contains actual Netflix information, including the URLs for the company’s Terms of Service, newsletter unsubscribe link, and even Terms of Use. The scammers likely took it from a legitimate Netflix newsletter and simply crafted or altered the first part of the message.

Account Suspended

A second email seemingly from Netflix and targeting Brazilian users claims that your account has been suspended and you need to “update your details so you can watch again and avoid cancellation.”

This, too, uses the Netflix logo and even a couple of images with the “Avengers: Age of Ultron” movie and “La Casa de Papel” series. The simplicity of the message and the use of the movie banners, much like legitimate Netflix newsletters employ, could make the scam more believable to the untrained eye.

Following the button to access your alleged account (hxxps://br-sec-series.joomla.com/acesso/br) takes you anywhere but the legitimate Netflix webpage.

Unlike the previous email, where the footer section had valid URLs pointing to Netflix, this scam leaves nothing to chance. Although the message is pretty much the same, all URLs have been changed to point to the attacker-controlled webpage mentioned above.
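The link check described for both emails can be automated. The following is an added example, not Bitdefender's detection logic or code from the original article: it extracts every link from an HTML mail body and reports hosts that fall outside the claimed sender's domain. The `BRAND_DOMAINS` allowlist, the function names, and the two sample bodies (markup and link text) are assumptions made for illustration; only the defanged URLs come from the article.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the only domain the claimed sender (Netflix) legitimately links to.
BRAND_DOMAINS = {"netflix.com"}

class LinkCollector(HTMLParser):
    """Collect the href of every <a> tag in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)

def host_of(url):
    # Accept defanged indicators (hxxp/hxxps, [.]) as they appear in reports.
    url = url.strip().replace("hxxp", "http", 1).replace("[.]", ".")
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def on_brand(host):
    # Exact match or a true subdomain; "netflix.com.example.org" must not pass.
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)

def audit_links(html_body):
    """Return (verdict, sorted off-brand hosts) for one mail body."""
    collector = LinkCollector()
    collector.feed(html_body)
    hosts = {host_of(h) for h in collector.hrefs} - {""}  # skip mailto:, anchors
    off = sorted(h for h in hosts if not on_brand(h))
    if not off:
        return "no-off-brand-links", off
    # Genuine footer links beside an off-brand call to action is the first
    # email's pattern; every link off-brand is the second's.
    return ("mixed" if len(off) < len(hosts) else "all-off-brand"), off

# Constructed bodies: URLs from the article (kept defanged), markup and link text invented.
FIRST_MAIL = """<a href="hxxps://index1-atualizar-cadastro.joomla.com/index1">update</a>
<a href="hxxps://br-sec-series.joomla.com/acesso/br">update</a>
<a href="https://www.netflix.com/">footer link</a>"""
SECOND_MAIL = """<a href="hxxps://br-sec-series.joomla.com/acesso/br">access account</a>
<a href="hxxps://br-sec-series.joomla.com/acesso/br">footer link</a>"""

if __name__ == "__main__":
    for name, body in (("first", FIRST_MAIL), ("second", SECOND_MAIL)):
        print(name, audit_links(body))
```

A "mixed" verdict matters for filtering: a message cannot be scored as safe just because some of its links resolve to the real brand.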

Recommendations

It’s highly recommended that, before you click on any link you receive within the body of an email, you first check out the sender’s email address. In both examples above, the email address is a dead giveaway (“jasmin.becken@” and “samsammy@”). And if the first part of the email address doesn’t raise any suspicion, be sure to check the domain name as well.

Also, legitimate emails from trusted services such as banking or various service operators will not ask you to click on a link to access your account. They’ll usually ask you to check out your account by manually visiting their website and logging in.

It’s also recommended that you use a security solution that can accurately identify phishing emails and fraudulent URLs, so that you can steer clear of scams, malware and fraud.

Note: This article is based on technical information provided courtesy of the Bitdefender Labs teams.

About the author

Liviu ARSENE

Liviu Arsene is the proud owner of the secret to the fountain of never-ending energy. That's what's been helping him work his everything off as a passionate tech news editor for the past couple of years. He is the youngest and most restless member of the Bitdefender writer team and he covers mobile malware and security topics with fervor and a twist. His passions revolve around gadgets and technology, and he's always ready to write about what's hot and trendy out there in geek universe.
