A new Netflix phishing attack leverages fake emails from the streaming service to trick users into handing over their credit card credentials. The attack starts when a user receives an email from what appears to be Netflix warning them that they need to update their membership information. You can see that the sender email address, support@onlineorders[.]desk-mail[.]com, has nothing to do with Netflix. So it’s not surprising that clicking on the “Update” link leads somewhere other than the streaming service. In fact, it directs the user to hxxp://see-all[.]norafix[.]com/, a location which immediately redirects them to the subdomain hxxp://account[.]norafix[.]com/ch/customer_center/customer-IDPP00C274/js/?country.x=&locale.x=en_.
That page prompts the user to enter in their Netflix credentials followed by their payment card details.
Once it’s succeeded in stealing that information, the scam confirms that the user’s account is now updated. It then provides them with a link to Netflix’s actual homepage.
So what happens then?
Well, the attacker could abuse the user’s stolen credentials to gain access to Netflix content for free. They could also leverage the credit card information to make fraudulent purchases. But they could also reuse the stolen login details in an attempt to gain access to some of the user’s other accounts.