A Netflix phishing scam has been identified and users in the United States are being cautioned about an email that targets credit card information and other personal data. A California-based cyber-security firm recently identified a phishing email campaign affecting the popular video streaming service’s customer base. This latest attack is just another example of how important it is to scrutinize any email from anyone, including large trusted companies, that asks you to click a link contained in the email for the purpose of entering or updating personal information or credit card payment information.
How the Netflix Phishing Scam Works
The scam is disguised as an email from Netflix asking the user to update their membership details by clicking a link in the email body. Unsuspecting Netflix subscribers who click the link are redirected to a fake site that mimics the appearance of the real Netflix login page. Users who are none the wiser enter their login credentials and are then directed to pages that request personal information. This includes the user’s name, date of birth and address, and credit card payment information, including credit card type, card number, expiration date, name on the card, the cardholder’s social security number, and the card’s security code.
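The lure in this scheme is a link whose visible text or branding says "Netflix" while the destination is a site the attacker controls. The following added example (not code from the original post or from Netflix) shows the kind of check a mail filter or a security-aware reader can apply: it parses the anchors in an email body and flags links whose host is not under the expected brand domain, links whose visible text names the brand while the href goes elsewhere, and links to bare IP addresses. The sample email body is constructed for the example; the `.example` hostname and the `203.0.113.7` address are documentation placeholders, not addresses from the real campaign.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample email body (not from the real campaign): one genuine
# Netflix link, one lookalike whose visible text claims netflix.com, and one
# link to a bare IP address.
SAMPLE_EMAIL_HTML = """
<p>Your membership details need updating.</p>
<a href="https://www.netflix.com/account">Manage account</a>
<a href="https://netflix.com.account-verify.example/login">https://www.netflix.com/update</a>
<a href="http://203.0.113.7/nf/login">Update payment method</a>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last-two-labels approximation of the registrable domain.

    Adequate for .com-style brand domains; a public-suffix list is the
    correct tool for multi-label suffixes such as co.uk.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def _is_ip_literal(host):
    parts = host.split(".")
    return len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)


def classify_link(href, text, expected_domain):
    """Return the reasons a link looks like a phishing lure, or [] if none."""
    reasons = []
    host = urlsplit(href).hostname or ""
    if not host:
        return ["no host in href"]
    if _is_ip_literal(host):
        reasons.append("href host is a bare IP address")
    elif registrable_domain(host) != expected_domain:
        reasons.append(f"href host {host!r} is not under {expected_domain}")
        if expected_domain in host:
            # e.g. netflix.com.account-verify.example: brand used as a subdomain label
            reasons.append("brand name embedded in a foreign hostname")
    # Visible text that names the brand while the href points somewhere else
    if expected_domain in text.lower() and registrable_domain(host) != expected_domain:
        reasons.append("link text names the brand but href points elsewhere")
    return reasons


def suspicious_links(html, expected_domain):
    """Scan an email body; return [(href, reasons)] for links that fail the checks."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        reasons = classify_link(href, text, expected_domain)
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL_HTML, "netflix.com"):
        print(href)
        for reason in reasons:
            print("   -", reason)
```

The check is deliberately conservative: it only compares the link target against one expected brand domain, so a genuine `www.netflix.com` link passes while the lookalike and the IP-literal links are reported. It does not follow links, so it can run on quarantined mail without touching attacker infrastructure.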
From this kind of data, a hacker could make fraudulent credit card purchases online, open lines of credit in a victim’s name, sell the victim’s data and credit card information, and much more. With how much talk there is about phishing scams being one of the leading causes of data security breaches, it might seem like no one should be taken in by a phishing email scam. But a surprising number of phishing emails are opened by recipients, and a startling number of links contained in phishing emails are clicked on.
Highly Sophisticated Phishing Ploy
This most recent Netflix phishing scam is striking in that it was carefully engineered to avoid being detected as fraudulent email. The hackers used highly sophisticated techniques and methods to keep their email campaign from being detected. Specifically, the attackers:
- Hosted the phishing webpages on legitimate, but compromised, Netflix servers.
- Withheld the phishing pages from visitors with certain IP addresses, namely those likely to resolve to companies such as PhishTank or Google, so that the ploy would not be detected.
- Obfuscated the client-side HTML code of the phishing pages using AES encryption.
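The third technique matters for defenders because a page whose markup is delivered as ciphertext and decrypted in the browser looks like a blank page to scanners that only read the raw HTML. The following added example (not code from the original post) shows a heuristic that profiles a fetched page and reports the indicators such obfuscation leaves behind: a very large base64-like string literal inside a script, a client-side decrypt or AES reference, decoded content being written into the DOM, and almost no visible text alongside a large script body. The two sample pages are constructed for the example; the "ciphertext" is deterministic filler bytes, not real encrypted content, and the `decrypt(c, k)` call is an assumed shape for the decryption step rather than anything recovered from the real campaign.

```python
import base64
import re
from html.parser import HTMLParser

# Constructed filler standing in for a large ciphertext literal; it is
# base64 of predictable bytes, not real encrypted markup.
_SAMPLE_BLOB = base64.b64encode(bytes(range(256)) * 2).decode()

# Constructed page in the shape described: one big literal, a decrypt
# call (assumed name) and the result written straight into the document.
OBFUSCATED_PAGE = f"""<html><body><script>
var c = "{_SAMPLE_BLOB}";
var k = "0123456789abcdef";
document.write(decrypt(c, k));
</script></body></html>"""

# Constructed ordinary login page with real visible text and no script.
PLAIN_PAGE = (
    "<html><body><h1>Sign in</h1><form><input name='email'></form><p>"
    + "Help text. " * 10
    + "</p></body></html>"
)


class _PageProfile(HTMLParser):
    """Separate visible text from inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.text_chars = 0
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)
        else:
            self.text_chars += len(data.strip())


# A quoted run of 200+ base64 alphabet characters is far longer than any
# ordinary string literal in page scripts.
_BLOB = re.compile(r"['\"]([A-Za-z0-9+/=]{200,})['\"]")
_DECRYPT = re.compile(r"\b(decrypt|AES)\b", re.IGNORECASE)
_SINK = re.compile(r"document\.write|\.innerHTML\s*=|eval\s*\(", re.IGNORECASE)


def obfuscation_indicators(html):
    """Return a list of indicator strings; an empty list means none were found."""
    profile = _PageProfile()
    profile.feed(html)
    script = "\n".join(profile.scripts)
    indicators = []
    blobs = _BLOB.findall(script)
    if blobs:
        indicators.append(f"{len(blobs)} large base64-like literal(s) in script")
    if _DECRYPT.search(script):
        indicators.append("client-side decrypt/AES reference")
    if _SINK.search(script):
        indicators.append("decoded content written into the DOM")
    if profile.text_chars < 50 and len(script) > 500:
        indicators.append("almost no visible text but a large script body")
    return indicators


def looks_obfuscated(html, threshold=2):
    """Flag a page when at least `threshold` independent indicators are present."""
    return len(obfuscation_indicators(html)) >= threshold


if __name__ == "__main__":
    for name, page in (("obfuscated", OBFUSCATED_PAGE), ("plain", PLAIN_PAGE)):
        print(name, looks_obfuscated(page), obfuscation_indicators(page))
```

None of the four indicators is conclusive on its own (legitimate sites also inline large data URIs or assign `innerHTML`), which is why the flag requires two or more of them. A scanner that only reads the static HTML would otherwise see an essentially empty page and pass it, which is precisely the effect the attackers were relying on.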
Contact a Cybersecurity Lawyer
Data security breaches happen all the time, and sometimes companies and people fall victim to phishing attacks. Cybersecurity attacks are getting more sophisticated with each passing day, and the laws surrounding cybersecurity issues are continuously evolving to address new challenges. Revision Legal stays up to date on cybersecurity law and new cyber threats. Revision Legal works closely with cybersecurity victims and helps them deal with the aftermath of security breaches, and we can help you manage your situation after suffering a data breach. Contact the experienced data breach attorneys at Revision Legal as soon as possible if you need help. Contact Revision Legal data breach attorneys using the form on this page or call us at 855-473-8474.
The Legal Framework Governing Phishing Attacks
Phishing attacks like the Netflix campaign described above implicate multiple federal statutes. Perpetrators of phishing schemes face criminal liability under 18 U.S.C. § 1030 (the Computer Fraud and Abuse Act) for unauthorized access to protected computers, under 18 U.S.C. § 1343 (wire fraud) for using electronic communications to execute a scheme to defraud, and under 18 U.S.C. § 1028 (identity fraud) for the fraudulent use of personal identification information obtained through the phishing scheme. Maximum penalties for wire fraud are 20 years imprisonment per count, and computer fraud violations can carry sentences of up to 10 years for first offenses.
For businesses whose legitimate infrastructure is compromised and used to host phishing pages — as Netflix’s servers were in this attack — there is a separate set of concerns. The company whose servers are hijacked to host phishing pages may itself face reputational harm, regulatory scrutiny, and civil liability from customers who were defrauded through the compromised infrastructure. Even though Netflix was a victim rather than a participant, the unauthorized use of its servers to conduct fraud creates notification obligations if any Netflix server-side data was accessed during the compromise.
The CAN-SPAM Act and Phishing Email
The CAN-SPAM Act of 2003 (15 U.S.C. § 7701 et seq.) regulates commercial email and makes it unlawful to send email with materially false or misleading header information or deceptive subject lines. Phishing emails inherently violate the CAN-SPAM Act’s prohibition on false headers, as they are designed to impersonate the sender (here, Netflix) and to deceive recipients about the email’s true origin. CAN-SPAM provides for criminal penalties of up to five years imprisonment for aggravated violations, which include phishing-style deception. The FTC and Department of Justice both have authority to pursue enforcement under CAN-SPAM.
What Victims of Phishing Attacks Should Do
If you have clicked a phishing link and entered personal information or payment credentials, time is of the essence. The following steps can limit the damage:
- Change your passwords immediately — starting with the account that was phished (here, Netflix) and any other accounts that use the same password. Use a password manager to generate and store unique passwords for each account.
- Contact your financial institution immediately if you entered credit card or banking information. Request a new card number and ask your bank to monitor for fraudulent transactions.
- Place a fraud alert or credit freeze with the three major credit bureaus — Equifax, Experian, and TransUnion — if you provided your Social Security number. A credit freeze is free under federal law (15 U.S.C. § 1681c-1) and prevents new accounts from being opened in your name.
- File a report with the FTC at identitytheft.gov. An FTC Identity Theft Report creates an official record of the theft and helps when disputing fraudulent accounts with creditors.
- Report the phishing email to the Anti-Phishing Working Group at reportphishing@apwg.org and to the legitimate company being impersonated (here, Netflix at phishing@netflix.com) so they can take action to disrupt the campaign.
Business Obligations When a Phishing Attack Compromises Customer Data
When a phishing attack results in the compromise of a business’s customer data — either because employees fell for a phishing email that gave attackers network access, or because attackers impersonated the business to steal customer credentials — the business has legal obligations under state breach notification statutes. A business that learns that customers have been defrauded through a phishing campaign that exploited the business’s brand must evaluate whether a reportable security breach of the business’s own systems occurred, and whether it has independent notification obligations to customers who were victimized.
Businesses should also consider whether they have claims against the attackers under the CFAA or for common law fraud if the attackers exploited the business’s servers or misappropriated its brand to perpetrate the phishing scheme. While recovering from foreign cybercriminal actors is practically difficult, civil judgments can support insurance claims and may be enforceable if the attackers have U.S. assets or presence. Contact the cybersecurity attorneys at Revision Legal using the form on this page or call us at 855-473-8474.
Image credit: Global Panorama