This Creative Phishing Scam Uses Netflix Job Offers to Steal Facebook Credentials
Briefly

Scammers target jobseekers in marketing and social media roles by impersonating Netflix recruiters and sending plausible emails from domains like talents[at]netflixtalentnurture[dot]com. The email invites recipients to schedule an interview and prompts creation or sign-in to a Netflix 'Career Profile' through a scheduling link. The sign-in flow offers 'Continue with Facebook' or 'Continue with Email,' both leading to a spoofed Facebook login where entered credentials are captured. Attackers who obtain credentials can access real Facebook accounts, potentially bypass two-factor authentication depending on the method, and then use employer business accounts to run malicious ads, demand ransom, or spread scams.
This campaign begins with an email that appears to come from the recruitment team at Netflix. It starts with some flattery and goes on to describe an opening for a leadership role, such as the VP of marketing, that's likely to make sense for the recipient. The screenshot from Malwarebytes Labs shows the sender's email address as talents[at]netflixtalentnurture[dot]com, which, while not Netflix's official domain, is somewhat plausible.
This scam probably isn't much of a threat unless you respond to the initial email. You shouldn't, but if you did, you'd get a second message with an invitation to schedule an interview with the "Netflix HR team." Clicking through the scheduling link will pull up (fake) interview slots to choose from, and if you select one, you'll be prompted to create or sign into your Netflix "Career Profile" account.
This is where the risk increases significantly. You can select either "Continue with Facebook" or "Continue with Email," both of which will lead you to a spoofed Facebook login screen. If you enter your credentials, the attackers now have them and can log into your real Facebook account instantly. If you have two-factor authentication set up for Facebook, they can even request and enter your code depending on the method you use.
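The sender address quoted above embeds the brand name in a domain that is not the brand's own. The following check, an added example that is not from the article or from Malwarebytes Labs, shows how a mail filter could flag that pattern; it also covers brand names used only in the display name, which goes beyond the case described. The allowlist contents, function names and all sample addresses other than the quoted one are assumptions made for the illustration.

```python
import re
from email.utils import parseaddr

# Assumption: allowlist of each brand's legitimate registrable domains,
# maintained by the defender. Only these two entries are used here.
OFFICIAL_DOMAINS = {"netflix": {"netflix.com"}, "facebook": {"facebook.com"}}

def refang(text):
    """Turn defanged notation (user[at]host[dot]tld) back into an address."""
    text = re.sub(r"\[at\]", "@", text, flags=re.IGNORECASE)
    return re.sub(r"\[dot\]", ".", text, flags=re.IGNORECASE)

def registrable_domain(domain):
    """Last two labels. Simplification: production code should use the
    Public Suffix List so that names under e.g. co.uk are handled."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def classify_sender(from_header):
    """Return (verdict, brand) for a From header value."""
    display, addr = parseaddr(refang(from_header))
    local, _, domain = addr.rpartition("@")
    if not local or not domain:
        return ("invalid", None)
    domain = domain.lower()
    reg = registrable_domain(domain)
    for brand, official in OFFICIAL_DOMAINS.items():
        if reg in official:
            return ("official", brand)
    squashed = domain.replace("-", "")  # catches hyphen-split brand names
    for brand in OFFICIAL_DOMAINS:
        if brand in squashed:
            return ("lookalike_domain", brand)
    for brand in OFFICIAL_DOMAINS:
        if brand in display.lower():
            return ("brand_in_display_name", brand)
    return ("unrelated", None)

# First entry is the address quoted in the article; the rest are constructed.
SAMPLES = [
    "talents[at]netflixtalentnurture[dot]com",
    "Recruiting <jobs@careers.netflix.com>",
    "Netflix HR <hr@example.org>",
    "a@netflix.com.example.net",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", classify_sender(sample))
```

An "official" verdict only means the From domain is on the allowlist; it says nothing about whether the message passed SPF, DKIM or DMARC, so it should be combined with those results.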
Read at Lifehacker