Phishers Bait Hooks for Netflix, Amex Users

Cybersecurity experts at Microsoft’s Windows Defender Security Intelligence Team this week reported their discovery of two new email-based phishing campaigns. One targets Amex (American Express) users while the other targets Netflix customers. Both campaigns reportedly are very well-crafted, featuring legitimate logos and even fill-in forms that closely mimic those on the respective company’s own websites.

It isn’t clear if these campaigns are being orchestrated by the same group, but each was launched last weekend, and each cast a wide net. The Windows Defender Intelligence Team has advised all computer users to be especially vigilant in the coming days and weeks.

Phishing attacks have increased not only in sophistication, but also in frequency. Upwards of 20 percent of phishing email recipients were convinced that the messages were legitimate and clicked on the redirecting links, according to Microsoft’s security experts, who noted there was a 250 percent increase in such attacks last year.

Getting Very Personal

The recent attacks both warned of account issues, a common tactic with phishing scams. Amex customers have been receiving a “Notice Concerning Their CardMember Account,” which claims that they need to go through a reauthentication process for security reasons. The message urges users to download and fill out an attached form. Based on reports, the form itself doesn’t contain a virus but rather asks for highly personal information such as mother’s maiden name, birth dates, PIN for the card, and even first elementary school.

The Netflix phishing attack warns users that their “account is on hold because of a problem with their last payment,” and as with the spoofed Amex emails, the messages feature the actual Netflix logo. A link directs users to a “Billing Information” form that requests full credit card numbers including PIN, as well as Social Security numbers and other personal details.

What is notable about these respective emails and forms is how convincing they appear, including correct grammar and spelling — an indication that the criminals responsible took the time to copy edit the content to eliminate the usual telltale typos. About the only notable giveaway with the Amex email is that it features capital letters following commas — something that some users might not immediately recognize as a grammatical error.
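The lure characteristics described above (an account-problem pretext, a form asking for PINs, Social Security numbers, mother’s maiden name and the like, and the stray capital letters after commas) can be turned into a simple triage heuristic for a mail gateway or an analyst’s inbox review. The following Python script is an added example for this article, not code from Microsoft or from any of the vendors quoted; the sample messages it scans are constructed here and are not the actual campaign emails. The indicator lists and the two-indicator threshold are assumptions chosen for illustration, and the capital-after-comma check is deliberately treated as a weak signal because proper nouns after a comma (“, Netflix”) look identical to the grammatical slip.

```python
import re

# Pretexts that the article reports for the two campaigns (constructed list).
LURE_PHRASES = [
    "account is on hold",
    "problem with your last payment",
    "reauthentication",
    "notice concerning your cardmember account",
]

# Fields that a legitimate billing or re-verification page would not ask for by email.
SENSITIVE_FIELDS = [
    "mother's maiden name",
    "pin",
    "social security",
    "first elementary school",
    "date of birth",
]

# A comma, whitespace, then a capitalised word: the Amex giveaway. Weak signal on its own.
CAP_AFTER_COMMA = re.compile(r",\s+[A-Z][a-z]")


def phishing_indicators(subject: str, body: str) -> list[str]:
    """Return the list of lure indicators found in one message."""
    text = f"{subject}\n{body}"
    lower = text.lower()
    found = []
    if any(p in lower for p in LURE_PHRASES):
        found.append("account-issue lure")
    asked = [f for f in SENSITIVE_FIELDS if re.search(rf"\b{re.escape(f)}\b", lower)]
    if asked:
        found.append("requests sensitive data: " + ", ".join(asked))
    caps = CAP_AFTER_COMMA.findall(text)
    if len(caps) >= 2:  # require repetition so a single proper noun does not trigger it
        found.append(f"capitalised word after comma x{len(caps)}")
    return found


def is_suspicious(indicators: list[str]) -> bool:
    """Assumed triage rule: two independent indicators are enough to hold a message for review."""
    return len(indicators) >= 2


# Constructed sample messages modelled on the article's description; not the real emails.
SAMPLES = {
    "amex_lure": (
        "Notice Concerning Your CardMember Account",
        "Dear Cardmember, For security reasons, We need you to complete the "
        "reauthentication process. Please download the attached form and provide "
        "your mother's maiden name, Date of birth and card PIN.",
    ),
    "netflix_lure": (
        "Your account is on hold",
        "We had a problem with your last payment. Please update your Billing "
        "Information and confirm your card number, PIN and Social Security number.",
    ),
    "benign": (
        "Your monthly statement is ready",
        "Hello, your statement for March is now available in your account. "
        "Sign in from our website, not from this email, to view it.",
    ),
}


def analyse_samples() -> dict[str, list[str]]:
    """Run the heuristic over every constructed sample and return name -> indicators."""
    return {name: phishing_indicators(subj, body) for name, (subj, body) in SAMPLES.items()}


if __name__ == "__main__":
    for name, indicators in analyse_samples().items():
        verdict = "HOLD" if is_suspicious(indicators) else "pass"
        print(f"{name:13s} {verdict:4s} {indicators}")
```

The benign statement notice passes because it mentions no account problem, asks for nothing sensitive, and its comma-following words are lowercase; the two lures each trip at least two indicators. In a production filter this logic would sit beside, not replace, sender authentication and URL reputation checks, which the article does not cover.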

Casting a Wide Net

Phishing scams tend to be rather low-tech in nature, a fact that has remained true since they first showed up on Usenet newsgroups nearly 25 years ago. Even with constant reminders from companies and security experts not to trust such emails, many people still fall victim to these attacks.

“The average consumer is not trained to think of emails in terms of the potential threat they might contain, unless they’ve been similarly compromised before,” observed Colin Little, senior threat analyst at Centripetal Networks.

“We see Microsoft is demonstrating that they are continually trying to develop ways to stop these threats,” he told TechNewsWorld.

Also worth noting is not only the scale of the attacks, but “also the context of the attack — taking place during an overall increase in the phishing threat landscape,” said Little.

“We continue to see these types of attacks because they’re effective,” observed Francis Dinha, CEO of OpenVPN.

“Plus, these attacks target humans over tech. That is, a hacker doesn’t have to be a tech wizard to carry it out — they just need to be able to trick the reader into clicking on a link or filling out a form,” he told TechNewsWorld.

“It takes very little tech expertise to do that, because it’s more of a personal con than a technical assault,” Dinha explained. “People have been trying to trick each other out of resources since humanity began; we just have modern tools to do so more effectively now.”

Beyond Amex and Netflix

At present, it isn’t clear if this attack was sent only to actual “known” customers of Amex and Netflix or if a much wider net was cast.

“Potentially, we’ll never know for sure, but that would tell us whether the attackers are using information from some prior breach to focus the effort,” noted Jim Purtilo, associate professor in the computer science department at the University of Maryland.

“Sending a fake Netflix notice of account suspension to people who aren’t Netflix customers is probably not very productive,” he told TechNewsWorld.

“On the other hand, so many people are Netflix customers that an attacker has statistics on his or her side, and a random mail blast to a zillion collected names will score hits,” Purtilo added.

The attackers also have economics on their side.

“Sending a malicious mail blast is basically free for them,” said Purtilo. “Phishing is a low-overhead business that profits with the very first hapless user to respond. If the volume of phishing attempts has gone up in the last year, then that tells us it is also mostly free of legal costs. Officials just aren’t keeping up.”

Cutting the Net

The best defense against phishing attacks is awareness, but this is also one of those rare situations where literally doing nothing is the best course. Don’t open the email, don’t respond — just ignore it.

“Education has to be the No. 1 strategy for users across the board,” said OpenVPN’s Dinha.

“Consumers need to educate themselves, and companies need to educate their workforce and stakeholders,” he suggested.

All too often these attacks work because users haven’t thought to question what they’re reading, but education on cybersecurity risks teaches us to stop and question, said Dinha.

“If you’ve never heard of someone experiencing the consequences of a phishing attack, then you might assume it’s less likely to happen to you or not that dangerous,” he suggested. “But the more educated you are on what exactly can happen and how, then the more likely you are to be on alert for attacks like this. This education has to go beyond the obligatory warning to consumers — it has to be an in-depth explanation of and understanding around the cybersecurity risks we’re facing.”

Low-Hanging Fruit

Phishing scams are effective for the criminal groups because, unlike other attacks, they don’t require very sophisticated skills. Apart from crafting an official-looking email and spoofed website, no other technical expertise is required.

In fact, it probably isn’t apt to describe the perpetrators as “cybercriminals” or “hackers,” as they are more like con artists. The phishing scams work because people are fooled into supplying information, not because someone broke into a system. This is why these attacks are unlikely to go away. Even if most people delete the email from a phishing campaign, a few individuals will believe it.

“Unfortunately, we will continue to see these types of phishing attacks on consumers as long as they continue to fall for them,” said Jo O’Reilly, cybersecurity advocate at

“These types of attack are a numbers game; even if only a handful of those targeted respond, then the hackers have still seen their efforts pay off,” she told TechNewsWorld.

“The best way for consumers to protect themselves from phishing is to ensure they never enter personal or financial details via a link contained within an email, even an official-looking one,” O’Reilly


“Instead, they should always open a new browser window in order to sign into any online account, whether it is Netflix, Amex or any other service, before inputting their password or any other personal information,” she advised.

The good news is that security experts are closely monitoring the situation and bringing greater awareness to phishing efforts.

“This latest story shows us that Microsoft’s cloud protections are attempting to do more and more to proactively protect the accounts of their users from receiving these phishing emails,” said Centripetal Networks’ Little. “However, it is in the nature of cybersecurity that the more innovative we are at detecting threats, the more innovative and evasive the bad guys will be — I liken it to the Tom and Jerry


Peter Suciu has been an ECT News Network reporter since 2012. His areas of focus include cybersecurity, mobile phones, displays, streaming media, pay TV and autonomous vehicles. He has written and edited for numerous publications and websites, including Newsweek, Wired and
