Security resarchers discovered a phishing campaign primarily based in the US which is targeting the credit card data and other personal information of Netflix users.
The campaign mimics real Netflix web pages in order to trick unsuspecting users into handing over their personal information and multiple “evasion techniques” have been used by the attackers to avoid detection by phishing filters.
For example, the phishing pages are hosted on legitimate but compromised web servers and were not displayed to users from certain IP addresses where the DNS resolved to companies such as Google or PhishTank.
Writing on the FireEye blog, advanced malware researcher Mohammed Mohsin Dalla explains how the attack starts with an email notification asking users to update their account membership and includes a link directing recipients to a fake Netflix login page.
“Upon submitting their credentials, victims are then directed to webpages requesting additional membership details and payment information,” he says. “These websites also attempt to mimic authentic Netflix webpages and appear legitimate. Once the user has entered their information, they are taken to the legitimate Netflix homepage.”
The campaign also uses AES encryption (Advanced Encryption Standard) to encode the content presented at the client’s side, leveraging code obfuscation to help evade text-based detection by preventing inspection of the webpage content.
Netflix finally completed an eight-year cloud migration project to AWS at the beginning of last year, shutting down its last data centre, but was also slammed by Greenpeace earlier this week for falling short on renewable energy commitments.