Netflix account freeze – don’t click, it’s a scam!
Credit to Author: Paul Ducklin | Date: Fri, 29 Nov 2019 15:06:42 +0000
Another Netflix phishing scam!
We’ve written about these scams before, and we’ll probably write about them again…
…for the sadly simple reason that THEY WORK.
They work because scammers know that the less inventive they are, the more believable their messages become.
It’s also a lot less effort to copy genuine content and adapt it just a little than to try to create your own material from scratch.
That’s what Naked Security Editor-in-Chief, Anna Brading, thought when she received this scam yesterday:
Sadly for the crooks, and fortunately for anyone who received this scam, the tiny bit of text that the criminals decided to write by themselves contains several rather jarring errors.
For the most part, however, this email is disarmingly simple, and therefore surprisingly believable, for all that it’s given away by typos, grammatical mistakes and orthographic errors.
It’s not overly dramatic, it’s not threatening, and it’s polite.
It’s the sort of thing that might easily happen from time to time – a recurring credit card transaction that’s temporarily failed – and that in real life is usually pretty easy to sort out.
Indeed, it’s the sort of glitch you’ve probably dealt with once or twice before, and that you may well have resolved entirely online without even leaving your browser.
Of course, even if you missed the spelling mistakes (a genuine retailer or cloud service is unlikely to mis-spell the word invoce, which should be invoice), the link would be a giveaway – this one uses a URL shortening service, but with an HTTP (insecure) URL instead of HTTPS.
Nevertheless, if you clicked without taking a moment to check it, you would end up redirected to a surprisingly believable page that is hosted on a website with a valid HTTPS certificate:
Sure, you’re not on a netflix.com web page, which is an obvious indicator that this is a scam, but the crooks have disguised the actual server they’re on by using a domain name that starts with a 32-character hexadecimal string.
The long, random starting text in the URL shoves the final part of the domain name off to the right far enough that your browser probably won’t have enough space to show it.
The domain used in this attack was only registered on 2019-11-17, and the web certificate was created yesterday, so the site was probably set up specially for this scam, perhaps along with a bunch of others.
Remember that once you have acquired a domain name such as example.com, you’ve also acquired the right to create as many subdomains beneath it as you like. For example, we own sophos.com, so we automatically own and can use nakedsecurity.sophos.com, news.sophos.com, shop.sophos.com and so on, as well.
As you can see, we try to make our subdomains descriptive so they’re easy to find and remember, but crooks can go the other way, creating unmemorable, unexceptionable subdomain names that are, and look as though they are, machine generated. Many of the genuine web links we use these days – notably those generated by Google’s search engine – include long and random-looking components, so we’re conditioned to accept them when they show up.
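As an added illustration (not part of the original article), here is a small Python triage helper that checks a link for the giveaways described above: an HTTP rather than HTTPS link, a host whose registrable domain is not netflix.com, a machine-generated 32-hex-character subdomain label, a hostname long enough to push the real domain out of view, and a domain registered only days before the email arrived. The sample URL, the 40-character length threshold and the two-label approximation of the registrable domain are assumptions; the registration and receipt dates are the ones the article gives.

```python
import re
from datetime import date
from urllib.parse import urlsplit

# Constructed sample URL (not the real scam's host): a 32-hex-character
# label in front of the registrable domain, the trick the article describes.
SAMPLE_URL = "https://0123456789abcdef0123456789abcdef.example-host.net/netflix/login"
SAMPLE_REGISTERED = date(2019, 11, 17)   # registration date given in the article
SAMPLE_SEEN = date(2019, 11, 28)         # "yesterday" relative to the article's date
EXPECTED_DOMAIN = "netflix.com"
HEX_LABEL = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)


def registrable_domain(host):
    """Approximate eTLD+1 as the last two labels (assumption: fine for .com/.net
    style hosts; a production tool would consult the Public Suffix List)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def phishing_indicators(url, expected_domain=EXPECTED_DOMAIN,
                        registered=None, seen=None, max_age_days=30):
    """Return the red flags found for a link that claims to belong to expected_domain."""
    parts = urlsplit(url)
    host = parts.hostname or ""            # urlsplit lowercases the hostname
    flags = []
    if parts.scheme != "https":
        flags.append("insecure-scheme")    # the email link used plain HTTP
    if registrable_domain(host) != expected_domain:
        flags.append("wrong-domain")       # not a netflix.com page at all
    labels = host.split(".")
    if any(HEX_LABEL.match(label) for label in labels[:-2]):
        flags.append("hex-subdomain")      # machine-generated 32-character label
    if len(host) > 40:
        flags.append("overlong-host")      # real domain likely scrolled off-screen
    if registered and seen and (seen - registered).days <= max_age_days:
        flags.append("newly-registered")   # domain set up shortly before the campaign
    return flags


def is_suspicious(url, **kwargs):
    """True when at least one indicator fires; useful as a quick inbox-triage filter."""
    return bool(phishing_indicators(url, **kwargs))
```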
Of course, if you are in a hurry, and don’t take a few moments to look for the obvious clues, you might easily end up entering your password – by which time it’s already too late, because the form submission button uploads it to the crooks, not to Netflix.
If you still don’t spot the deception (we’re hoping you wouldn’t have got this far!), then the phishing continues, taking you via this page…
…to one that asks directly for your card details:
Ironically, these crooks would probably have been better off skipping the intermediate page that starts, “Dear friend,” because it’s awash with telltale signs of bogosity.
Errors you should spot for yourself include spelling mistakes, poor grammar, and a mixup with languages (there’s a link in the middle of an otherwise all-English page that mysteriously offers to sell you a gift card in French).
What to do now?
Here’s what you need to know about this particular scam:
- If you deleted the original email without clicking anything, you did the right thing. The crooks have tried and failed, so you win.
- If you clicked through to the fake login page but bailed out without entering anything, you’re also safe.
In general, it’s best not to click through at all, in case the site tries to sneak malware onto your computer using some sort of browser bug, or exploit. Fortunately, browser exploits are hard to come by these days, and this particular attack won’t do you any harm if you click through by mistake but close the offending web page immediately without clicking or typing anything in it.
- If you went as far as trying to log in on the bogus site, the crooks know your password. Get yourself to the genuine Netflix login page as soon as you can and change your password.
- If you gave away your credit card details, the crooks know those too. Call your bank as soon as you can to cancel your card. (Look on the back of your actual card for the number to call, for safety’s sake!)
- If you think your card was compromised, keep a close eye on your statements. You should keep your eye on your financial records anyway, but you might as well step up your scrutiny after a security scare of this sort.
What to do next?
Given that today is Black Friday, which is by all accounts the biggest, boldest and baddest retail day of the year in North America, here are three general tips that we urge you to adopt if you haven’t already:
- Never log in via web pages that show up in an email. If you always find your own way to login pages, for example via a bookmark or your password manager, then you never have to worry whether a login link is phishy or not, because you won’t be clicking it anyway!
- Use a password manager. Your password manager won’t put your Netflix password – or, indeed, any password – into a bogus site for the simple reason that it won’t recognise the site and won’t have a password to submit in the first place.
- Measure twice, cut once. The scam above has plenty of giveaways, including obviously fake URLs; the use of HTTP instead of HTTPS in the email; and spelling errors. Getting scammed is bad enough without the pain of realising afterwards that all the signs were there for you to spot easily, but you were in too much of a hurry to stop and check.