Netflix credential phishing hides behind working CAPTCHA

netflix phish

A recent wave of phishing attacks aiming to steal payment card info and credentials for Netflix streaming service starts with redirecting to a functioning CAPTCHA page to bypass email security controls.

The actor behind these attempts used a “failed payment” theme to engage potential victims into the redirect chain leading to the phishing page.

Phishing flow

The fraudulent emails were sent at the beginning of the month and purported to be a notification from the Netflix support service about issues with verifying the billing address and payment details.

Looking at the sender’s address (, it is clear that the attacker made an effort to make it look legitimate by trying to impersonate Netflix’s customer support.

Researchers at Armorblox, a company fighting targeted email attacks, analyzed the redirection chain. It all starts with a link in the message that takes to the phishing page. 

However, some security solutions fail to detect the page as a threat because it is hidden behind a functional CAPTCHA challenge-response test.

Apart from preventing defense systems from reaching the malicious page, the CAPTCHA also gives a sense of legitimacy to the communication. The URL has been taken down.

The phishing page is a good impersonation of the original Netflix login portal but all the links just reload the same page. Also, the domain loading it, despite being legitimate, is a clear indication of a fake.

After typing in the credentials, another page loads, asking for a billing address and then for payment details (card number, expiration date, CVV, account number).

While these phishing attacks are not complex and humans could spot them if they pay attention to some details, they manage to easily bypass email security solutions.

By using a working CAPTCHA and hosting the pat phishing page on hacked legitimate websites, the actor is able to dodge filters for known bad domains and push the fraud without triggering the alarm.

Victims falling for these tricks may not learn about the fraud until it’s too late as the phishing flow ends with a “success” message. Being cautious when asked to provide sensitive details and checking the domain loading the page should help users spot phishing attempts.

Source link

Recent articles

Augmenting AWS Security Controls | Threatpost

The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal...

Google training documents advise avoiding monopoly language

Alphabet and Google employees are trained to avoid using certain words and phrases in internal communications and “assume every document will...

Commemorate Universal’s Halloween Horror Nights at Home With These NEW Face Masks!

If we’re honest, the cancellation of Universal’s Halloween Horror Nights broke our little fright night loving hearts this year! Tribute Store Even though we know...

Bank of America strategist: ‘I’m so bearish, I’m bullish’

Only on Wall Street would an investment research report titled, “I’m so bearish, I’m bullish”...

Genshin Impact PS4 Release Date to Land This Fall

The team at miHoYo is currently working on a gorgeous open-world action-RPG, Genshin Impact. PlayStation 4 players worldwide will be able to venture into...

Leave a reply

Please enter your comment!
Please enter your name here