The email hits your inbox with an urgent warning: Your Netflix account has been suspended, due to a problem with your billing information. It offers a link, which takes you to what looks very much like a Netflix landing page. It's not. Instead, it's a phishing scam that collects extensive personal data on victims. But as with all of the most pernicious phishes, the problem with the Netflix phish isn't just its convincing look—it's that whoever's behind it has found new ways to bypass spam filters over and over again.

While the Netflix phish has garnered recent headlines, it dates back at least to January, when threat researchers at the security firm FireEye first detected it. It prompts victims to type in their username and password, and then presents a form to update their billing information (things like full name, date of birth, address, and phone number). After that, another form asks them to validate their payment method by entering their credit card info. Some versions of the phish even ask for a Social Security number.

Deep Deception

As with many social engineering attacks, its outward simplicity helps ensnare potential victims. Underneath that exterior, though, researchers who have tracked the campaign say that it uses a clever combination of defense measures to make it harder for spam filters, antivirus programs, and phishing scanners to flag.

Richard Hummel, the manager of technical analysis at FireEye, says that he still sees attackers using some of the same subject lines for Netflix phishing emails that they did almost a year ago. "They’re not even varying their tactics all that much," he says. "What they’re doing is working, it’s successful. Netflix is still one of the common themes that's used for credential theft. It's definitely something that’s still ongoing—steady and recurring."

While the Netflix phish is outwardly straightforward, it does include a lot of clever touches. It replicates a lot of the HTML Netflix uses on its actual website, to make the fake pages look as genuine as possible. The login pages even include autofilling backsplashes that promote Netflix original content. The phishing emails also use a template system, to personalize the messages by autofilling each victim's name at the beginning.


The evasive maneuvers go even deeper. Some versions of the campaign encrypt user-side HTML in the phishing pages, so scanners can't inspect the code for malicious components. The phishing pages also have a defense in place where they won't load for IP addresses that trace back to known internet security monitoring groups, like Google, or the anti-phishing initiative PhishTank. All of this makes it easier for phishers to run the Netflix scam again and again, because their infrastructure hasn't been flagged on security and spam blacklists.
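A defender-side check for the first of those evasions, added here as an example and not code from FireEye, PhishMe or the campaign itself: it flags a page whose source is dominated by one high-entropy string literal that a script decodes and writes into the document at runtime, which is what "encrypted" user-side HTML looks like to a scanner that only sees the raw response body. Both sample pages and the thresholds are constructed for the example.

```python
import base64
import math
import re

# Added heuristic (not FireEye's or PhishMe's tooling): a page whose visible source is
# mostly one opaque string that is decoded and written at runtime hides its real
# markup from any scanner that pattern-matches the response body.
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
LITERAL_RE = re.compile(r"(['\"])(.*?)\1", re.S)
DECODE_SINKS = re.compile(r"\b(atob|unescape|decodeURIComponent|eval|document\.write|String\.fromCharCode)\b")

def shannon_entropy(s: str) -> float:
    """Bits per character; base64/hex blobs score far above natural HTML."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def analyze_html(html: str) -> dict:
    """Return the evidence and a verdict on whether the markup is hidden behind a blob."""
    scripts = SCRIPT_RE.findall(html)
    literals = [m.group(2) for s in scripts for m in LITERAL_RE.finditer(s)]
    longest = max(literals, key=len, default="")
    sinks = sorted({m.group(1) for s in scripts for m in DECODE_SINKS.finditer(s)})
    blob_ratio = len(longest) / max(len(html), 1)  # share of the page that is one literal
    entropy = shannon_entropy(longest)
    # thresholds are constructed for this example; tune them against your own corpus
    verdict = blob_ratio > 0.5 and entropy > 4.0 and bool(sinks)
    return {"blob_ratio": round(blob_ratio, 2), "blob_entropy": round(entropy, 2),
            "decode_sinks": sinks, "encrypted_markup": verdict}

# Constructed samples: a plain credential form, and the same form shipped as a base64
# blob that the browser decodes and writes, leaving a scanner nothing to match on.
PLAIN_PAGE = (
    '<html><body><form action="/login" method="post">'
    '<input name="email"><input name="password" type="password">'
    '<input name="card_number"><button>Continue</button></form></body></html>'
)
BLOB = base64.b64encode(PLAIN_PAGE.encode()).decode()
OBFUSCATED_PAGE = (
    "<html><body><script>document.write(atob('" + BLOB + "'));</script></body></html>"
)

if __name__ == "__main__":
    for name, page in (("plain", PLAIN_PAGE), ("obfuscated", OBFUSCATED_PAGE)):
        print(name, analyze_html(page))
```

The IP-based evasion described above is not visible in the page body at all, so a check like this only helps when the scanner fetches from an address the phishers have not blocklisted.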