You may have seen a couple of your friends sharing a link to an on-going promo of Netflix wherein users can enjoy free two months of premium subscription to keep everyone busy at home and comply with the government’s mandate for enhanced community quarantine due to the COVID-19 pandemic. It is quite tempting to some who are really getting bored already. However, the promo is fake.
Netflix did not release any similar promo recently. They do have free trials but according to their website, it is currently not offered in the Philippines.
Cyber Security Philippines – CERT, the first computer emergency response team in the country, already released an advisory to update the passwords of those who have already clicked the link.
What does it do?
Those who fell victim to this scheme would initially be redirected to a Facebook login page where it would show you the name of the entity you’re giving access to your social media account and the information that they would collect.
Based on the screenshot, the third-party application is called NeTflix (you’re right, it’s spelled correctly but it’s obviously not how Netflix write their brand) with a logo not updated and a privacy policy that redirects to a certain flixflix[.]xyz domain which is not related to the real corporate site of Netflix.
Further checking the information that this app would be getting from your Facebook account shows that it would only collect your name and profile picture. It also explicitly says that the app won’t post anything to your account.
If you continue to allow the app to have access to your account, you’ll be alerted by Facebook that the app logged in on your behalf. So far, at this point, we know that this malicious Netflix app could login to our Facebook account and keeps records of our name and profile picture.
If you’re purely innocent and just after the free Netflix access, you would answer the simple questions that flixflix[.]xyz (the website where you will be redirected after) will prompt you to do. Upon completion, it would ask you to share this promo to your friends (at this point, you will be redirected to another domain called flixa[.]xyz). This would just help spread the fake promo without you getting any access to that promised premium Netflix account.
Note that the malicious domains involved also varies from time to time. When we did our next test, the domain changed to flixu[.]xyz although the content remains the same. The IP address where all these domains are hosted belongs to 104.219.248.64. Passive DNS replication revealed hundreds of malicious domains. The most recent ones are related to Netflix scam (around 16) and COVID-19.
What to do?
If you’re one of those who clicked the link and allowed access to your Facebook account, update your password ASAP. Also, make sure to remove the app from your account by going to Settings > Apps and Websites then look for NeTflix. Tick on the box next to View and edit then click Remove.
If you have extra time, report the app directly to Facebook in hopes that they would take it down the soonest.
You can also report this to NBI Cybercrime Division online.
On our end, we have already reported the associated domains to security vendors for blocking. Better to ensure that your antivirus software are also updated.
Netflix Photo Credits: adweek.com
