Phishing Emails Impersonating a Popular OTT Service
AhnLab Security Intelligence Center (ASEC) has recently discovered a phishing campaign distributing emails that impersonate a well-known OTT streaming service. The emails claim there is a problem with the recipient's subscription payment and urge them to verify it. The message presents an "Update Now" hyperlink as the way to resolve the problem, pressuring the recipient into clicking it.

Figure 1. Phishing email body
Once the link is clicked, victims are redirected to a fake login page, as shown in [Figure 2]. Unlike many phishing pages, which pre-fill the victim's email address from a parameter in the link, this one requires the victim to type the address in manually. Because the page behaves like an ordinary login form, victims are less likely to realize that their credentials are being harvested.

Figure 2. Phishing page disguised as the login page
If victims attempt to log in on the fake page, the email address and password they enter are sent to the attacker's C2 server. Afterward, the site displays a message claiming that auto-renewal has failed and prompts the user to click "Resume my subscription."

Figure 3. Account credentials sent to C2 (The account and password shown here are for testing purposes)

Figure 4. Fake subscription renewal page
Clicking the link eventually redirects users to a fraudulent payment page requesting credit card details, as seen in [Figure 5]. Similar to the fake login page, this payment page transmits sensitive information—including the user’s name, phone number, and credit card details—to the C2 server, as illustrated in [Figure 6]. The data shown in [Figure 5] was entered for testing purposes during analysis.

Figure 5. Fake credit card information input page

Figure 6. Credit card information sent to C2 (The information transmitted is for testing purposes)
Users are advised to be extra cautious when opening emails from unknown sources. Always verify the sender's legitimacy, check where a link actually points before clicking it, and avoid opening unexpected attachments. Emails requesting personal or financial information should be treated with extra care: if a payment problem seems plausible, open the service's official site or app directly rather than following the link in the email, and never enter card details on a page reached from an email. Attackers are increasingly leveraging legitimate platforms as C2 servers, making these campaigns harder to detect. As such, heightened vigilance is essential.
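The lure in [Figure 1] works because the visible "Update Now" text hides a destination that has nothing to do with the impersonated service, and the sender address is usually a lookalike rather than the service's own domain. The following script, an added example that is not ASEC's code, automates the two checks recommended above over a raw email: it compares the From domain against the service's known domains and extracts every hyperlink from the HTML body, flagging any whose host is not one of those domains. The trusted domain `example-ott.com`, the lookalike sender domain, the link host and the sample message itself are all constructed placeholders, not indicators from the campaign.

```python
"""Flag OTT-themed phishing lures: sender domain and link destinations that do
not belong to the impersonated service.  Added example, not ASEC's code.
All domains and the sample message below are constructed placeholders."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the legitimate domains of the impersonated service.  In a real
# deployment this would be the provider's actual domain list.
TRUSTED_DOMAINS = {"example-ott.com"}

# Constructed sample lure in the shape described in the article: a payment
# problem, an "Update Now" link to an unrelated host, and a lookalike sender.
SAMPLE_EMAIL = """\
From: Example OTT Billing <billing@example-ott-support.com>
To: user@example.net
Subject: Your payment could not be processed
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We could not process your subscription payment. Please verify your details.</p>
<p><a href="http://account-verify.example-cdn.net/login?u=1">Update Now</a></p>
<p><a href="https://help.example-ott.com/billing">Billing help</a></p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None


def hostname_of(url):
    """Lower-cased hostname of a URL, or '' if it has none (e.g. mailto:, javascript:)."""
    return (urlparse(url).hostname or "").lower().rstrip(".")


def host_is_trusted(host, trusted=TRUSTED_DOMAINS):
    """True only if host is a trusted domain or a subdomain of one.
    A suffix match on the bare string would accept 'example-ott.com.evil.test',
    so the check requires an exact match or a '.'-separated parent."""
    return any(host == d or host.endswith("." + d) for d in trusted)


def analyze_message(raw, trusted=TRUSTED_DOMAINS):
    """Return a list of findings for one raw RFC 5322 message (empty list = nothing flagged)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Check 1: does the sender address belong to the service it claims to be?
    _, sender = parseaddr(str(msg.get("From", "")))
    sender_host = sender.rpartition("@")[2].lower()
    if sender_host and not host_is_trusted(sender_host, trusted):
        findings.append({"type": "sender_domain", "host": sender_host})

    # Check 2: does every hyperlink in the HTML body lead to the service's own domains?
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    extractor = LinkExtractor()
    extractor.feed(body.get_content())
    for href, text in extractor.links:
        host = hostname_of(href)
        if host and not host_is_trusted(host, trusted):
            findings.append({"type": "untrusted_link", "text": text, "host": host})
    return findings


if __name__ == "__main__":
    for finding in analyze_message(SAMPLE_EMAIL):
        print(finding)
```

Run against the constructed sample, the script reports the lookalike sender domain and the "Update Now" link pointing at `account-verify.example-cdn.net`, while the genuine help link on a subdomain of the trusted domain passes. Feeding it an `.eml` file read from disk instead of `SAMPLE_EMAIL` is the only change needed for real mail; the domain list is the one part that must be maintained per impersonated brand.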