A new wave of phishing attacks aimed at stealing payment card details and credentials for the Netflix streaming service starts by redirecting recipients to a functioning CAPTCHA page in order to bypass email security controls.
The threat actors responsible for this attack used a “failed payment” theme to draw potential victims into the redirect chain leading to the phishing page.
The fraudulent emails were sent at the beginning of the month pretending to be a notification from the Netflix support service about issues with verifying the billing address and payment details.
The sender address was [email protected], which makes it clear that the attacker tried to make the message look legitimate by impersonating Netflix’s customer support.
Researchers at Armorblox, a company that fights targeted email attacks, analyzed the redirection chain and found that it begins with a link in the message that leads to the phishing page.
Some security solutions fail to detect the page as a threat because it is hidden behind a functional CAPTCHA challenge-response test.
Apart from preventing defense systems from reaching the malicious page, the CAPTCHA also gives a sense of legitimacy to the communication. The URL has now been taken down.
The phishing page is a good impersonation of the original Netflix login portal, but all the links on it just reload the same page. The domain loading it also indicates that it is fake.
After entering the credentials, another page loads, asking for a billing address and then for payment details (card number, expiration date, CVV, account number).
Even though these phishing attacks are not complex and can be identified easily by users who pay attention to the details, they manage to bypass email security solutions with ease.
By using a working CAPTCHA and hosting the phishing page on hacked legitimate websites, the actor is able to dodge filters for known bad domains and push the fraud without triggering any alarm.
Victims who fall for these tricks may not know about the fraud until it is too late as the phishing flow ends with a “success” message.
Users must be cautious when asked to provide sensitive details and should always check the domain loading the page to spot phishing attempts.
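A defender-side triage check that encodes the indicators this article describes (a CAPTCHA gate ahead of the landing page, the brand name shown on a domain the brand does not own, links that all reload the same page, and credential or card forms), as an added example that is not part of the original article and not Armorblox's tooling. The brand domain allowlist and the sample pages are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
BRAND = "netflix"                                   # assumption: the brand being impersonated
BRAND_DOMAINS = {"netflix.com", "www.netflix.com"}  # assumption: domains the brand really uses

class _PageScan(HTMLParser):
    # Collect anchor targets, script sources and form field names from one page.
    def __init__(self):
        super().__init__()
        self.hrefs, self.scripts, self.fields = [], [], set()
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href") is not None:
            self.hrefs.append(a["href"])
        elif tag == "script" and a.get("src"):
            self.scripts.append(a["src"])
        elif tag == "input":
            self.fields.add((a.get("name") or a.get("type") or "").lower())

def scan_chain(chain):
    """chain: [(url, html), ...] in redirect order; returns the set of indicators found."""
    found = set()
    for url, body in chain:
        p = _PageScan(); p.feed(body)
        off_brand = (urlparse(url).hostname or "") not in BRAND_DOMAINS
        low = body.lower()
        # The CAPTCHA in the chain is what kept automated URL scanners off the landing page.
        if "captcha" in low + " ".join(p.scripts).lower():
            found.add("captcha_gate")
        # Brand name shown on a page served from a domain the brand does not own.
        if BRAND in low and off_brand:
            found.add("brand_domain_mismatch")
        # Every link points back at the same page: a facade with no real site behind it.
        if p.hrefs and all(h in ("#", "", url) for h in p.hrefs):
            found.add("self_referencing_links")
        if off_brand and "password" in p.fields: found.add("credential_form")
        if off_brand and p.fields & {"cardnumber", "card_number", "cvv", "cvc"}: found.add("card_form")
    return found

def is_likely_phish(chain):
    f = scan_chain(chain)  # CAPTCHA gate plus an off-brand page collecting credentials or card data
    return {"captcha_gate", "brand_domain_mismatch"} <= f and bool(f & {"credential_form", "card_form"})
SAMPLE_CHAIN = [  # constructed sample, not captured from the campaign: CAPTCHA gate, fake login, billing
    ("https://compromised-site.example/verify/", '<script src="https://www.google.com/recaptcha/api.js"></script>'),
    ("https://compromised-site.example/nf/login.php", '<title>Netflix</title><a href="#">Help</a>'
     '<a href="#">Sign In</a><form><input name="email"><input type="password" name="password"></form>'),
    ("https://compromised-site.example/nf/billing.php", 'Netflix billing<form><input name="cardnumber">'
     '<input name="expiry"><input name="cvv"></form>'),
]
```

Running `scan_chain(SAMPLE_CHAIN)` over the constructed chain returns all five indicators, while a genuine login page on a brand domain returns none.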
Image Credits: Abijita Foundation