Fraudsters Abusing Legitimate Services to Phish Netflix Users’ Credentials

fishhook on keyboard

A new phishing email abused a legitimate web service in an attempt to phish users’ Netflix account credentials.

The Zix | AppRiver security team spotted the email in mid-July. With “Important: Cancellation of your Netflix subscription” as its subject line, the email stated that Netflix had failed to successfully process the recipient’s last membership payment. At that point, those responsible for creating the spam email made the following threat: “If you do not update your information within 72 hours we will limit what you can do with your account.” The email then directed the recipient to click on an embedded button called “My Account” so that they could continue to enjoy their Netflix membership.

On the Surface of the Netflix Scam

The email detected by Zix | AppRiver gave itself away as a fake in several ways. First, it used spoofing techniques to appear that it had originated from Netflix’s “Customer Care” department. A closer look at the sender revealed that the email had actually originated from an IP address associated with a web hosting company based in Canada.

At the time of analysis, a Google search revealed that the IP address was hosting the website of a best-selling author of romantic fiction. Second, the email contained a flawed footer. The text of the footer is replicated below:

Need help Contact support or visit our Help Center. Please do not reply to this email.  View or make changes to your Netflix Red membership at any time.  You'll need a supported device and an Internet connection to stream videos or to save videos to watch offline. (Italics added for red-colored font.)

The issues began right at the beginning of the footer text when the attackers made a grammatical error by not placing a “?” after the next “Need help.” That wasn’t the only mistake. In the above quotation, the red-colored font seemed to indicate the presence of hyperlinks in the email. But they were just unlinked text. Those portions didn’t lead to pages on Netflix’s website or anywhere else, for that matter. Presumably, the attackers included the red text in an attempt to make the email appear legitimate.

Additionally, the footer text mentioned the recipient’s ability to interact with their “Netflix Red membership.” There’s just one problem; there’s no such thing as a “Netflix Red membership.” “Netflix Red” is one of the colors used in the streaming service’s branding. However, Netflix doesn’t include “red” in reference to its membership plans. They’re just called “memberships.”

So, Where Does the “My Account” Button Lead?

Hovering over the “My Account” button embedded in the email revealed that it redirected the user to a domain hosted on Blogspot. This behavior is evident in the screenshot below. (Full hyperlink redacted.)

Screenshot of Netflix phishing email detected by Zix | AppRiver
Screenshot of Netflix phishing email detected by Zix | AppRiver

The redirect to a Blogspot site coincides with an important finding made by security researchers at Zix | AppRiver: fraudsters continue to abuse legitimate services to launch phishing attacks. In fact, Blogspot ranked fifth in a list of most-abused services detected by Zix | AppRiver. This list is reproduced in full below.

  1. PAGELINK
  2. GOOGLEAPIS
  3. AMAZONAWS
  4. SENDGRID
  5. BLOGSPOT
  6. MYSHAREPOINT
  7. WETRANSFER
  8. FORMSGLE
  9. LISTMANAGE
  10. WINDOWSNET
  11. ONEDRIVE
  12. AZUREWEBSITES
  13. SURVEYMONKEY
  14. FIREBASEAPP
  15. GOOGLESITES
  16. REBRANDLY

The Blogspot page hosted a fake Netflix login page designed to harvest a user’s credentials.

Defending Against a Netflix Phishing Scam

The scam detailed above highlights the need for organizations to defend themselves against Netflix phishing scams and other email attacks. They can do so by investing in an email security solution that scans incoming messages for indications of threat behavior. That analysis should take place in real time so that legitimate correspondence continues to reach its destination.

Learn how Zix | AppRiver email threat protection can keep your organization safe.