Massive Phishing Campaign in Brazil Targeting Netflix Users

• Netflix users in Brazil are receiving phishing email messages that inform them about account problems.
• The recipient is urged to click on the embedded buttons that point to phishing domains.
• Once the victims land there, the actors ask for Netflix account credentials and credit card information details.

With billions of people “staying home,” it is only natural for streaming platforms like Netflix to be on fire right now. Crooks know that very well, and they are ramping up their efforts to scam people who are holding on to their precious in-house entertainment. Bitdefender has been following the activity of phishing actors in Brazil, and their report shows that there’s a burst of spam mail distributed to tens of thousands of people in the country. In total, from March 18 until March 23, 2020, actors have sent 183,807 phishing messages to random individuals.

Source: Bitdefender

Considering that there are approximately 128.5 million Brazilians who have access to the internet and that 11 million of them are active Netflix subscribers, the number of phishing messages is high enough to ensure that a significant portion will reach valid targets. Their content claims that users need to update their credit card information because Netflix detected “some inconsistencies” with their accounts. The layout uses the official logo and color theme so that it looks like it really came from the streaming giant. Even the “About” section on the footer of the email has been copied directly from Netflix.

Source: Bitdefender

The targeted subscriber is even threatened with a blocking action, so inside the email, there is a link to "help them resolve the issue." The links point to: ‘hxxps://index1-atualizar-cadastro.joomla.com/index1’, and ‘hxxps://br-sec-series.joomla.com/acesso/br,’ which are obviously not part of the official Netflix portal. Another email that also looks legitimate goes a bit further, claiming that the subscriber’s Netflix account has already been suspended. The recipient is urged to take action (click on link) to re-activate their account, while the landing domain is ‘hxxps://br-sec-series.joomla.com/acesso/br.’ On the above phishing pages, the visitors are requested to enter their Netflix account credentials and then to “update” their credit card information. In the first case, the sender is ‘jasmin.becken@,’ while in the second message, the sender is ‘samsammy@.’

Source: Bitdefender

That said, the signs of fraud are evident, and any success that this campaign may have is based on the lack of composure from the recipient’s side. While the scam presented above is nothing but new and has been happening all over the world in the last years, one golden rule remains the same: whenever you receive messages from any platform, you should visit the official website of that platform directly and then check if your account has any alerts that need your attention. Never click links contained in an email or SMS, and never believe anything that is claimed in the messages no matter how genuine they may look. Finally, you should pick up and install a network security solution that could help you identify phishing attempts and even stop you when trying to visit fraudulent domains.