According to a Monday blog post by FireEye, customers who clicked on the link inside the emails were directed to a log-in page that convincingly impersonated the popular streaming media service’s website. The malicious web page – hosted on a legitimate, yet compromised web server – would first ask users to sign in with their credentials. Once that step was complete, it would direct victims to additional webpages requesting further details such as names, birth dates, billing addresses, Social Security numbers and payment card information.
FireEye reported that the phishing websites were no longer active by the time its article was posted.
To avoid detection, the campaign used AES encryption to encode and obfuscate the content presented on the client side. “By obfuscating the webpage, attackers try to deceive text-based classifiers and prevent them from inspecting webpage content,” the blog post explains. In addition, the phishing pages were not displayed to users located at IPs belonging to certain companies like Google or PhishTank.
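A defender can still triage this kind of page statically, because an encrypted body leaves a recognisable shape: almost no readable text, a large high-entropy string literal, and a script call that renders markup at runtime. The sketch below is an added example, not code from FireEye or from the campaign; the thresholds, the sample pages and the names `decryptPage` and `key` are assumptions made for illustration.

```python
import base64, hashlib, math, re
from collections import Counter
from html.parser import HTMLParser

BLOB_RE = re.compile(r"""["']([A-Za-z0-9+/=]{200,})["']""")  # long base64-like literal
SINK_RE = re.compile(r"document\.write|innerHTML|insertAdjacentHTML")  # runtime render

class Splitter(HTMLParser):
    """Separate <script> source from the text a static classifier can read."""
    def __init__(self):
        super().__init__()
        self.in_script, self.scripts, self.visible = False, [], []
    def handle_starttag(self, tag, attrs):
        self.in_script = self.in_script or tag == "script"
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        (self.scripts if self.in_script else self.visible).append(data)

def shannon_entropy(s):
    """Bits per character; base64 ciphertext approaches 6, padding is near 0."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def analyze(html, min_entropy=4.5, ratio=4):
    """Flag pages whose body is mostly an opaque blob rendered by script."""
    p = Splitter()
    p.feed(html)
    p.close()
    src = "".join(p.scripts)
    visible = " ".join(" ".join(p.visible).split())
    blobs = [b for b in BLOB_RE.findall(src) if shannon_entropy(b) >= min_entropy]
    blob_chars = sum(map(len, blobs))
    sink = bool(SINK_RE.search(src))
    return {"visible_chars": len(visible), "blob_chars": blob_chars,
            "render_sink": sink,
            "suspicious": sink and blob_chars > ratio * max(len(visible), 1)}

# Constructed samples. The blob is hash output standing in for ciphertext;
# decryptPage and key are hypothetical names, not taken from the campaign.
_BLOB = base64.b64encode(
    b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))).decode()
OBFUSCATED_PAGE = ("<html><head><title>Sign in</title></head><body><script>var ct='"
                   + _BLOB + "';document.write(decryptPage(ct, key));</script></body></html>")
PLAIN_PAGE = ("<html><head><title>Sign in</title></head><body><h1>Sign in</h1>"
              "<form><label>Email</label><input name='u'><label>Password</label>"
              "<input name='p' type='password'></form>"
              "<script>document.getElementById('u').focus();</script></body></html>")

if __name__ == "__main__":
    for name, page in (("obfuscated", OBFUSCATED_PAGE), ("plain", PLAIN_PAGE)):
        print(name, analyze(page))
```

A hit from this heuristic is a reason to render the page in an instrumented browser and classify the resulting DOM, not a verdict on its own, since legitimate sites also ship encoded data inside scripts.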