2017-11-22 - NETFLIX-THEMED PHISHING
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2017-11-22-Netflix-phishing-traffic.saz.zip 300.2 kB (300,218 bytes)
- 2017-11-22-Netflix-phishing-traffic.saz (307,529 bytes)
- 2017-11-22-Netflix-phishing-traffic.pcap.zip 765.8 kB (765,810 bytes)
- 2017-11-22-Netflix-phishing-traffic.pcap (848,321 bytes)
- 2017-11-22-Netflix-phishing-emails.zip 22.4 kB (22,430 bytes)
- 2017-11-22-Netflix-phishing-email-1635-UTC.txt (6,463 bytes)
- 2017-11-22-Netflix-phishing-email-1636-UTC.txt (6,461 bytes)
- 2017-11-22-Netflix-phishing-email-1654-UTC.txt (6,439 bytes)
- 2017-11-22-Netflix-phishing-email-1659-UTC.txt (6,440 bytes)
- 2017-11-22-Netflix-phishing-email-1707-UTC.txt (6,439 bytes)
- 2017-11-22-Netflix-phishing-email-1715-UTC.txt (6,440 bytes)
- 2017-11-22-Netflix-phishing-email-1728-UTC.txt (6,446 bytes)
- 2017-11-22-Netflix-phishing-email-1729-UTC.txt (6,445 bytes)
- 2017-11-22-Netflix-phishing-email-1745-UTC.txt (6,445 bytes)
- 2017-11-22-Netflix-phishing-email-1802-UTC.txt (6,440 bytes)
- 2017-11-22-Netflix-phishing-email-tracker.csv (1,951 bytes)
WEB TRAFFIC BLOCK LIST
Indicators are not a block list. If you feel the need to block web traffic, I suggest the following domains:
- Anything with authorize-eu[.]com as the domain suffix. For example:
- webcmd.netflixsupport.billingupdate.authlogin.authorize-eu[.]com
EMAILS
Shown above: Screenshot from the spreadsheet tracker.
Shown above: Screenshot from one of the emails.
EMAIL HEADERS:
- Date/Time: Wednesday 2017-11-22 as early as 16:35 UTC through at least 18:02 UTC
- Subject: Your Netflix Membership is on hold
- From: " NETFLIX"< cust.service@netflix.support[.]com>
- From: " NETFLIX"< email@netflix.ssl[.]com>
- From: " NETFLIX"< service@netflix.intl[.]com>
TRAFFIC
Shown above: Fake Netflix login page.
Shown above: Traffic from the infection filtered in Wireshark.
Shown above: Traffic from the infection as recorded in Fiddler.
NETWORK TRAFFIC FROM MY LAB HOST:
- 190.14.38[.]55 port 80 - authorize-eu[.]com - GET /validation_key=983897492374874833/
- 190.14.38[.]55 port 443 (HTTPS) - webcmd.netflixsupport.billingupdate.authlogin.authorize-eu[.]com - fake Netflix login site
Click here to return to the main page.