ESET’s Lucas Paus looks at a new WhatsApp scam that is making the rounds. The fraudsters behind it claim that users can get Netflix free for a year.
The idea of watching a whole season of your favorite TV show or the latest movies online for free is extremely appealing. Fraudsters are all too aware of this, as we’ll show.
And it is obvious that cybercriminals are using Netflix – which has almost 100 million users – to spread their attacks, as it is one of the most popular ‘internet television networks” in the world today.
In this post, we look at how fraudsters are using this well-known brand as the hook for a new WhatsApp scam. Let’s analyze how this false campaign, which offers users free access to Netflix for a whole year, works, and also look at how it has ended up misleading thousands of people worldwide.
The initial message and its multiple false sites
First things first – if you have received messages from trustworthy WhatsApp contacts inviting you to gain free access to the service through a particular link, let me be clear …
Don’t do it! Don’t click on the link! Don’t share it! As we can see with the following images (in both the Spanish and English versions), the message appears to come from the Netflix.com domain. However, when users look at the shortened URL, they’ll notice that clicking on it will redirect them to another domain that is not related with the legitimate Netflix.com site:
The first click on the campaign takes the user to an external domain unrelated to Netflix, which curiously uses a trusted certificate as shown in the following image:
Just like Netflix, it is also multilingual
Another curious fact is that the page has the capacity to detect the language of the device and can change its language automatically. The following images show the same campaign in Spanish, Portuguese, and English:
The method used for this scam is similar to what we are used to. The page promises a year’s worth of services from Netflix, provided that the user shares the fraudulent link with at least 10 of their contacts.
Meanwhile, the page checks the number of times the user presses the share button, and if the target is not reached, opens another window requiring the victim to continue sharing the link.
Then, victims are redirected to pages that falsely claim that they are on the “final step” to achieve activation, when what is really happening is that the attackers are stealing information from users’ mobile phones for different types of subscriptions, or opening the system’s messaging application in order to send SMS messages to premium numbers with a certain text or even encouraging users to download applications from unofficial sites.
What should you do if you shared or clicked on the link?
First of all, stay calm. It’s important to understand that, contrary to what some people believe, this is not a “WhatsApp virus” as there is no executable file that is being downloaded and installed in the terminal when you access the page.
Although it is a potential risk, we have not found evidence that the fraudulent sites are attempting to exploit the vulnerabilities of the connected devices; so, in theory, there is no greater risk of infection by simply clicking on the link.
If you have shared the link with friends and family, follow these steps:
- Get in touch with them as soon as you can and let them know that it is a scam and to stop sharing the message.
- If you entered your telephone number into any form, as seen in previous images, get in touch with your telephone provider to ensure that you have not subscribed “without noticing” to a premium messaging service that charges a fee.
- Finally, if you have downloaded any applications onto your cellphone, uninstall them. If you can’t do this, get in touch with a professional who can do it for you and restore the device to its manufacturing settings.
Remember that you should think twice about these messages with shortened links and consider their trustworthiness before sharing. Given that the campaign is multilingual, it has the capacity to spread much faster, not only in Spanish-speaking countries but also in countries where English or Portuguese is spoken.
Likewise, it is important to notify any users that have sent you the link about the importance of not providing their mobile phone numbers to Premium SMS services. In this way, you can be a hero, not in your favorite online seasons, but in real life, by putting a stop to these malicious campaigns and enjoying more secure use of your technology.