Beware of the 'Update Your Membership with us' Netflix Scam

On Tuesday, researchers from the Australian email security company MailGuard noticed that quite a few users were receiving some interesting messages from what looked like Netflix. The name of the world's most popular streaming service did indeed appear in the 'Sender' field of the said messages, but in reality, the emails weren't coming from Netflix. They were phishing lures that triggered a multi-stage operation designed to steal quite a lot of personal information.

The lure

The subject of the message suggests that your Netflix account has been put "on hold" and that "an update" will fix the issue. The body looks legitimate, at least at first glance. Netflix's logo is present, and the color scheme and fonts are pretty similar to what subscribers are used to seeing from the streaming service. Some people will not pay too much attention to the look of the message because they'll be in a hurry to fix the issues the email is talking about.

The message says that your account has been put on hold because the "last plan payment" didn't go through successfully. You are told that if you don't want to lose access to the service, you need to update your billing information. As you might imagine, there's an "Update now" button that takes you to what is a really good copy of Netflix's login page.

The trap

Needless to say, you first enter your Netflix login credentials in order to sign in to your account. Then, you are presented with a form that requests valid credit card details. All that data is sent to the people organizing the phishing campaign, and it must be said that most cybercriminals would be pretty happy with it. Not these crooks, though.

Once the credit card data has been entered, the malicious website takes you to a "Verified by Visa" page, which asks you for "Security Social Number", your mother's maiden name, and your card's 3D Secure Code. You then need to "Confirm your identity" by uploading a photo of some form of an ID document as well as a selfie of you holding the said document. After you've done that, you are asked to confirm your payment method by uploading a photo of both the front and the back of your bank card.

Finally, you are greeted by a page, which tries to convince you that you have regained access to your Netflix account and, after a while, redirects you to the real streaming service.

Staying safe

As you can see, the masterminds behind this phishing campaign are after more than just your username and password. The phishing attack is well-planned, and the social engineering techniques could make quite a few people fall for it. Nevertheless, there are a few tell-tale signs that should tip you off.

Although the emails look good from a visual perspective, there are a few spelling and grammatical mistakes, and the spacing is a bit awkward in places. We shouldn't overlook the fact that Netflix is unlikely to ask you for photos and selfies of your ID documents and credit cards, either. The easiest way of figuring out whether or not the page you're looking at is real is just to look where you're going.

The phishers can make a malicious page look like the real thing. What they can't do, however, is host it on the legitimate URL. In this case, the phishing pages (which have thankfully been removed now) were put on the website of the Islamic Society at the University of Hull, England. Although the forms were served over HTTPS, the hackers made no further attempts to hide the URL, which meant that a simple glance at the address bar of the browser would have been enough to tell users that they're not looking at a legitimate login form. Those who noticed this probably managed to dodge the bullet. Those who didn't will hopefully be more careful next time.