A scam campaign hitting WhatsApp users promises a free one-year subscription to Netflix, but instead steals personal information from the target, security researchers at ESET discovered.
The fraudulent promotions come in the form of text messages from familiar accounts, and attempt to gain access to as many facets of a victim’s smartphone as the user will allow, including contacts and device information.
Users who have been hit with the Netflix scam often receive the offer of one year free from a user in their contacts list. The message includes a link that appears to direct to the official Netflix.com domain, but the actual destination is obscured by a URL shortener. Expanding the URL reveals that it is hosted at a domain totally unrelated to Netflix.
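The expansion step described above, as an added defender-side example that is not part of ESET's research or of this article: follow a shortened link's redirect chain without rendering any page, then compare the final host against the expected registered domain. The redirect table and every host in it are constructed placeholders, and the `lookup` callable stands in for the HEAD requests a real expander would send.

```python
from urllib.parse import urlparse

# Constructed redirect table standing in for the Location headers a URL
# shortener and a tracking hop would return (None = no further redirect).
# Every host below is a made-up placeholder, not an indicator from the article.
CONSTRUCTED_REDIRECTS = {
    "https://short.example/free-netflix": "https://track.example/r?c=1",
    "https://track.example/r?c=1": "https://netflix.com.promo-example.test/year",
    "https://netflix.com.promo-example.test/year": None,
}


def expand_url(url, lookup=CONSTRUCTED_REDIRECTS.get, max_hops=10):
    """Walk the redirect chain without fetching page bodies (in production,
    `lookup` would issue a HEAD request and return its Location header).
    Returns (final_url, chain); raises on loops or over-long chains."""
    chain = [url]
    for _ in range(max_hops):
        nxt = lookup(url)
        if nxt is None:
            return url, chain
        url = nxt
        chain.append(url)
    raise ValueError("redirect loop or too many hops: " + " -> ".join(chain))


def host_matches(host, expected_domain):
    """True only if host is expected_domain or a subdomain of it.
    'netflix.com.promo-example.test' and 'netflix.com-login.test' both fail
    because the suffix check requires a dot boundary before expected_domain."""
    host = host.lower().rstrip(".")
    expected = expected_domain.lower()
    return host == expected or host.endswith("." + expected)


def check_link(url, expected_domain):
    """Expand the link and report (final_url, looks_legitimate)."""
    final_url, _chain = expand_url(url)
    parsed = urlparse(final_url)
    # .hostname drops any userinfo, so 'https://netflix.com@evil.test/'
    # is judged by 'evil.test', not by the decoy text before the '@'.
    host = parsed.hostname or ""
    ok = parsed.scheme == "https" and host_matches(host, expected_domain)
    return final_url, ok


if __name__ == "__main__":
    final_url, ok = check_link("https://short.example/free-netflix", "netflix.com")
    print(final_url, "legitimate" if ok else "NOT netflix.com")
```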
Clicking the link takes the user to a webpage that may seem legitimate: it is served with a valid TLS certificate, which many people take as a sign that a site is genuine even though it only confirms that the connection to that domain is encrypted. The page even detects the device’s language and displays its contents in the user’s language.
Despite giving off the appearance of authenticity, the offer on the page is fake. Once users click to try to claim the offer, they are encouraged to share the link with 10 of their friends, who will then get sucked into the same scam.
The knockoff Netflix site uses a tracker to count how many times a person clicks the “share the link” button to verify it is sent to 10 people. The scam won’t proceed until the user spreads the fraudulent link to their contacts.
Once the link has been shared and the scam sufficiently spread, the domain will take the user to the “final step” to unlock the supposed promotion. Instead, the final step consists of the scam site stealing user information.
The page can collect data such as mobile numbers, request access to the messaging system and encourage users to download apps from untrustworthy sources, likely with the intention of stealing more information. Once the scam site has the user’s cell phone number, it signs the user up for a number of subscription services.
Security researchers at ESET noted there is no executable file or download associated with this attack, so there is no apparent risk of installing a virus or exploitable file onto a device by clicking the link in the scam messages.
However, the campaign still poses plenty of risks for those who fall for it — and anyone in a victim’s contacts.
ESET’s experts advised users who see the scam to get in touch with the friend who sent the link and ask them to stop sharing the message. People who entered their telephone numbers should contact their service providers and make sure they have not been registered for any services without their knowledge. Any apps installed from a page associated with the Netflix scam should be uninstalled immediately.
Given that WhatsApp has more than 1 billion users and Netflix, a popular service with more than 100 million users of its own, is a familiar brand, it’s obvious why such a fraudulent campaign could be tempting to a user and why it’s so effective for scammers. It’s not the first time a scam has spread on WhatsApp, nor the first time Netflix has been used as bait for users who don’t know better.