Even companies with the best cybersecurity defenses available can be vulnerable to attack. That’s one of the major takeaways from a recent phishing attack that affected customers of Netflix and American Express.
The Windows Defender Security Intelligence team first publicized the attack on March 19 on Twitter, saying: “Two massive, still-active phishing campaigns targeting Netflix and AMEX emerged over the weekend, the Office 365 Threat Research team has discovered. Machine learning and detonation-based protections in Office 365 ATP protect customers from both campaigns.”
American Express customers who click on a generic “Notice Concerning your CardMember Account” link are asked to download and fill out a form to confirm their records. The form asks for a lot of personal information, including ID and password, place of birth, mother’s maiden name and credit card information. The phishing campaign aimed at Netflix customers works much the same way, asking for credit card and billing information.
Phishing remains one of the most popular and effective attack vectors. The campaigns have become so sophisticated that even knowledgeable security personnel can fall victim, and scammers can send out thousands of phishing emails while needing only one to work. And with the credentials of just one user, scammers may be able to bypass multiple layers of a company’s security controls.
Whether American Express and Netflix are to blame for lax controls is unclear. If these were non-targeted attacks (taking data from other breaches), neither would be to blame. But if the credentials were breached from American Express’ and Netflix’s networks, the companies would have to be held accountable, said Colin Little, senior threat analyst with Centripetal Networks.
Fernando Montenegro, a senior analyst for information security at 451 Research, said the recent incidents don’t look like attacks on Netflix and American Express; instead, they look like an attack against the public at large.
“It looks like they are using those companies’ brands as part of a social engineering phishing campaign,” he said. “They are well-known brands, and there’s a high likelihood that many email addresses collected in other breaches … may coincide with people having a relationship with those brands.”
Montenegro said these attacks are a good reminder that a company’s brand can be misused, even if their own infrastructure is not under attack.
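The brand-misuse pattern described above (a trusted brand name in the sender's display name or subject, a sender domain and links that belong to someone else, and a "confirm your records" lure) is something a mail-filtering team can check for mechanically. The following is an added illustrative example, not code from the article or from Microsoft, Centripetal Networks or 451 Research; the brand-to-domain table, the `.invalid` sender domains and the sample messages are constructed for the example, and the registrable-domain helper is deliberately simple.

```python
"""Flag brand-impersonation phishing lures.

A message is suspicious when it invokes a brand (in the display name or
subject) but the sender domain or any embedded link is outside that brand's
own domains, or when the body carries a "confirm/verify your account" lure.
Added example: the brand table and sample messages are constructed.
"""
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed brand -> legitimate registrable domains (constructed for the example;
# a real deployment would source this list from the organisation's own records).
BRAND_DOMAINS = {
    "netflix": {"netflix.com"},
    "american express": {"americanexpress.com", "aexp.com"},
    "amex": {"americanexpress.com", "aexp.com"},
}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
LURE_RE = re.compile(r"\b(confirm|verify|update)\b.*?\b(account|records|billing)\b",
                     re.IGNORECASE | re.DOTALL)


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: keep the last two labels. Adequate for .com-style hosts;
    a production filter would use a public-suffix list instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def brands_mentioned(text: str) -> set:
    """Return the set of known brand names that appear in the text."""
    text = text.lower()
    return {brand for brand in BRAND_DOMAINS if brand in text}


def analyze(msg: dict) -> dict:
    """Score one message (dict with 'from', 'subject', 'body') and explain why."""
    display_name, addr = parseaddr(msg["from"])
    sender_domain = registrable_domain(addr.split("@")[-1]) if "@" in addr else ""
    brands = brands_mentioned(display_name + " " + msg["subject"])
    legit = set().union(*(BRAND_DOMAINS[b] for b in brands)) if brands else set()

    reasons = []
    # Brand invoked, but the mail did not come from that brand's domain.
    if brands and sender_domain not in legit:
        reasons.append(f"brand {sorted(brands)} invoked but sender domain is {sender_domain!r}")
    # Brand invoked, but a link points somewhere the brand does not own.
    for url in URL_RE.findall(msg["body"]):
        link_domain = registrable_domain(urlparse(url).hostname or "")
        if brands and link_domain not in legit:
            reasons.append(f"link to non-brand domain {link_domain!r}")
    # Classic credential/billing "confirmation" lure in the body.
    if LURE_RE.search(msg["body"]):
        reasons.append("credential/billing confirmation lure")
    return {"suspicious": bool(reasons), "reasons": reasons}


# Constructed sample messages: one lure modelled on the generic notice the
# article describes, one legitimate-looking message for contrast.
SAMPLES = [
    {
        "from": '"American Express" <alerts@example-notices.invalid>',
        "subject": "Notice Concerning your CardMember Account",
        "body": "Please download the form at http://secure-login.example-notices.invalid/form "
                "to confirm your account records.",
    },
    {
        "from": '"Netflix" <info@netflix.com>',
        "subject": "Your monthly statement",
        "body": "View your statement at https://www.netflix.com/YourAccount",
    },
]


def main() -> None:
    for msg in SAMPLES:
        result = analyze(msg)
        verdict = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{verdict:10} {msg['subject']}")
        for reason in result["reasons"]:
            print(f"           - {reason}")


if __name__ == "__main__":
    main()
```

The check is intentionally narrow: it only fires when a brand is named, so ordinary mail is untouched, and each reason is recorded separately so an analyst can see whether the sender, the links or the wording triggered the flag. It complements, rather than replaces, the user-awareness and out-of-band verification advice given below.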
To avoid these issues in the future, Little recommends implementing a security awareness program, which can train users on how to identify phishing emails. He also recommends advising users that if they aren’t sure that an email is legitimate, they should try to address the issue through a separate channel.
“Start a new email chain with the Netflix help desk, for example, using an email address you obtain from the site,” he recommended. “Or address the inquiry using a different media, such as calling their vendor support line. Or open the applicable app on your smartphone and check credit or account status.”