Researchers recently identified a phishing campaign set up to lure unsuspecting Netflix users into giving up their credentials and credit card data.
Netflix released Sleepy Puppy, a cross-site scripting payload management framework, to open source. The tool finds XSS vulnerabilities in secondary applications.
Sounds good, right? Especially in times when you just want to access Netflix U.S. for this one show but can’t because of licensing restrictions; or when everyone might be spying on you. Yes, now is the perfect time for a VPN (Virtual Private Network). Normally you have to pay for the service though. And that’s where Hola comes into play. Hola is a free Chrome browser plugin and, according to the ratings left on its Chrome page, VERY popular.
So how come a service like this can afford to stay free? It’s pretty simple really: they sell your bandwidth. “When a user installs Hola, he becomes a VPN endpoint, and other users of the Hola network may exit through his internet connection and take on his IP. This is what makes it free: Hola does not pay for the bandwidth that its VPN uses at all, and there is no user opt out for this,” says Fredrick Brennan, the operator of 8chan, in a note on his site. He continues: “Hola has gotten greedy. They recently (late 2014) realized that they basically have a 9 million IP strong botnet on their hands, and they began selling access to this botnet (right now, for HTTP requests only) at https://luminati.io. […] An attacker used the Luminati network to send thousands of legitimate-looking POST requests to 8chan’s post.php in 30 seconds, representing a 100x spike over peak traffic and crashing PHP-FPM.”
This is definitely not cool, but what does it mean for you? Well, if you are using Hola, your connection will be used by other users to access pages in your country that are blocked for their IP but are available with yours. This is perhaps annoying, but not all that bad. But what if your IP is one of those that get abused by people to perform illegal acts online?
Now is probably the best time to rethink using this specific free service.
The post Popular Free VPN Hola Sells Users Bandwidth for Botnets appeared first on Avira Blog.
Engineers at Netflix have released another one of the company’s bespoke security tools as an open-source application, this time an incident-response system known as FIDO. The tool is designed to help automate the process of incident response, and specifically it acts as a new layer that helps tie together existing applications by evaluating and assessing […]
The popular streaming service Netflix recently announced in their quarterly letter to shareholders that they plan to secure their entire service with HTTPS.
While some parts of Netflix already use encryption, such as the registration and payment services, the intention is now to encrypt the entire service for users on all platforms. This includes the data sent and received as part of the streaming service.
In October last year, Netflix said that they were investigating encrypting their entire service but claimed that it could cost them “$100’s of millions a year” to implement.
Netflix hasn’t explained exactly why they’ve decided to roll out HTTPS, although sources speculate that the Snowden revelations have some part to play.
2014 was a watershed year for security, with a number of high-profile companies and individuals suffering cyber-attacks. The trend continued in 2015, and Netflix has followed the likes of Google in adopting HTTPS across more of their services.
Improving user privacy
As Netflix explained in their letter, the wider adoption of HTTPS “helps protect member privacy, particularly when the network is insecure, such as public wifi, and it helps protect members from eavesdropping by their ISP or employer, who may want to record our members’ viewing for other reasons.”
A flurry of news concerning Netflix in recent days has presumably motivated this recent phishing attempt, as scammers continue to pursue current events and breaking news stories to attract victims.
The email contains a red button, “CLICK HERE TO VERIFY YOUR ACCOUNT”, that leads directly to a replica Netflix login page, as well as pages that ask for personal details including credit card information.
Unsuspecting Netflix customers who are tricked into this process will not only divulge their account password (which they may have used elsewhere), but may also have their credit card details stolen and used for fraudulent purchases.
If you do receive a Netflix phishing email you should report it officially to Netflix by forwarding the message to [email protected]. Further information about keeping your Netflix account secure can be found here.
Until next time, stay safe out there.