2018-03-22 - NETFLIX-THEMED PHISHING

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• Zip archive of the email:  2018-03-22-Netflix-themed-phishing-email-1531-UTC.eml.zip   2 kB (2,153 bytes)
• Zip archive of pcap for the traffic:  2018-03-22-Netflix-phish-traffic.pcap.zip   794 kB (794,194 bytes)
• Zip archive of SAZ file for Fiddler capture:  2018-03-22-traffic-for-Netflix-phishing-site.saz.zip   305 kB (305,246 bytes)

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains:

• membership-webid934[.]com
• netflixusersupport.sysvalidate.safeguard.webid374-membership[.]com

 

EMAIL HEADERS

Received: from web[.]com ([140.82.32[.]95]) by [removed] for [removed];
     Thu, 22 Mar 2018 15:31:24 +0000 (UTC)
Received: from User ([104.207.131[.]25]) by web[.]com with Microsoft SMTPSVC(8.5.9600.16384);
     Thu, 22 Mar 2018 15:31:27 +0000
Date: Thu, 22 Mar 2018 15:31:26 -0000
MIME-Version: 1.0
Bcc:
X-Priority: 3
Return-Path: email@netflix.intl[.]com
Subject: Your Netflix Membership is on hold
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
Message-ID: <VULTR-GUESTdITblCBA000018f8@web[.]com>
From: " Netflix"< email@netflix.intl[.]com>
Content-Type: text/html;
     charset="windows-1251"
X-OriginalArrivalTime: 22 Mar 2018 15:31:27.0821 (UTC) FILETIME=[D84037D0:01D3C1F2]
X-MSmail-Priority: Normal

 

TRAFFIC

NETWORK TRAFFIC:

• 91.209.70[.]101 port 80 - membership-webid934[.]com - GET /membershipkey=9324832648389430184837738178348732   (link from the email)
• 91.209.70[.]101 port 443 - netflixusersupport.sysvalidate.safeguard.webid374-membership[.]com - GET /files/index.html   (HTTPS/SSL/TLS traffic to phishing site)

 

IMAGES

Shown above:  Screenshot of the phishing email.

 

Shown above:  Phishing page, a fake GoDaddy login site.

 

Shown above:  Traffic to the phishing page filtered in Wireshark.

 

Shown above:  Fiddler capture of the HTTP and HTTPS traffic.

 

Click here to return to the main page.