Researchers are warning of a new Netflix phishing scam that leads victims to sites with valid Transport Layer Security (TLS) certificates.
Johannes Ullrich, dean of research at the SANS Technology Institute, said Wednesday that there’s been an uptick in Netflix phishing mails using TLS-certified sites.
The bad actors behind the attacks will take advantage of unpatched installs or plugins, or weak passwords, to compromise usual-suspect CMS software, like WordPress or Drupal, said Ullrich. From there, they can create phishing sites that could be mistaken for real Netflix domains. In some cases, they’re using wildcard DNS records.
“With a wildcard DNS record, *anything.domain.com will point to the same IP address,” the researcher said in a post. “The attacker will just use a subdomain/hostname to launch the attack. But I have also seen them use specific domain names registered for the phish.”
The attacker can then obtain a TLS certificate for a host name that is Netflix-related, such as netflix.domain.com or netflix.login.domain.com; this helps the site evade being flagged by safe-browser software.
The initial spoofed emails are the weak part of the campaign, and are easy to spot, said Ullrich.
“The email was marked as spam, and the email is not worded that well,” he said. “In this case, the link went to hxxps://www.safenetflax.com, a domain registered just to impersonate Netflix. This domain no longer resolves.”
After clicking on the link, Ullrich found that the websites appear believable and look very much like the real Netflix: “The only modification I can spot is that the alternative login methods like Facebook are missing,” he said.
While Netflix accounts aren’t particularly valuable (Ullrich said he has seen them offered from $0.20-0.50 per account), the attack may be enticing to cyber-criminals as it can be easily automated – and hard for victims to spot, he said.
“Once a Netflix account is compromised, it can often be used for a long time undetected as Netflix allows multiple simultaneous streams for its standard and premium accounts,” said Ullrich. “Unless the legitimate user gets ‘kicked off’ for using too many streams, the legitimate user will never know that there is someone else using their account.”
The method of using TLS for phishing attacks has increased dramatically over the years; last year, Zscaler said that it saw a 400 percent increase of phishing attempts delivered with SSL/TLS over 2016.
“Hackers are posting phishing pages on legitimate domains that they have compromised” said Deepen Desai, director of security research at Zscaler in a post about the increase. “Many of these legitimate sites support SSL/TLS, and there are very few network security solutions that can support inspection of encrypted packets at scale.”
However, Ullrich said ultimately the bad actor could have made a mistake using TLS; because it is easy for Netflix or others to find the sites easily via certificate transparency logs; and, “I doubt many users would notice if the site didn’t use TLS,” he said.
Netflix phishing campaigns have been ongoing for years, but recently a new array of fake email and malicious links seem to have cropped up, with various law enforcement warning citizens to be on the lookout for the scams.
A spate of police forces in Canada for instance have recently advised the public of a phishing scam that involves bad actors impersonating Netflix to obtain victims’ banking information.
Netflix, for its part, recommends users avoid clicking links sent via email; and that they report any suspicious messages through its official website.