Two massive phishing campaigns target Netflix and AMEX users

• These campaigns aim to steal users’ personal information, payment card details, login credentials, and social security information.
• These emails include a web fillable form attachment and requests users to download the attachment and fill out the form.

What is the issue - Office 365 Threat Research team observed two new active phishing campaigns targeting Netflix and American Express (AMEX) users.

“Two massive, still-active phishing campaigns targeting Netflix and AMEX emerged over the weekend, the Office 365 Threat Research team has discovered. Machine learning and detonation-based protections in Office 365 ATP protect customers both campaigns,” Windows Defender Security Intelligence tweeted.

Why it matters - These campaigns aim to steal users’ personal information, payment card details, login credentials, and social security information.

Netflix phishing campaign

• The phishing emails sent to Netflix users have subject lines such as ‘Your account is on hold because of a problem with your last payment’.
• These emails go on to say that Netflix was unable to collect the payment and urges users to update their payment method in order to resolve the issue.
• Once users download the attached form to update their payment method, the form asks users to enter their personal information such as first and last names, email addresses, social security numbers, dates of birth, and addresses.
• The form also asks for users’ payment card details such as credit card numbers, expiration dates, bank names, PIN numbers, and security codes.

“Netflix was unable to collect a payment because of one of the following reasons:

• The method of payment on file is no longer valid or has expired.
• The financial institution did not approve the monthly charge.

To resolve the issue, update your payment method. Download form attached to this email and follow the instructions. Once your payment information has been updated, you can continue enjoying Netflix. If you’re having trouble updating your payment information, you may want to reach out to your card issuer to ensure the card information is up to date or try an alternate method of payment. Netflix will also automatically retry the failed payment periodically over the course of your billing cycle to help you get back to enjoying the service,” the email read.

AMEX phishing campaign

• The phishing emails sent to AMEX users have subject lines such as ‘Notice Concerning your CardMember Account’.
• These emails include a web fillable form attachment and requests users to download the attachment and fill out the form.
• The legitimate-looking fillable form asks for users’ personal information such as user id and passwords, mother's maiden name, mother’s date of birth, and place of birth, security pin numbers, email addresses and passwords.
• Users are also requested to enter their payment card details such as credit card numbers, expiration dates, PIN numbers, and security codes.

“We are reaching you on a recent update on your online service platform and we feel the need to evaluate Cardmember’s profile. At the moment of evaluation, your profile couldn't be authenticated during diligence checks. However, For security reason, We declined access to card member’s profile and request that you confirm what we have on records for you. Attached along this message is a web fillable form. Complete request by downloading and filling out the form,” the email read.

“The AMEX campaign uses a generic “Notice Concerning your CardMember Account” message and asks for multiple personal and credit card info, but interestingly also asks for email address and password,” Windows Defender Security Intelligence tweeted.