2017-11-28 - FAKE NETFLIX LOGIN PAGES FROM PHISHING EMAILS
ASSOCIATED FILES:
- 2017-11-28-fake-Netflix-email-tracker.csv.zip 0.6 kB (608 bytes)
- 2017-11-28-fake-Netflix-emails.txt.zip 3.8 kB (3,777 bytes)
- 2017-11-28-fake-Netflix-login-page-traffic-1st-run.pcap.zip 704 kB (704,312 bytes)
- 2017-11-28-fake-Netflix-login-page-traffic-1st-run.saz 321 kB (320,568 bytes)
- 2017-11-28-fake-Netflix-login-page-traffic-2nd-run.pcap.zip 682 kB (681,879 bytes)
- 2017-11-28-fake-Netflix-login-page-traffic-2nd-run.saz 323 kB (322,759 bytes)
WEB TRAFFIC BLOCK LIST
Indicators are not a block list. If you feel the need to block web traffic, I suggest the following domains:
- status-verify.com
- status-restore.com
- locked.netlfix.com.confirm.account.status-restore.com
- netsecure-cancel.com
- locked.netlfix.com.confirm.account.netsecure-cancel.com
- mynetflix-acc.com
- webcmd.netflixsupport.billingupdate.authlogin.mynetflix-acc.com
EMAILS AND URLS
EMAILS:
- Date time: as early as Sunday 2017-11-26 05:56 UTC through at least Tuesday 2017-11-28 01:16 UTC
- From: "NETFLIX"<noreply@netflix.service.com>
- Subject: Your Netflix Membership has been locked
- From: "NETFLIX"<noreply@netflix.serv.com>
- Subject: Your Netflix Membership has been cancelled
- From: " NETFLIX"< support@netflixupdate.serv.com>
- Subject: Your Netflix Membership is on hold
LINKS FROM THE EMAILS AND REDIRECTS FOR FAKE NETFLIX LOGIN PAGES:
- hxxp://status-verify.com/restore/
- hxxp://status-restore.com/goto/
- hxxps://locked.netlfix.com.confirm.account.status-restore.com/Files/Login.php
- hxxp://netsecure-cancel.com/serv/
- hxxps://locked.netlfix.com.confirm.account.netsecure-cancel.com/Files/Login.php
- hxxp://mynetflix-acc.com/validation_key=983897492374874811
- hxxps://webcmd.netflixsupport.billingupdate.authlogin.mynetflix-acc.com/Files/Login.php
IMAGES
Shown above: Screenshot of the spreadsheet tracker.
Shown above: Screenshot from one of the emails.
Shown above: Example of the fake login pages.
Shown above: After you give up your login credentials, the phishers ask for more info.
Shown above: Traffic from the 2nd run as seen in Fiddler.
Shown above: Traffic from the 1st run as seen in Fiddler.
FINAL NOTES
Zip and saz files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.