Fake Netflix Scams Love Free Subscriptions
Netflix phishing scams have been around for years, but researchers warn the public of a newer scam that sends its victims to malicious Netflix-looking sites with TLS certificates.
Transport Layer Security (TLS), the successor to SSL, is an Internet protocol that enables privacy, integrity and protection of data transmitted between different server nodes; a TLS certificate is the credential a site presents for its host name when setting up such a connection. To put it simply, it assures secure web browsing and data transfer.
However, recent phony Netflix sites sidestep that added layer of web security by simply buying a TLS certificate for each Netflix-sounding host name. Examples are netflix.domain.com or netflix.login.domain.com. This simple method is apparently enough to escape the reach of Internet security services and safe-browsing software.
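As an added example (not part of the original article), the following Python sketch shows how a defender could flag host names like the ones above when they turn up in certificate names or proxy logs. It assumes netflix.com is the only official domain and uses a tiny suffix table in place of the Public Suffix List; the function names and sample hosts are constructed for illustration.

```python
# Added example: flag host names that carry a brand name without belonging
# to the brand's own registrable domain. Sample data is constructed.

BRAND = "netflix"
# Assumption: domains the brand itself controls; extend for real use.
OFFICIAL_DOMAINS = {"netflix.com"}
# Assumption: tiny stand-in for the Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "com.br"}


def registrable_domain(host: str) -> str:
    """Return the registrable domain (eTLD+1) using the small suffix table."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def normalize(host: str) -> str:
    """Lower-case and strip the wildcard prefix and trailing dot seen in SANs."""
    host = host.strip().lower().rstrip(".")
    return host[2:] if host.startswith("*.") else host


def is_brand_lookalike(host: str) -> bool:
    """True when the brand string appears in a host outside official domains."""
    host = normalize(host)
    if registrable_domain(host) in OFFICIAL_DOMAINS:
        return False
    return BRAND in host


def flag_hosts(hosts):
    """Return the hosts (as given) that look like brand impersonation."""
    return [h for h in hosts if is_brand_lookalike(h)]


# Constructed sample of host names as they might appear in certificate SANs.
SAMPLE_HOSTS = [
    "www.netflix.com",
    "netflix.domain.com",
    "netflix.login.domain.com",
    "*.Netflix.domain.co.uk.",
    "netflix.com.domain.com",
    "news.domain.com",
]

if __name__ == "__main__":
    for h in flag_hosts(SAMPLE_HOSTS):
        print("suspicious:", h)
```

The check keys on the registrable domain rather than on whether a certificate is present, since a valid certificate only proves control of the host name it was issued for.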
After entering the fake Netflix site, a researcher observed that it is very much like Netflix itself, with only minor omissions noted. “The only modification I can spot is that the alternative login methods like Facebook are missing,” the researcher stated.
Paid Netflix accounts sold on the black market are expectedly cheap, but their particular charm lies in how long an attacker can exploit a compromised account while remaining undetected, as Netflix allows multiple and simultaneous streaming.
Hackers also try to inject a phishing page into legitimate sites, a method commonly referred to as injected phishing. These unfortunate infected legitimate sites support the SSL or TLS protocol most of the time, which adds difficulty on the security side. The most noteworthy difficulty comes when a malicious site tries to hide behind TLS encryption, which is currently popular with Netflix phishing sites.
Netflix has already released a statement urging users to avoid clicking links sent via email. It also asked for users’ cooperation, suggesting that they report suspicious emails to its official website.
Scams such as these aren’t entirely new; in fact, one can dismiss the threat by simply following essential data security etiquette, which every computer user should review once in a while.