This Creative Phishing Scam Uses Netflix Job Offers to Steal Facebook Credentials

Fraudsters are becoming increasingly creative in choosing targets for their phishing campaigns: a new attack discovered by Malwarebytes Labs appears to specifically target marketing and social media job seekers who may have access to business Facebook accounts belonging to their current employer.

The ultimate goal, in addition to stealing credentials, could be to compromise the targeted business accounts by displaying malicious ads at the company’s expense, demanding ransom, or distributing additional scams that exploit customer trust in the brand.

Netflix Copycats Target Potential Employees

The campaign begins with an email that appears to come from Netflix’s recruiting department. The email begins by flatteringly describing an opening for a senior position, such as VP of Marketing, which the recipient would likely be interested in. A screenshot from Malwarebytes Labs shows the sender’s email address as talents[at]netflixtalentnurture[dot]com, which, while not an official Netflix domain, looks legitimate.

This scam probably isn’t much of a threat unless you respond to the first email. You shouldn’t, but if you did, you’d receive a second email inviting you to an interview with the “Netflix HR team.” Clicking the link to schedule will show you (fake) interview slots to choose from. If you choose one, you’ll be prompted to create or sign in to your Netflix profile.

This is where the risk increases significantly. You can choose to “Continue with Facebook” or “Continue with Email” — both of which will take you to a fake Facebook login screen. If you enter your credentials, the attackers will receive them and be able to instantly log into your real Facebook account. If you have two-factor authentication set up on Facebook, they may even ask for and enter your code, depending on the method you choose.

The Malwarebytes team found that if you enter an incorrect username and password, you’ll get a response that says, “The password you entered is incorrect. Please try again!” That error means the phishing kit is checking your credentials against the real Facebook login as you enter them, which makes the login page the most dangerous element of this attack: attackers intercept and use your data in real time, and a one-time 2FA code relayed the same way is just as usable to them as the password.

Red Flags of Employment Fraud

This Netflix-Facebook job scam is pretty sophisticated in terms of its targeting, use of credible company names, and multi-step approach to phishing your details, but there are some red flags.


Being redirected to Facebook to book an interview is a red flag, although it’s not the most obvious one. Many users are used to using Facebook and Google to log into third-party sites. However, if you check the URL on the login page that you’re redirected to, you’ll see that it’s not the Facebook domain.

Always check the URLs of emails and links carefully before clicking on them. In this case, neither site is on the official Facebook or Netflix domain. If you do open a web page, look closely at the address in the browser bar to spot fakes: the brand name appearing somewhere in the hostname is not the same as the page being on the brand’s own domain. Scammers use branding to make the scam site look virtually indistinguishable from the real thing.
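The check described above, applied to both the sender domain from the first email and the login URL, is the kind of thing a mail gateway or browser extension can automate. The following Python is an added example written for this article, not code from Malwarebytes or from the campaign itself. It extracts the hostname from a URL, reduces it to the registered domain, and reports whether that domain is the brand’s official one, a lookalike that merely contains the brand name (including the `user@host` decoy trick), or unrelated. The `OFFICIAL_DOMAINS` table and the sample URLs other than netflixtalentnurture[dot]com are assumptions constructed for the example, and the two-label “registered domain” rule is a simplification of what the Public Suffix List provides.

```python
from urllib.parse import urlparse

# Official domains for the brands this campaign imitates (assumed allowlist for
# the example; a deployment would maintain this from a vetted source).
OFFICIAL_DOMAINS = {
    "facebook": {"facebook.com", "fb.com"},
    "netflix": {"netflix.com"},
}


def refang(text: str) -> str:
    """Turn a defanged indicator such as 'netflixtalentnurture[dot]com' or
    'hxxps://...' back into a parsable string."""
    return (text.replace("[dot]", ".")
                .replace("[.]", ".")
                .replace("[at]", "@")
                .replace("hxxp", "http"))


def registered_domain(hostname: str) -> str:
    """Return the last two labels of a hostname.
    Simplification: a production checker should use the Public Suffix List so
    that names like 'example.co.uk' are reduced correctly."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


def classify_url(url: str) -> str:
    """Classify a URL or bare domain as 'official', 'lookalike' or 'unrelated'.

    'official'  - the registered domain is in the allowlist for a known brand
    'lookalike' - a brand name appears in the hostname (or in the userinfo part
                  before '@') but the registered domain is not the brand's own
    'unrelated' - no known brand name appears at all
    """
    url = refang(url)
    # urlparse only recognises the host when a scheme is present.
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    netloc = parsed.netloc.lower()
    if not host:
        return "unrelated"

    if registered_domain(host) in {d for ds in OFFICIAL_DOMAINS.values() for d in ds}:
        return "official"

    # Searching the whole netloc (not just the hostname) catches decoys such as
    # https://facebook.com@203.0.113.10/, where the browser connects to the host
    # after the '@' and everything before it is ignored credentials.
    for brand in OFFICIAL_DOMAINS:
        if brand in netloc:
            return "lookalike"
    return "unrelated"


def classify_sender(address: str) -> str:
    """Classify the domain part of an e-mail address with the same rules."""
    address = refang(address)
    domain = address.rsplit("@", 1)[-1]
    return classify_url(domain)


if __name__ == "__main__":
    # Constructed sample inputs; the first sender is the address reported in
    # the article, the rest are made up for illustration.
    samples = [
        "talents[at]netflixtalentnurture[dot]com",
        "https://www.facebook.com/login",
        "https://facebook.com.account-verify.example/login",
        "https://facebook.com@203.0.113.10/login",
        "https://example.org/careers",
    ]
    for s in samples:
        verdict = classify_sender(s) if "[at]" in s or "@" in s.split("://")[-1].split("/")[0] and "://" not in s else classify_url(s)
        print(f"{verdict:10} {s}")
```

The important design choice is the order of the checks: the allowlist comparison runs on the registered domain only, so `www.facebook.com` passes while `facebook.com.account-verify.example` does not, and the brand-name search runs on the full network location so that userinfo decoys are flagged rather than silently classified as unrelated.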

You may have received legitimate messages from recruiters via email or LinkedIn, but you should still be wary of job postings you haven’t applied for or that sound too good to be true. Don’t click on links without verifying the sender, and don’t enter credentials or provide sensitive information.

There are other common scams involving unsolicited offers of dream jobs that are fully remote and highly paid. Scammers may also pose as recruiters and ask you to pay for their search and placement services. Never pay anyone for recruiting or onboarding services (unless you have hired a professional yourself), and do not agree to deposit checks or buy gift cards, as this almost always ends in losing money.
