Introduction
A new phishing campaign disguised as a Netflix job offer is stealing Facebook accounts from unsuspecting marketing and social media managers. By luring victims with fake employment opportunities, attackers are capturing login credentials in real time and using compromised accounts for advertising fraud.
How the Scam Works
Attackers send marketing and social media managers a job offer, often referencing real open positions at Netflix. The message directs the recipient to a malicious "HR portal", where they are asked to log in with their Facebook account to view internal pages. The login form is a spoofed Facebook page that relays each keystroke to an attacker-controlled server over a WebSocket, so the victim's email address and password are captured as they are typed, before the form is ever submitted, along with the resulting session cookies. If the account is protected by multi-factor authentication, the page then prompts for the one-time code, and because the relay is live the attackers can use the code before it expires.
According to a report by Moonlock, the attackers have been using the captured credentials to run unauthorized ads, propagate further scams and steal money from victims [1]. The campaign targets individuals who manage company Facebook pages or ad accounts, because those accounts carry elevated privileges and a budget the attackers can spend.
Who Is at Risk
The scam specifically targets marketing and social media professionals, because their Facebook accounts often have administrative access to corporate pages and advertising budgets. If compromised, these accounts can be used to post malicious links, pay for ads or send scam messages to more victims.
Tips for Avoiding the Scam
- Be skeptical of unsolicited job offers, especially if they require you to log into personal accounts to view details.
- Double‑check domain names and URLs before entering your credentials. Netflix never requires Facebook login to submit or review job applications.
- Enable multi-factor authentication on all social media and email accounts. Use app-based authenticators rather than SMS where possible, but note that a real-time relay like this one can still capture an app-generated code; a FIDO2 security key or passkey, which only works on the genuine site's origin, is the option that actually resists this kind of phishing.
- Never share one‑time passcodes or multi‑factor codes over email or chat.
- If you receive an offer that seems legitimate, contact the company through official channels to verify, for example the careers page reached by typing the company's address yourself rather than a link in the message.
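To make the mechanism described under "How the Scam Works" and the domain-checking advice above concrete, here is an added example (not code from the article or from the Moonlock report) of the checks a defender can run against a suspicious login page: whether a Facebook-branded form is served from, or sends input to, a domain that is not Facebook's; whether the host merely contains a brand name (a lookalike); and whether WebSocket frames captured from the page (for instance in the browser's network panel) show a value growing one character at a time, which is the signature of per-keystroke capture. The portal URL, the WebSocket endpoint and the captured frames are all constructed placeholders, and the registrable-domain logic is a deliberately naive "last two labels" assumption rather than a Public Suffix List lookup.

```javascript
// Added example: audit helpers for a suspected credential-phishing login page.
// All URLs and frames below are constructed for illustration.

// Real domains for the brands the scam imitates (assumed list, extend as needed).
const LEGIT = {
  facebook: ["facebook.com", "fb.com"],
  netflix: ["netflix.com"],
};

// Naive registrable-domain extraction: the last two labels of the host.
// Adequate for the .com-style hosts here; a production tool should use the
// Public Suffix List so that e.g. "example.co.uk" is handled correctly.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  return labels.slice(-2).join(".");
}

// A host is a lookalike when a brand name appears anywhere in it but its
// registrable domain is not one of that brand's real domains.
function lookalikeBrand(hostname) {
  const host = hostname.toLowerCase();
  const reg = registrableDomain(host);
  for (const [brand, domains] of Object.entries(LEGIT)) {
    if (host.includes(brand) && !domains.includes(reg)) return brand;
  }
  return null;
}

// pageUrl: where the login form is rendered.
// brand:   whose login the form claims to be ("facebook").
// sinks:   every URL the page sends typed input to (form action, fetch/XHR,
//          WebSocket). A branded login that lands anywhere else is phishing.
function auditLoginPage(pageUrl, brand, sinks) {
  const findings = [];
  const page = new URL(pageUrl);
  const legit = LEGIT[brand] || [];

  if (!legit.includes(registrableDomain(page.hostname))) {
    findings.push(`branded-login-offsite: ${brand} login form served from ${page.hostname}`);
  }
  const imitated = lookalikeBrand(page.hostname);
  if (imitated) findings.push(`lookalike-domain: ${page.hostname} imitates ${imitated}`);

  for (const sink of sinks) {
    const u = new URL(sink);
    if (!legit.includes(registrableDomain(u.hostname))) {
      const kind = u.protocol.startsWith("ws") ? "websocket" : "http";
      findings.push(`credential-sink-offsite (${kind}): ${u.href}`);
    }
    if (u.protocol === "ws:" || u.protocol === "http:") {
      findings.push(`cleartext-sink: ${u.href}`);
    }
  }
  return findings;
}

// frames: WebSocket messages captured from the page, in order, as JSON text.
// Per-keystroke capture shows up as a run of messages for the same field whose
// value extends the previous one by exactly one character, before any submit.
function detectKeystrokeStreaming(frames, minRun = 3) {
  const msgs = [];
  for (const f of frames) {
    let m;
    try { m = JSON.parse(f); } catch (e) { continue; }
    if (m && typeof m.field === "string" && typeof m.value === "string") msgs.push(m);
  }
  let growing = 0;
  for (let i = 1; i < msgs.length; i++) {
    const prev = msgs[i - 1], cur = msgs[i];
    if (cur.field === prev.field &&
        cur.value.length === prev.value.length + 1 &&
        cur.value.startsWith(prev.value)) {
      growing++;
    }
  }
  return growing >= minRun;
}

// Constructed sample: a fake "HR portal" showing a Facebook login, streaming
// input to its own WebSocket, then asking for the one-time code.
const SAMPLE_PAGE = "https://hr-portal.netflix-careers.example/internal/login";
const SAMPLE_SINKS = [
  "wss://hr-portal.netflix-careers.example/ws",
  "https://hr-portal.netflix-careers.example/api/2fa",
];
const SAMPLE_FRAMES = [
  '{"field":"email","value":"j"}', '{"field":"email","value":"ja"}', '{"field":"email","value":"jan"}',
  '{"field":"password","value":"h"}', '{"field":"password","value":"hu"}',
  '{"field":"password","value":"hun"}', '{"field":"password","value":"hunt"}',
  '{"field":"otp","value":"123456"}',
];

function demo() {
  return {
    findings: auditLoginPage(SAMPLE_PAGE, "facebook", SAMPLE_SINKS),
    streaming: detectKeystrokeStreaming(SAMPLE_FRAMES),
  };
}

console.log(demo());
```

Against the constructed sample the audit reports the Facebook form being served off-site, the host imitating "netflix", and two off-site sinks (one of them a WebSocket), and the frame analysis returns true because both the email and the password fields arrive one character at a time. The same functions return no findings and false for a login rendered on and submitted to www.facebook.com.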
Conclusion
Phishing attacks are becoming increasingly sophisticated, exploiting trust and urgency to trick victims into handing over credentials. The Netflix job offer scam shows how attackers can capture passwords, one-time codes and session cookies in real time and so get past code-based multi-factor authentication. Staying vigilant, verifying opportunities through official channels and using phishing-resistant authentication are essential to avoid becoming the next victim.
Sources
[1] Moonlock, report on the Netflix job offer scam: how attackers use a fake HR portal and a WebSocket to steal Facebook credentials, target marketing managers, and run ads with the stolen accounts.