Security researchers have uncovered a new Netflix phishing scam that leads victims to sites with valid Transport Layer Security (TLS) certificates.
According to researchers at the SANS Technology Institute, the attack begins with hackers compromising a website by leveraging unpatched installs or plugins, or weak passwords to compromise CMS software such as WordPress or Drupal. They then create phishing sites that are designed to look like the official Netflix domain. In some cases, the attackers use wildcard DNS records as well.
“With a wildcard DNS record, *anything*.domain.com will point to the same IP address,” researchers said in a blog post. “The attacker will just use a subdomain/hostname to launch the attack."
Researchers also observed hackers using some specific domain names registered for the phish.
The attackers can then obtain a TLS certificate for a hostname that is related to Netflix, such as netflix.login.domain.com or netflix.domain.com. Because the certificate is valid for that hostname, the browser shows no warning, which helps the site evade detection by safe-browsing software.
However, the phishing emails used to lure the user are the weaker aspect of the attack: they aren’t worded properly and are, therefore, easy to spot. In one example, an email was already flagged as spam.
In this case, the link went to hxxps://www.safenetflax.com - a domain registered just to impersonate Netflix. After clicking on the link, the website looked very similar to the real Netflix.
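The two hostname patterns described above (the brand name placed in a subdomain of an unrelated, possibly wildcard-DNS domain such as netflix.login.domain.com, and a lookalike registrable domain such as safenetflax.com) can be flagged mechanically, for example when reviewing URLs from reported emails or hostnames from certificate transparency logs. The following is an added example written for this article, not code from SANS or Netflix. It assumes a constructed allowlist of brand-owned domains (`LEGIT_DOMAINS`) and uses a simplified "last two labels" rule for the registrable domain; a production version would consult the Public Suffix List.

```python
"""Classify hostnames that may impersonate a brand (Netflix here) as
(a) brand name in a subdomain of an unrelated registrable domain,
(b) brand name embedded in the registrable domain itself, or
(c) a one-edit lookalike of the brand (e.g. 'netflax').
Added example for this article; assumptions are marked inline.
"""
from urllib.parse import urlsplit

BRAND = "netflix"
# Assumption: a constructed allowlist of domains the brand actually owns.
LEGIT_DOMAINS = {"netflix.com", "netflix.net"}


def registrable_domain(hostname: str) -> str:
    """Return the last two labels of the hostname.
    Simplification: a real deployment should use the Public Suffix List
    so that e.g. 'example.co.uk' is handled correctly."""
    labels = hostname.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def has_lookalike(label: str, brand: str = BRAND, max_edits: int = 1) -> bool:
    """True if any substring of `label` roughly the brand's length is within
    `max_edits` of the brand, so 'safenetflax' matches through 'netflax'."""
    n = len(brand)
    for width in (n - 1, n, n + 1):
        for start in range(0, max(1, len(label) - width + 1)):
            if levenshtein(label[start:start + width], brand) <= max_edits:
                return True
    return False


def classify_hostname(hostname: str) -> str:
    host = hostname.lower().strip(".")
    reg = registrable_domain(host)
    if reg in LEGIT_DOMAINS:
        return "legitimate"
    # Labels left of the registrable domain: with a wildcard DNS record the
    # attacker can invent these freely, so the brand name there is suspicious.
    sub = host[: -len(reg)].strip(".") if host != reg else ""
    sub_labels = sub.split(".") if sub else []
    if any(BRAND in label for label in sub_labels):
        return "brand-in-subdomain"
    sld = reg.split(".")[0]
    if BRAND in sld:
        return "brand-in-domain"
    if has_lookalike(sld) or any(has_lookalike(label) for label in sub_labels):
        return "lookalike"
    return "unrelated"


def classify_url(url: str) -> str:
    """Accept defanged 'hxxp(s)://' URLs as they appear in incident reports."""
    url = url.replace("hxxp", "http", 1)
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no hostname in {url!r}")
    return classify_hostname(host)


if __name__ == "__main__":
    # Constructed sample inputs, including the hostnames named in the article.
    samples = [
        "netflix.login.domain.com",   # brand-in-subdomain
        "netflix.domain.com",         # brand-in-subdomain
        "hxxps://www.safenetflax.com",  # lookalike
        "www.netflix.com",            # legitimate
        "example.com",                # unrelated
    ]
    for s in samples:
        verdict = classify_url(s) if "://" in s else classify_hostname(s)
        print(f"{s:32} -> {verdict}")
```

The subdomain check deliberately fires on any label containing the brand, because a valid TLS certificate for netflix.anything.example says nothing about who controls the site; the allowlist, not the certificate, is what establishes legitimacy.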
Johannes Ullrich, dean of research at the SANS Technology Institute, said that although Netflix accounts aren’t particularly valuable to hackers, such attacks may still be tempting since they can be easily automated and are hard for victims to spot.
"Once a Netflix account is compromised, it can often be used for a long time undetected as Netflix allows multiple simultaneous streams for its standard and premium accounts,” Ullrich noted. “Unless the legitimate user gets ‘kicked off’ for using too many streams, the legitimate user will never know that there is someone else using their account."
Netflix-themed phishing scam campaigns have been steadily growing for a while now with various malicious fake emails and links related to the online streaming site making the rounds online. However, Netflix has warned customers not to click on links sent via emails and immediately report the same via its official website.