Netflix users are being targeted by scam emails that lead to a fake login screen for the service, which asks for credit card details after obtaining the user's login information. This phishing scam uses a number of unusual tactics that set it apart from a run-of-the-mill email operation; they help it avoid detection by some spam and scam filtering systems and fool less aware users more easily. Security research firm FireEye, which discovered the scam, has stated that the domains it saw being used are no longer active, though that could simply mean that the scam changes domains to make its origins harder to trace.
The attack flow begins with the email, which asks the user to log in to Netflix to update their membership information. The login screen mimics the real one and looks the part quite well; even the option to log in via Facebook is present. From there, it asks users for a bit more information, like their home address. The requests are spread across a few legitimate-looking pages, culminating in a form asking for the user's credit card information. Once a user has entered all of the requested information and logged in, they're taken to the real Netflix home page.
This scam is unusual in several of the behaviors it employs. For starters, all of the pages used for the phishing attack were hosted on web servers that had been compromised and taken over for the purpose, but that otherwise belonged to legitimate, properly authorized sites and looked the part. Everything on the client side of the attack was encrypted using AES, which made it harder to detect. Finally, the phishing pages were IP-filtered and would refuse to load for a number of larger entities with a hand in internet security, such as Google; those entities get a 404 error instead. Once a victim has submitted their details, the attacker receives them via a PHP-based email system. Though the domains observed by FireEye were inactive, that could simply mean that the domains rotate, so it should be assumed that this scam is still active. Users are advised to be cautious and to log in to Netflix only through the official home page.
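
For defenders, the client-side AES encryption described above leaves a recognizable shape in page source. The following is an added example, not code from FireEye or from the phishing kit. It assumes the encrypted content is delivered as a long base64 string that a script decrypts in the browser, which the article does not spell out; the sample pages, the helper name `decryptAES` and the thresholds are all constructed for illustration.

```python
import base64, hashlib, math, re
from collections import Counter

B64_RUN = re.compile(r"[A-Za-z0-9+/=]{200,}")        # long base64-looking string
DECRYPT_HINT = re.compile(r"\baes\b|decrypt", re.I)   # script text that names decryption
TAGS = re.compile(r"<(script|style)\b.*?</\1>|<[^>]+>", re.S | re.I)

def entropy(s):
    """Shannon entropy in bits per character (base64 of ciphertext is close to 6)."""
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def assess(html):
    """Return (suspicious, reasons); two or more independent signals flag the page."""
    reasons = []
    biggest = max(B64_RUN.findall(html), key=len, default="")
    if biggest and entropy(biggest) > 5.0:
        reasons.append("high-entropy blob")
    if DECRYPT_HINT.search(html):
        reasons.append("decryption referenced in page source")
    visible = " ".join(TAGS.sub(" ", html).split())   # text left once scripts and tags are gone
    if biggest and len(visible) < len(biggest) // 4:
        reasons.append("little static content compared with the blob")
    return len(reasons) >= 2, reasons

# Constructed sample data: pseudo-random bytes stand in for ciphertext.
SAMPLE_BLOB = base64.b64encode(
    b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))).decode()
# decryptAES() is a hypothetical helper name, not taken from the real kit.
ENCRYPTED_PAGE = ('<html><body><script>var data="' + SAMPLE_BLOB +
                  '";document.write(decryptAES(data, key));</script></body></html>')
PLAIN_PAGE = ('<html><body><h1>Sign In</h1><form action="/login" method="post">'
              '<input name="email"><input name="password" type="password">'
              '<button>Sign In</button></form></body></html>')

if __name__ == "__main__":
    for name, page in (("encrypted", ENCRYPTED_PAGE), ("plain", PLAIN_PAGE)):
        print(name, assess(page))
```

Requiring two signals keeps a text-heavy page with one inline base64 image from being flagged, but a page that is almost nothing except an embedded image would still need manual review.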