We’ve seen a 78% increase in email impersonation attacks involving Netflix since October. Attackers are using a mix of obfuscation techniques to evade email security and social engineering to trick recipients into parting with their credentials. Here’s everything you need to know about the scam, including what the emails look like, how they work, and how you can protect yourself.
Quick attack summary
- Vector and type: Email phishing
- Techniques: Brand impersonation
- Payload: Phishing link to harvest credentials
- Targets: Organizations in North America and the UK
- Platform: Microsoft 365
- Bypassed secure email gateway: Yes
The attackers are using an extensive arsenal of invisible and lookalike Unicode characters in an attempt to bypass natural language processing (NLP) scanning. We’ve also noticed that over half (52%) of these emails mention Netflix’s new ad-tier membership package as a hook to get the recipient to interact with the phishing payload.
What the attacks look like
Attacks referencing the new ad-tier package use language that suggests a recipient’s subscription has been downgraded, so they’ll be watching Netflix with ads moving forward. The hope is that recipients will be annoyed and act quickly to rectify the “mistake” with their account. After clicking the link in the phishing email, the recipient is taken to a phishing webpage where they’re asked to enter their login details, which the attackers will harvest and aim to sell on the dark web in large quantities.
The content of the email is designed to make people act quickly and ignore potential signs of phishing. And as you can see from one of the examples we caught, they’ve used Netflix’s logo and brand colors to make the email look legitimate at first glance.
The attackers have also used several obfuscation techniques to evade email security and give their phishing emails the best chance of ending up in a recipient’s inbox. They’ve used very rare Unicode characters that the linguistic engines of many secure email gateways (SEGs) are unable to pick up on.
Netflix impersonation phishing email on mobile
Unicode obfuscation to get through secure email gateways
Unicode is a standard that assigns a unique number, called a code point, to every character in most of the world’s writing systems; encodings such as UTF-8 then turn those numbers into bytes for transmission and storage.
This is what lets browsers and mail clients display international text – but it can also be used for visual spoofing, by picking characters from other scripts that look identical to Latin letters so that a fake URL looks legitimate. For example, an attacker could register the phishing domain ‘xn--pple-43d.com’, which decodes to ‘аpple.com’ – the first letter is the Cyrillic ‘а’ (U+0430), not the Latin ‘a’. This is known as a homograph attack.
In the Netflix impersonation emails we analyzed, we counted 16 different Unicode characters (not including lookalikes), used alongside other techniques such as breaking up words with non-printing spacing characters. Outlook on the web and most smartphone mail clients decode the message as UTF-8, so these characters render exactly as the attacker intended and usually go unnoticed by the human eye.
In the examples below, you can see the same phishing email displayed in different ways. In Outlook on the web, as with the mobile example shown previously, it renders perfectly. In Outlook Desktop, however, the lookalike characters and invisible Unicode characters become visible. This is because Outlook Desktop rendered the message with a legacy Hebrew “charset” (ISO-8859-8-I) rather than UTF-8, so the multi-byte sequences are not displayed in the way the attacker intended.
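The checks below are an added example, not Egress’s own detection code, covering the three things described above: the invisible and lookalike Unicode characters, the Punycode homograph domain, and why Outlook Desktop’s charset choice makes the hidden characters visible. The sample message, the function names (`analyse`, `normalise`, `decode_homograph`, `render_as`) and the partial `CONFUSABLES` table are all constructed for this illustration; a production engine would use the full Unicode confusables data rather than a hand-written map.

```python
import unicodedata

# Constructed sample in the style of the emails described above (not a real
# capture): Cyrillic lookalikes for e/o, zero-width characters inside words,
# and a non-breaking space between sentences.
SAMPLE = ("Yo\u200bur Pr\u0435mium subscripti\u043en has expir\u0435d.\u00a0"
          "Sign in to Net\u200cflix to restore your plan.")

# Zero-width and joiner characters that attackers insert mid-word; the rest of
# the invisible set comes from the Unicode general category "Cf" (format).
EXTRA_INVISIBLE = {"\u00ad", "\u034f", "\u180e", "\u200b", "\u2060", "\ufeff"}

# Partial, hand-written map (an assumption for this example) of Cyrillic and
# Greek letters that render like Latin ones.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u0410": "A", "\u0415": "E", "\u041e": "O", "\u0420": "P", "\u0421": "C",
    "\u0425": "X", "\u03bf": "o", "\u03b1": "a", "\u0392": "B", "\u039d": "N",
}


def is_invisible(ch):
    """True for format/zero-width characters a human reader never sees."""
    return ch in EXTRA_INVISIBLE or unicodedata.category(ch) == "Cf"


def script_of(ch):
    """Crude script tag taken from the character name: LATIN, CYRILLIC, GREEK..."""
    if not ch.isalpha():
        return None
    return unicodedata.name(ch, "UNKNOWN").split(" ", 1)[0]


def normalise(text):
    """Strip invisibles, fold exotic spaces to ASCII space, map lookalikes."""
    out = []
    for ch in text:
        if is_invisible(ch):
            continue
        if unicodedata.category(ch) == "Zs":   # NBSP and other odd spaces
            out.append(" ")
            continue
        out.append(CONFUSABLES.get(ch, ch))
    return unicodedata.normalize("NFKC", "".join(out))


def analyse(text):
    """Return the obfuscation indicators plus the text an NLP filter should score."""
    invisible = [(i, "U+%04X" % ord(ch)) for i, ch in enumerate(text)
                 if is_invisible(ch)]
    mixed = []
    for word in text.split():          # str.split() also splits on NBSP
        scripts = {script_of(ch) for ch in word} - {None}
        if len(scripts) > 1:           # Latin word with Cyrillic/Greek inside
            mixed.append(word)
    return {"invisible": invisible, "mixed_script_words": mixed,
            "clean": normalise(text)}


def decode_homograph(domain):
    """Turn Punycode labels (xn--...) back into the Unicode a browser would show."""
    labels = []
    for label in domain.split("."):
        if label.lower().startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)


def render_as(text, charset="iso8859_8"):
    """What a client sees when it decodes the UTF-8 body with another charset.
    Python has no separate ISO-8859-8-I codec; the -I variant differs from
    ISO-8859-8 only in bidi handling, not in the byte-to-character table."""
    return text.encode("utf-8").decode(charset, errors="replace")


if __name__ == "__main__":
    report = analyse(SAMPLE)
    print("invisible:", report["invisible"])
    print("mixed-script words:", report["mixed_script_words"])
    print("clean:", report["clean"])
    print("homograph:", decode_homograph("xn--pple-43d.com"))
    print("outlook view:", repr(render_as("Net\u200cflix")))
```

Running `analyse` over the sample reports two zero-width characters and three words that mix Latin and Cyrillic letters, and hands back the plain text “Your Premium subscription has expired. Sign in to Netflix to restore your plan.” – the string the attacker wanted the human to read but the linguistic engine to miss. `render_as` shows the Outlook Desktop effect: the three UTF-8 bytes of a zero-width non-joiner become three visible characters once decoded as ISO-8859-8, which is exactly why the hidden characters appear in that client.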
Netflix impersonation phishing email displayed on Google Chrome
Netflix impersonation phishing email displayed on Outlook desktop
An example from Outlook on desktop, where the Unicode characters have not displayed as the attacker intended.
When analyzing these Netflix phishing emails, we found a number of different subject lines crafted to make people act quickly and respond to a situation right away. The most popular ones claimed there was an issue with a person’s account: either it had been cancelled or it had been downgraded to a package with ads. Others offered money-off deals to entice people into a bargain during the cost of living crisis.
Here are some of the subject lines we saw:
- “Your Premium subscription has expired ID: 25434325”
- “Netflix : We're having some trouble with your current billing information”
- “Get Unlimited Membership for $0.99”
- “Netflix Cancellation Confirmation”
Display name spoofing and sender address impersonation
Attackers were also using several different Unicode characters in the display name. These are some of the common display names we’ve seen:
- “Help Center”
- “Help Desk”
However, if someone were to hover over the spoofed display name, they would see an unusual from address. We’ve uncovered lots of different addresses sending Netflix impersonation emails – here are a few example domains we’ve picked out:
Egress analysis: Social engineering and obfuscation
Attackers capitalizing on current events is nothing new. Many Netflix subscribers will be aware of the introduction of a new ad-tier package, as well as widespread reports of the company changing the rules on account sharing with people outside your home. People therefore won’t be overly surprised to see an email from Netflix about one of these topics in their inbox.
Likewise, we’ve seen plenty of recent examples of attackers exploiting the cost of living crisis. Netflix is a monthly outgoing for 223 million people, so attackers can cast an extremely wide net in the hope they catch recipients out with fake emails regarding issues with their payments or money-saving deals.
In terms of the technicalities of this attack, obfuscation techniques that avoid the basic linguistic checks of SEGs were the key tactic. To avoid detection, attackers spend a lot of time automating obfuscation techniques in their toolkits. Essentially, they want the user to see something different from what the machine sees. In this case they exploited Unicode, but there are other methods.
Other obfuscation techniques include trying to break up the text with non-identifiable characters, white on white text, and using characters from different languages to break the NLP’s perception as much as possible. For example, using two V characters next to one another will be read as two Vs by a machine. But to a person skim-reading, VV looks a lot like W.
NLP is all about understanding the way people communicate and building models out of it – which is very valuable for email security. SEGs do some linguistic checks, but the Unicode characters used in these phishing emails are unusual enough that they can easily be overlooked when scanning emails. More advanced email security solutions evaluate both the content and the context of an email, providing a broader range of information to distinguish between malicious and benign content.
Steps you can take
For individuals, these attacks once again highlight the importance of good password hygiene. Even if someone were to have their credentials harvested as part of this scam, the damage would be limited if they had been using a password manager with strong, unique passwords for each separate account. The concern for organizations is if an employee has their credentials harvested and uses the same, or very similar, passwords for their work accounts.
Both organizations and individuals also need to be aware how attackers weaponize the 24-hour news cycle to generate new, targeted attacks. Yes, there’s a chance Netflix could be making legitimate contact – but there’s also a chance cybercriminals are exploiting a news event. Regulatory bodies and government agencies routinely highlight these trends, and organizations can proactively include them in their security awareness messaging.
This attack also proves the importance of organizations arming themselves with anti-phishing technology to detect advanced phishing attacks directly within people’s inboxes, so recipients are alerted to attacks that are specifically engineered to evade detection by SEGs. These attacks are sophisticated and you can’t just rely on training and the human eye.
The best email security products can not only detect these obfuscation techniques but feed them back into their machine learning models – they are able to benefit from attackers trying to be clever.