Netflix Phishing Attack Steals Credit Card Data, Personal Info

FireEye revealed that Netflix users in the United States were recently targeted by a phishing campaign.

The campaign used malicious websites masquerading as a Netflix login page to steal credit card data and other personal information. It worked by sending emails that appeared to be from Netflix to unsuspecting targets. People who clicked on a link in those emails were taken to the dummy sites, which then asked for Netflix credentials, addresses, dates of birth, Social Security Numbers, financial information, and other valuable personal data.

FireEye said the campaign used a variety of techniques to evade detection from most security tools:

  • The phishing pages were hosted on legitimate, but compromised, web servers.
  • Client-side HTML code was obfuscated with AES encryption to evade text-based detection.
  • Phishing pages were not displayed to visitors whose IP address resolved (via DNS) to companies such as Google or PhishTank.

Those evasion techniques would have kept the sites off blocklists and out of browser warnings, which in turn made it harder for victims to realize they were handing information to a malicious website. FireEye said the sites are no longer active, but it's not clear how long they were up or how many people were targeted, which makes this campaign's impact hard to gauge. Its reach likely extends beyond compromised Netflix accounts: enough data was gathered to create serious problems for people who fell for the bait.

First, there are the digital ramifications. People tend to reuse the same usernames and passwords across multiple sites, which means stolen Netflix credentials might allow someone to compromise Amazon, Facebook, and other accounts with popular services. This could lead to more phishing attacks, invasions of privacy, and other problems that ripple out as if this campaign were a pebble tossed into a pond. Netflix is the least of our worries.

Then there are the real-world problems that could stem from this campaign. The attackers didn't just learn how to break into someone's Netflix account--they also gathered information about their victims' addresses, dates of birth, and Social Security Numbers. (Not to mention their financial data.) Someone could use all that data to perpetrate fraud or identity theft, stalk someone, and otherwise wreak havoc on their victims' lives.

FireEye recommended that people view Netflix's security page to learn more about securing their accounts. This is also a good reminder not to trust websites just because they look legitimate, to question why a company would need certain information--since when does Netflix ask people for their Social Security Number?--and to avoid clicking emailed links in favor of manually entering the URL whenever possible.
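As an added example (not from the article, FireEye or Netflix), here is a small Node.js checker for the link advice above. It pulls every anchor out of an HTML e-mail and flags any whose destination host is not the brand's own domain, catching the look-alike domain and the `user@host` trick that fool a casual glance. The sample e-mail, the `.example` hosts and the `203.0.113.5` address are constructed; `netflix.com` is assumed to be the only trusted domain.

```javascript
// Added example, not from the article: flag e-mail links whose real
// destination is not the brand's own domain. The sample e-mail is constructed.
function isTrustedHost(host, trustedDomains) {
  return trustedDomains.some((d) => host === d || host.endsWith('.' + d));
}

// Returns one finding per suspicious anchor; an empty array means every link
// points at a trusted host. The WHATWG URL parser resolves "netflix.com@evil"
// to host "evil", exactly as the browser would when the link is clicked.
function suspiciousLinks(emailHtml, trustedDomains) {
  const findings = [];
  const anchor = /<a\s[^>]*?href\s*=\s*["']([^"']+)["'][^>]*>([\s\S]*?)<\/a>/gi;
  let m;
  while ((m = anchor.exec(emailHtml)) !== null) {
    const href = m[1];
    const text = m[2].replace(/<[^>]+>/g, '').trim();
    let host;
    try {
      host = new URL(href).hostname.toLowerCase();
    } catch (e) {
      findings.push({ href, text, reason: 'unparseable URL' });
      continue;
    }
    if (isTrustedHost(host, trustedDomains)) continue;
    const textShowsBrand = trustedDomains.some((d) => text.toLowerCase().includes(d));
    findings.push({
      href,
      text,
      host,
      reason: textShowsBrand
        ? 'display text shows a trusted domain but the link goes to ' + host
        : 'link host ' + host + ' is outside the trusted domains',
    });
  }
  return findings;
}

// Constructed sample e-mail: two genuine links and two phishing tricks
// (a domain that merely starts with "netflix.com", and userinfo before "@").
const SAMPLE_EMAIL = `
<p>Your payment method needs attention.</p>
<a href="https://www.netflix.com/YourAccount">Update your payment method</a>
<a href="https://netflix.com.account-verify.example/login">https://www.netflix.com/login</a>
<a href="http://netflix.com@203.0.113.5/confirm">Confirm your details</a>
<a href="https://help.netflix.com/security">Read our security tips</a>
`;

function checkSample() {
  return suspiciousLinks(SAMPLE_EMAIL, ['netflix.com']);
}

console.log(checkSample());
```

The check is deliberately strict about hosts rather than about how a link is worded: the second sample link displays a perfectly correct Netflix URL as its text, so only the parsed destination host reveals the problem.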

Nathaniel Mott
Freelance News & Features Writer

Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.

  • erendofe
    Legit companies like Netflix, PayPal, etc. will never send you an email with a link to log in to their sites. They will simply instruct you to contact them. After all, if you have an account with these sites you obviously know how to get there.
  • derekullo
    Hacker: Good Evening. We here at Netflix are sending out emails to all of our customers to confirm that your Social Security Number, Credit Cards and birth certificate have not changed in the past year.

    Please click the link below and confirm the above information.
    For faster processing please also enter your mother's information.
  • RomeoReject
    Thank god the only people that have my credit information are me, my other half, and that kind Nigerian Prince.
  • Jeff Fx
    If someone pretending to be Netflix asks for information that has nothing to do with Netflix, that should be clue enough that you're being phished. They put in some effort to avoid detection, but the information request itself will reveal the scam to anyone who has their brain engaged.
  • Honis
    Not true. I just checked my last 20 or so emails from Netflix and all of them have links to Netflix in one form or another. I'm using a PC that has never logged into Netflix, so there isn't a cookie helping things either. Even worse, a few credit unions and banks I've been a part of will also include links (that I never use).

    The only defense to an email phishing scam is to never click on links in emails. Eventually one will come across the inbox that is 100% convincing if you don't scrutinize the links directly. Some scammer figured out I was with Region Bank somehow and kept sending me emails.
  • Sam Hain
    It's amazing how people become drones in front of their computers concerning their personal data, clicking away, typing away and dispensing it without looking and reading in-depth at what's being asked for, by whom and what the purpose behind it is...

    If there's any doubt by an end-user about giving out unsolicited info to a company/service provider of some sort regardless of the medium used (e-mail, phone, mail, etc), common sense (dead animal) says that person should make contact to that company's/service provider's customer service by phone/e-mail and inquire/report it immediately OR block/delete/mark as phishing scam, etc.
  • John_561
    Netflix needs my social security number!!