2017-11-28 - FAKE NETFLIX LOGIN PAGES FROM PHISHING EMAILS

ASSOCIATED FILES:

• 2017-11-28-fake-Netflix-email-tracker.csv.zip   0.6 kB (608 bytes)
• 2017-11-28-fake-Netflix-emails.txt.zip   3.8 kB (3,777 bytes)
• 2017-11-28-fake-Netflix-login-page-traffic-1st-run.pcap.zip   704 kB (704,312 bytes)
• 2017-11-28-fake-Netflix-login-page-traffic-1st-run.saz   321 kB (320,568 bytes)
• 2017-11-28-fake-Netflix-login-page-traffic-2nd-run.pcap.zip   682 kB (681,879 bytes)
• 2017-11-28-fake-Netflix-login-page-traffic-2nd-run.saz   323 kB (322,759 bytes)

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains:

• status-verify.com
• status-restore.com
• locked.netlfix.com.confirm.account.status-restore.com
• netsecure-cancel.com
• locked.netlfix.com.confirm.account.netsecure-cancel.com
• mynetflix-acc.com
• webcmd.netflixsupport.billingupdate.authlogin.mynetflix-acc.com

 

EMAILS AND URLS

EMAILS:

• Date time: as early as Sunday 2017-11-26 05:56 UTC through at least Tuesday 2017-11-28 01:16 UTC

• From: "NETFLIX"<noreply@netflix.service.com>
• Subject: Your Netflix Membership has been locked

• From: "NETFLIX"<noreply@netflix.serv.com>
• Subject: Your Netflix Membership has been cancelled

• From: " NETFLIX"< support@netflixupdate.serv.com>
• Subject: Your Netflix Membership is on hold

 

LINKS FROM THE EMAILS AND REDIRECTS FOR FAKE NETFLIX LOGIN PAGES:

• hxxp://status-verify.com/restore/
• hxxp://status-restore.com/goto/
• hxxps://locked.netlfix.com.confirm.account.status-restore.com/Files/Login.php
• hxxp://netsecure-cancel.com/serv/
• hxxps://locked.netlfix.com.confirm.account.netsecure-cancel.com/Files/Login.php
• hxxp://mynetflix-acc.com/validation_key=983897492374874811
• hxxps://webcmd.netflixsupport.billingupdate.authlogin.mynetflix-acc.com/Files/Login.php

 

IMAGES

Shown above:  Screenshot of the spreadsheet tracker.

 

Shown above:  Screenshot from one of the emails.

 

Shown above:  Example of the fake login pages.

 

Shown above:  After you give up your login credentials, the phishers ask for more info.

 

Shown above:  Traffic from the 2nd run as seen in Fiddler.

 

Shown above:  Traffic from the 1st run as seen in Fiddler.

 

FINAL NOTES

Once again, here are the associated files:

• 2017-11-28-fake-Netflix-email-tracker.csv.zip   0.6 kB (608 bytes)
• 2017-11-28-fake-Netflix-emails.txt.zip   3.8 kB (3,777 bytes)
• 2017-11-28-fake-Netflix-login-page-traffic-1st-run.pcap.zip   704 kB (704,312 bytes)
• 2017-11-28-fake-Netflix-login-page-traffic-1st-run.saz   321 kB (320,568 bytes)
• 2017-11-28-fake-Netflix-login-page-traffic-2nd-run.pcap.zip   682 kB (681,879 bytes)
• 2017-11-28-fake-Netflix-login-page-traffic-2nd-run.saz   323 kB (322,759 bytes)

Zip and saz files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.