FireEye revealed that Netflix users in the United States were recently targeted by a phishing campaign.
The campaign used malicious websites masquerading as a Netflix login page to steal credit card data and other personal information. It worked by sending emails that appeared to be from Netflix to unsuspecting targets. People who clicked on a link in those emails were taken to the dummy sites, which then asked for Netflix credentials, addresses, dates of birth, Social Security Numbers, financial information, and other valuable personal data.
FireEye said the campaign used a variety of techniques to evade detection by most security tools:
- The phishing pages were hosted on legitimate but compromised web servers.
- Client-side HTML code was obfuscated with AES encryption to evade text-based detection.
- Phishing pages were not displayed to users from certain IP addresses if their DNS resolved to companies such as Google or PhishTank.
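The AES obfuscation in the list above defeats scanners that match on page text, but it leaves a structural trace a defender can check for: almost no readable markup, a long high-entropy literal in a script, and a call that writes into the DOM. The following is an added example, not FireEye's detection logic or code from the campaign; the thresholds, the sample page and the `decrypt` name are assumptions, and the heuristic flags opaque payloads in general rather than proving AES was used.

```python
import base64
import hashlib
import math
import re
from collections import Counter
from html.parser import HTMLParser

B64_RUN = re.compile(r"[A-Za-z0-9+/=]{200,}")      # long base64-looking literal
DOM_WRITE = re.compile(r"document\.write|innerHTML")  # script injects markup at runtime

class _Split(HTMLParser):
    """Separate script bodies from the text a user or a text scanner would see."""
    def __init__(self):
        super().__init__()
        self.in_script, self.scripts, self.visible = False, [], []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        (self.scripts if self.in_script else self.visible).append(data)

def entropy(s):
    """Shannon entropy in bits per character (ciphertext in base64 approaches 6)."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def looks_client_side_encrypted(html, min_entropy=5.5, max_visible=200):
    """True when the page is mostly an opaque blob that a script renders itself."""
    p = _Split()
    p.feed(html)
    script = "".join(p.scripts)
    visible = " ".join("".join(p.visible).split())
    blobs = [b for b in B64_RUN.findall(script) if entropy(b) >= min_entropy]
    return bool(blobs) and bool(DOM_WRITE.search(script)) and len(visible) <= max_visible

def constructed_sample():
    """Constructed input: pseudo-random bytes stand in for ciphertext."""
    raw = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(12))
    blob = base64.b64encode(raw).decode()
    # decrypt() is a hypothetical function name, not taken from the campaign
    return f'<html><body><script>var c="{blob}";document.write(decrypt(c));</script></body></html>'
```

A hit is a reason to render the page in a sandbox and inspect the resulting DOM, not a verdict on its own.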
Those defensive measures would have made it hard for people to realize they were sharing information with a malicious website. FireEye said the sites are no longer active, but it's not clear how long they were up or how many people were targeted, which makes this campaign's impact hard to predict. Its reach likely extends beyond compromised Netflix accounts; enough data was gathered to create serious problems for people who fell for the bait.
First, there are the digital ramifications. People tend to use the same usernames and passwords across multiple sites, which means stolen Netflix credentials might allow someone to compromise Amazon, Facebook, and other accounts with popular services. This could lead to more phishing attacks, invasions of privacy, and other problems that will ripple out as if this campaign were a pebble tossed into a pond. Netflix is the least of our worries.
Then there are the real-world problems that could stem from this campaign. The attackers didn't just learn how to break into someone's Netflix account--they also gathered information about their victims' addresses, dates of birth, and Social Security Numbers. (Not to mention their financial data.) Someone could use all that data to perpetrate fraud or identity theft, stalk someone, and otherwise wreak havoc on their victims' lives.
FireEye recommended that people view Netflix's security page to learn more about securing their accounts. This is also a good reminder not to trust websites just because they appear to be legitimate and to question why a company would need certain information--since when does Netflix ask people for their Social Security Number?--as well as showing that emailed links should be avoided in favor of manually entering a URL whenever possible.