2017-11-22 - NETFLIX PHISHING EMAILS
ASSOCIATED FILES:
- Saz file of the Fiddler capture: 2017-11-22-Netflix-phishing-traffic.saz 321 kB (320,976 bytes)
- Zip archive of the pcap: 2017-11-22-Netflix-phishing-traffic.pcap.zip 766 kB (765,810 bytes)
  - 2017-11-22-Netflix-phishing-traffic.pcap (848,321 bytes)
- Zip archive of the emails: 2017-11-22-Netflix-phishing-emails.zip 21.4 kB (21,462 bytes)
  - 2017-11-22-Netflix-phishing-email-1635-UTC.txt (6,463 bytes)
  - 2017-11-22-Netflix-phishing-email-1636-UTC.txt (6,461 bytes)
  - 2017-11-22-Netflix-phishing-email-1654-UTC.txt (6,439 bytes)
  - 2017-11-22-Netflix-phishing-email-1659-UTC.txt (6,440 bytes)
  - 2017-11-22-Netflix-phishing-email-1707-UTC.txt (6,439 bytes)
  - 2017-11-22-Netflix-phishing-email-1715-UTC.txt (6,440 bytes)
  - 2017-11-22-Netflix-phishing-email-1728-UTC.txt (6,446 bytes)
  - 2017-11-22-Netflix-phishing-email-1729-UTC.txt (6,445 bytes)
  - 2017-11-22-Netflix-phishing-email-1745-UTC.txt (6,445 bytes)
  - 2017-11-22-Netflix-phishing-email-1802-UTC.txt (6,440 bytes)
  - 2017-11-22-Netflix-phishing-email-tracker.csv (1,951 bytes)
NOTES:
- This appears to be the same thing I tweeted about last month on 2017-10-30 (link to tweet).
- At that time, I didn't document it in a blog post, so I'm doing it for today's emails/traffic.
WEB TRAFFIC BLOCK LIST
Indicators are not a block list. If you feel the need to block web traffic, I suggest the following domains:
- Anything with authorize-eu.com as the domain suffix. For example:
  - webcmd.netflixsupport.billingupdate.authlogin.authorize-eu.com
EMAILS
Shown above: Screenshot from the spreadsheet tracker.
Shown above: Screenshot from one of the emails.
EMAIL HEADERS:
- Date/Time: Wednesday 2017-11-22 as early as 16:35 UTC through at least 18:02 UTC
- Subject: Your Netflix Membership is on hold
- From: " NETFLIX"< cust.service@netflix.support.com>
- From: " NETFLIX"< email@netflix.ssl.com>
- From: " NETFLIX"< service@netflix.intl.com>
TRAFFIC
Shown above: Fake Netflix login page.
Shown above: Traffic from the infection filtered in Wireshark.
Shown above: Traffic from the infection as recorded in Fiddler.
NETWORK TRAFFIC FROM MY INFECTED LAB HOST:
- 190.14.38.55 port 80 - authorize-eu.com - GET /validation_key=983897492374874833/
- 190.14.38.55 port 443 (HTTPS) - webcmd.netflixsupport.billingupdate.authlogin.authorize-eu.com - fake Netflix login site
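Two defender-side checks that follow from the indicators above (the authorize-eu.com block suffix, the spoofed "NETFLIX" From: headers, and the hosts seen in the lab traffic), written as an added Python example that is not part of the original write-up. The proxy-style log line format, the brand-to-domain mapping, the client IP and the lookalike host are assumptions constructed for the example; the block suffix, the two hosts, the URI and the From: header values are taken from the post.

```python
"""Added example (not from the original write-up).

Two checks built from the post's indicators:
  1. match hostnames from log lines against a block-by-suffix list, on label
     boundaries, so a lookalike such as 'notauthorize-eu.com' is not caught
     by the suffix 'authorize-eu.com';
  2. flag From: headers whose display name claims a brand while the sender
     address is not under that brand's real domain.
"""
from email.utils import parseaddr

# Suffix to block, per the write-up.
BLOCK_SUFFIXES = ("authorize-eu.com",)

# Assumption for the example: the only legitimate domain for the brand name.
BRAND_DOMAINS = {"netflix": ("netflix.com",)}

# Constructed proxy-style log lines: '<client_ip> <method> <host> <uri>'.
# The client IP and the 'notauthorize-eu.com' line are made up; the other
# hosts and the URI come from the write-up.
SAMPLE_LOG = [
    "10.0.0.5 GET authorize-eu.com /validation_key=983897492374874833/",
    "10.0.0.5 CONNECT webcmd.netflixsupport.billingupdate.authlogin.authorize-eu.com /",
    "10.0.0.5 GET www.netflix.com /",
    "10.0.0.5 GET notauthorize-eu.com /",
]


def is_under_domain(host: str, suffix: str) -> bool:
    """True if host equals suffix or is a subdomain of it (label-boundary match)."""
    host = host.lower().rstrip(".")
    suffix = suffix.lower().rstrip(".")
    return host == suffix or host.endswith("." + suffix)


def blocked_hosts(log_lines):
    """Return, in order, the hosts from log_lines that fall under a blocked suffix."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line; skip rather than guess
        host = parts[2]
        if any(is_under_domain(host, s) for s in BLOCK_SUFFIXES):
            hits.append(host)
    return hits


def from_header_impersonation(from_header: str):
    """Return the brand name a From: header impersonates, or None.

    parseaddr() copes with the odd spacing in the write-up's headers,
    e.g. '" NETFLIX"< cust.service@netflix.support.com>'. A domain that merely
    contains the brand as a label (netflix.support.com) is NOT under netflix.com.
    """
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if not domain:
        return None
    name = display.strip().lower()
    for brand, real_domains in BRAND_DOMAINS.items():
        if brand in name and not any(is_under_domain(domain, d) for d in real_domains):
            return brand
    return None


if __name__ == "__main__":
    print("blocked hosts:", blocked_hosts(SAMPLE_LOG))
    for hdr in (
        '" NETFLIX"< cust.service@netflix.support.com>',
        '" NETFLIX"< email@netflix.ssl.com>',
        '" NETFLIX"< service@netflix.intl.com>',
        '"Netflix" <info@mailer.netflix.com>',
    ):
        print(f"{hdr!r} -> {from_header_impersonation(hdr)}")
```

The suffix check deliberately tests on a label boundary rather than a plain `endswith`, which is the mistake that lets a registrant of a lookalike domain slip past a suffix-based block list; the From: check treats the parsed address domain, not the display name, as the only signal worth trusting.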
FINAL NOTES
Once again, here are the associated files:
- Saz file of the Fiddler capture: 2017-11-22-Netflix-phishing-traffic.saz 321 kB (320,976 bytes)
- Zip archive of the pcap: 2017-11-22-Netflix-phishing-traffic.pcap.zip 766 kB (765,810 bytes)
- Zip archive of the emails: 2017-11-22-Netflix-phishing-emails.zip 21.4 kB (21,462 bytes)
Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.