Disney+ Impersonated in Elaborate Multi-Stage Email Attack with Personalized Attachments

Brand impersonation has long been a favorite tactic of cybercriminals, who exploit the familiarity and reputation of well-known brands to deceive targets into providing sensitive information. Just last year, we discovered 265 different brands impersonated by threat actors in credential phishing attacks over only six months—demonstrating the wealth of trusted entities attackers have the ability to convincingly mimic.

But it’s not only financial institutions and social media sites that see their brands impersonated. In a recent multi-stage impersonation attack, threat actors posed as the popular streaming service Disney+ with impressive sophistication.

What sets this attack apart is the level of personalization and attention to detail employed by the perpetrators, making it difficult for traditional security solutions and even vigilant individuals to identify it as malicious. Based on initial research in late September, the threat actor targeted 44 individuals across 22 different organizations with this Disney+ impersonation attack.

The first step in this multi-stage attack is a seemingly auto-generated notification email informing the target of a pending charge for their new Disney+ subscription.

The message states that, per the contract signed during the initial registration process, the recipient will be automatically billed on September 21—the same day the notification was sent. The email continues by explaining that if the payment is authorized, no further steps are required. However, if the recipient did not approve this transaction, they can contact the support team.

Attached to each email is a PDF, the filename of which matches the name of the recipient—a personalization tactic that is not often seen, given the manual effort needed to do this for each email.

The content of the attachment is also personalized and contains details about the forthcoming charge, including the customer’s name, an invoice number, and the total amount to be paid of $49.99. Interestingly, this charge is far more than a basic Disney+ subscription of $7.99 a month or even the premium subscription, which runs $13.99 per month.

The PDF also contains the “customer support service” phone number that recipients can call to cancel the subscription. Should the recipient call the number, one of two things is likely to happen.

The first is they will be asked to provide sensitive information, such as banking details or login credentials, that the attacker can then use to either complete fraudulent transactions or compromise accounts. The other possibility is they will be given instructions for downloading software they are told is necessary to assist with stopping the charge but will actually infect their computer with malware.

Sending a malicious email about an unexpected impending charge with the goal of compelling the recipient to call a number included within the email is not necessarily a novel strategy. Indeed, we’ve been tracking phone fraud scams, often known as payloadless malware attacks, for several years. What is remarkable about this series of attacks is the level of sophistication and personalization the threat actors used.

For example, in the attack below, the threat actor sent the email from an ordinary Gmail address, used a generic subject line, referred to the target as “subscriber” in the greeting, and attempted no imitation of the Geek Squad branding.

In the Disney+ attack, on the other hand, the threat actor used a sender email of tv-disney@mail.tv-disney[.]com, which not only appears legitimate on its own but also mirrors the actual Disney+ email address, disneyplus@mail.disneyplus[.]com.

Additionally, the threat actor incorporated Disney+ branding and colors, while also personalizing the subject line and greeting of each email to the individual recipient. They even used the target’s name in the PDF filename and within the content of the bogus invoice which, as mentioned above, is an unusual tactic due to the manual effort required to do this for each email.

The emails are free of misspellings and have only a small number of minor grammatical errors. There are no phishing links, and the PDF contains no extra code or malware, so it can be safely downloaded without issue.

While some of the phrasing and word choices are a bit awkward, those could easily be overlooked—especially if the recipient is more concerned with determining how to cancel the unexpected charge. The attacker even went so far as to create a VoIP number with a Los Angeles County area code—where the Disney+ headquarters is located.

Claiming the total owed is $49.99 and that the charge will be completed the same day the email was received are also clever tactics. As of this writing, the most expensive Disney+ package is $13.99 per month. By telling the target they are hours away from being charged for an amount that is 3.5x the highest-cost subscription, the attacker increases the likelihood that the recipient will be quick to call the provided number to stop the transaction.

Another interesting thing to note is that while the language used in each email is similar and conveys the same message, it isn’t identical. This could be because the attacker is conducting a test to see which variation is the most effective. By monitoring which version elicits the most phone calls, they can identify which text to simply copy and paste into all future attacks.

The tactics used in these attacks pose a significant challenge for both traditional security solutions like secure email gateways (SEGs) and employees in recognizing them as threats.

In terms of the former, the emails have no malicious links or attachments, contain legitimate-looking content, utilize social engineering tactics, and are sent from a newly registered domain.

SEGs only flag messages with obviously malicious indicators of compromise (IOCs) and lack the functionality to detect the use of social engineering. Additionally, legacy security solutions rely on historical data to assess sender domain reputation, which means if an attacker uses a newly registered domain with no history, a SEG doesn’t have enough data to determine its trustworthiness. In short, because the emails contain no clear IOCs and because secure email gateways often prioritize avoiding false positives, these attacks would likely bypass a SEG.

For employees, the impersonation of a trusted brand, use of Disney+ branding, personalization to the recipient, and sense of urgency would make it particularly difficult for the average individual to identify the email as an attack. On top of that, since the message was sent to a company email address, recipients may be concerned that a corporate credit card is being charged with a personal expense. All of these elements combined make the perfect trap to trick almost any employee.

In contrast to a SEG, an AI-native email security solution uses machine learning, behavioral AI, and content analysis to detect the use of social engineering and brand impersonation and accurately flag these emails as malicious. It also takes into consideration the age of the sender’s domain, the fact the recipients have never received emails from this sender before, and the presence of a suspicious financial request.

By identifying established patterns of normal behavior and detecting these abnormal indicators, an AI-native email security solution like Abnormal can prevent this multi-stage attack from reaching inboxes.

Interested in learning more about how Abnormal can help your organization protect more, spend less, and secure the future? Schedule a demo today.