A sophisticated phishing campaign is impersonating Disney+, targeting business users with fake payment update notifications. This multi-stage scam demonstrates how cybercriminals are leveraging trusted brand recognition and exploiting legitimate email infrastructure to harvest both login credentials and financial information.
The campaign uses the display name "D+" with sender addresses appearing to come from notification(at)apigoo-syd(dot)lycamobile(dot)com(dot)au, while the actual sending infrastructure leverages Oracle's email delivery service with unique bounce addresses containing the recipient's email address. This technique makes the emails appear more legitimate and helps evade basic email filtering systems.
The subject line "Update your payment information to continue your subscription" creates urgency while appearing to come from a service many users recognise and trust.
Stage 1: The Initial Email
The phishing email features Disney+'s authentic branding and logo, creating immediate visual credibility. The message warns recipients that their payment information needs updating to avoid service interruption, using language that mirrors legitimate subscription renewal notices:
"We want to make sure that you can still enjoy all the content of our service without interruptions. Currently, your payment information needs to be updated in order to maintain access to your subscription."
Stage 2: Credential Harvesting
Clicking the "Update payment details" button redirects victims to a convincing fake Disney+ login page hosted on emiratesflags(dot)ae. The page requests email and password credentials, with familiar Disney+ styling that closely mimics the legitimate service.
Stage 3: Financial Data Theft
After entering login credentials, victims are redirected to a "Secure Payment" page requesting complete credit card details including card number, expiration date, CVV, and cardholder name. The page maintains Disney+ branding throughout and includes typical payment security messaging to build confidence.
Stage 4: Data Processing
Following payment submission, the scam presents a loading screen before the process stalls, leaving victims uncertain whether their "payment update" was successful while their credentials and financial data are harvested by cybercriminals.
Security-conscious users should be alert to several warning signs evident in this campaign:
For business environments, this type of credential harvesting presents multiple risks beyond individual account compromise. Employees who reuse passwords across personal and business systems may inadvertently provide attackers with pathways into corporate infrastructure. Additionally, harvested credit card information can lead to fraudulent charges and potential financial liability.
The professional presentation of this scam makes it particularly dangerous in business contexts where employees may be processing emails quickly and could mistake the polished phishing attempt for legitimate communication.
This campaign highlights how cybercriminals exploit legitimate email delivery services to enhance their credibility. By leveraging Oracle's email infrastructure, the attackers gain several advantages including improved deliverability, reduced likelihood of immediate filtering, and the appearance of coming from established technical infrastructure.
The unique bounce address structure containing recipient email addresses suggests a sophisticated operation capable of customising campaigns for each target, potentially indicating larger-scale threat actor involvement rather than opportunistic scamming.
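The sender traits described above (a brand display name on an unrelated From domain, a separate bounce address that embeds the recipient, and a button pointing off-brand) can be checked mechanically. The following triage sketch is an added example, not MailGuard's code. It assumes the brand's real domains are those in `BRAND_DOMAINS` and that the recipient is encoded in the bounce address as `user=domain`; the sample message and all hostnames in it are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains the impersonated brand really sends from (adjust per brand).
BRAND_DOMAINS = {"disneyplus.com", "disney.com"}

# Constructed sample message; every address and URL is a placeholder.
SAMPLE = """\
Return-Path: <bounce+alice=corp.example@esp-bounces.example>
From: "D+" <notification@mailer.telco.example>
To: alice@corp.example
Subject: Update your payment information to continue your subscription
Content-Type: text/html

<p>Disney+</p><a href="https://login.flags.example/update">Update payment details</a>
"""

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def on_brand(host):
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)

def triage(raw):
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, bounce = parseaddr(msg.get("Return-Path", ""))
    _, rcpt = parseaddr(msg.get("To", ""))
    body = msg.get_payload()
    findings = []
    if "disney" in body.lower() and not on_brand(domain(from_addr)):
        findings.append("brand_in_body_but_sender_off_brand")
    if domain(bounce) and domain(bounce) != domain(from_addr):
        findings.append("envelope_sender_domain_differs_from_header_from")
    # Assumed encoding: recipient appears in the bounce local part as user=domain.
    local = bounce.rsplit("@", 1)[0].lower()
    if rcpt and rcpt.lower().replace("@", "=") in local:
        findings.append("recipient_embedded_in_bounce_address")
    hosts = {h.lower() for h in re.findall(r'href="https?://([^/"]+)', body)}
    if any(not on_brand(h) for h in hosts):
        findings.append("link_host_off_brand")
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A differing envelope sender and a per-recipient bounce address are also normal for legitimate bulk mail sent through delivery services, so these findings are best scored in combination with the off-brand sender and link checks rather than used to block on their own.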
Given the convincing nature of this Disney+ impersonation, organisations should reinforce several key security practices:
MailGuard advises all recipients of these emails to delete them immediately without clicking on any links. Responding or providing personal details can lead to identity theft, data breaches, and financial losses.
Avoid emails that:
Many businesses turn to MailGuard after a near miss or incident. Don't wait until it's too late. Reach out to our team for a confidential discussion by emailing expert@mailguard.com.au or calling 1300 30 44 30.
All that it takes to devastate your business is a cleverly worded email message that can steal sensitive user credentials or disrupt your business operations. If scammers can trick one person in your company into clicking on a malicious link or attachment, they can gain access to your data or inflict damage on your business.
For a few dollars per staff member per month, you can protect your business with MailGuard's specialist, 'zero zero-day' email security. Special Ops for when speed matters! Our real-time 'zero zero-day' email threat detection amplifies our clients' intelligence, knowledge, security and defence. Talk to a solution consultant at MailGuard today about securing your company's inboxes.