Warning Against Phishing Emails Impersonating Netflix

AhnLab SEcurity intelligence Center (ASEC) has recently discovered that phishing emails impersonating Netflix, a well-known Over-the-top (OTT) platform, are being distributed.

OTT platforms are well-integrated into our daily lives, and with the number of users worldwide increasing recently, extra caution is required against phishing emails using such topics. 

The phishing email in distribution is shown below. The threat actor disguised the email with details regarding the payment failure for a Netflix subscription, requesting the reader to edit their payment method by clicking the hyperlink and logging in.

 

Figure 1. Phishing email disguised as being sent from Netflix

 

The email is so meticulously created that at first glance, it is hard to tell that it is a phishing email. In particular, the email address used by the threat actor (“netflix-team[.]com”) does not raise any suspicion about the sender. 

It seems that this address is a domain made by the threat actor for phishing and is not the official address used by Netflix.

* Official Netflix email address: netflix[.]com

 

Figure 2. The hyperlink set to redirect the user to a different site

 

The threat actor inserted the official Netflix website’s URL to hyperlinks such as “Help Center” and “Contact” while inserting the phishing site’s URL only to the “Update account now” button highlighted in red. 

Additional analysis was not possible because the phishing site connected to the hyperlink was disabled at the time of analysis. Upon analyzing the domain of the phishing URL, however, it was discovered that the domain was not in service. Furthermore, as CSS files of well-known platforms such as Facebook and Google were found in sub-URLs, it is presumed that the threat actor created additional phishing sites using various content.

 

Figure 3. The domain of the URL inserted in the hyperlink

 

To avoid suspicions, the threat actor also included a legitimate URL (official Netflix URL) in the phishing email and chose the OTT platform content to send a phishing email, a subject that the public is familiar with.

The case introduced in this post is only one of many, and phishing emails will continue to become more advanced and sophisticated. In essence, it is crucial to be mindful of security awareness.

It is important to first check the URL that is connected to the hyperlink in the email. Also, you should go to the official website before clicking the hyperlink to see if there is any relevant information mentioned in the email.

URL

https[:]//piscatoria[.]co[.]nz/r/CLT6c1Q