Phishing pages have become far more convincing and sophisticated than the crude malicious web pages of the past. FireEye Labs previously discovered a phishing campaign targeting the financial data and other personal information of Netflix users, primarily in the United States.
More recently, a phishing scam has lured Netflix users to sites served over HTTPS with valid TLS certificates. The threat actors exploit unpatched installs, vulnerable plugins or weak passwords to compromise content management systems such as WordPress or Drupal, and then host phishing pages on them under hostnames that can be mistaken for real Netflix domains. Because the attacker controls the domain, they can obtain a TLS certificate for a Netflix-themed hostname such as login(dot)netflix-activate(dot)com; the resulting padlock makes the page look legitimate and helps it avoid being flagged by protective browser software. Many of these sites use HTTPS purely to look more convincing, since the certificate costs nothing: they simply obtain a free one from Let's Encrypt.
When phishing pages were still crude, the advice to check for HTTPS was a useful heuristic for deciding whether a site was trustworthy. It no longer is: a domain-validated certificate only proves that whoever requested it controls the hostname, not that the operator is Netflix.
Clicking the padlock to see who issued the certificate and for which hostname could help, but for most users that information would not change their decision in any case.
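To make the point above concrete, here is an added example (not code from the original article or from FireEye) that separates the two checks a browser and a user are actually making: whether the certificate matches the hostname (which is all the padlock tells you) and whether the registrable domain belongs to the brand. The allowlist, the tiny public-suffix table and the sample hostnames are constructed for illustration; a real deployment would use the brand owner's published domain list and the full Public Suffix List.

```python
import re
from urllib.parse import urlsplit

# Assumption for this example: domains the brand actually owns.
LEGIT_DOMAINS = {"netflix.com", "netflix.net"}
BRAND_KEYWORD = "netflix"

# Assumption: a minimal stand-in for the Public Suffix List, just enough
# for the constructed hostnames below.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}


def refang(text: str) -> str:
    """Turn a defanged indicator like login(dot)example(dot)com back into a hostname."""
    return re.sub(r"\((?:dot|\.)\)", ".", text, flags=re.IGNORECASE).replace("hxxp", "http")


def registrable_domain(hostname: str) -> str:
    """eTLD+1 of a hostname: the part an attacker must register to get a cert for it."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def cert_matches_host(hostname: str, san_dns_names: list[str]) -> bool:
    """Hostname matching as a browser does it before showing the padlock:
    exact SAN match, or a single-label wildcard in the left-most position.
    A match says nothing about who controls the domain."""
    host = hostname.lower().rstrip(".")
    for name in san_dns_names:
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]  # e.g. ".netflix-activate.com"
            prefix = host[: -len(suffix)] if host.endswith(suffix) else None
            if prefix and "." not in prefix:
                return True
    return False


def classify(url: str, san_dns_names: list[str]) -> dict:
    """Combine both checks: padlock (cert matches) vs. lookalike (brand keyword
    in a hostname whose registrable domain is not on the allowlist)."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    return {
        "host": host,
        "registrable_domain": reg,
        "padlock": parts.scheme == "https" and cert_matches_host(host, san_dns_names),
        "lookalike": BRAND_KEYWORD in host and reg not in LEGIT_DOMAINS,
    }


if __name__ == "__main__":
    # Constructed samples: the defanged hostname from the article, a real-looking
    # Netflix URL, and a brand-in-subdomain variant on a multi-label public suffix.
    samples = [
        ("https://login(dot)netflix-activate(dot)com/", ["login.netflix-activate.com"]),
        ("https://www.netflix.com/login", ["*.netflix.com"]),
        ("https://netflix.com.account-verify.co.uk/", ["netflix.com.account-verify.co.uk"]),
    ]
    for url, sans in samples:
        print(classify(url, sans))
```

Both phishing hostnames get a padlock because the certificates genuinely match them; only the registrable-domain check catches them. That is the check worth automating in mail and proxy filtering, since users will not perform it by hand.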
Once an unsuspecting user lands on this TLS-certified site, they are told to enter their login credentials and 'update' their payment details so they can keep using their Netflix account. When the harvesting is complete, the page tells the user that their account has been updated and coaxes them to click a button that leads to the real Netflix website. These users remain unaware of any wrongdoing until the threat actors begin making fraudulent transactions with their card details.