2017-11-28 - FAKE NETFLIX LOGIN PAGES FROM PHISHING EMAILS

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2017-11-28-Netflix-phishing-email-tracker.csv.zip   0.6 kB (616 bytes)
• 2017-11-28-Netflix-phishing-messages-12-emails.txt.zip   3.8 kB (3,809 bytes)
• 2017-11-28-Netflix-phishing-login-page-traffic-1st-run.pcap.zip   704.3 kB (704,320 bytes)
• 2017-11-28-Netflix-phishing-login-page-traffic-1st-run.saz.zip   299.8 kB (299,849 bytes)
• 2017-11-28-Netflix-phishing-login-page-traffic-2nd-run.pcap.zip   681.9 kB (681,887 bytes)
• 2017-11-28-Netflix-phishing-login-page-traffic-2nd-run.saz.zip   301.2 kB (301,176 bytes)

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains:

• status-verify[.]com
• status-restore[.]com
• locked.netlfix.com.confirm.account.status-restore[.]com
• netsecure-cancel[.]com
• locked.netlfix.com.confirm.account.netsecure-cancel[.]com
• mynetflix-acc[.]com
• webcmd.netflixsupport.billingupdate.authlogin.mynetflix-acc[.]com

 

EMAILS AND URLS

EMAILS:

• Date time: as early as Sunday 2017-11-26 05:56 UTC through at least Tuesday 2017-11-28 01:16 UTC

• From: "NETFLIX"<noreply@netflix.service[.]com>
• Subject: Your Netflix Membership has been locked

• From: "NETFLIX"<noreply@netflix.serv[.]com>
• Subject: Your Netflix Membership has been cancelled

• From: " NETFLIX"< support@netflixupdate.serv[.]com>
• Subject: Your Netflix Membership is on hold

 

LINKS FROM THE EMAILS AND REDIRECTS FOR FAKE NETFLIX LOGIN PAGES:

• hxxp[:]//status-verify[.]com/restore/
• hxxp[:]//status-restore[.]com/goto/
• hxxps[:]//locked.netlfix.com.confirm.account.status-restore[.]com/Files/Login.php
• hxxp[:]//netsecure-cancel[.]com/serv/
• hxxps[:]//locked.netlfix.com.confirm.account.netsecure-cancel[.]com/Files/Login.php
• hxxp[:]//mynetflix-acc[.]com/validation_key=983897492374874811
• hxxps[:]//webcmd.netflixsupport.billingupdate.authlogin.mynetflix-acc[.]com/Files/Login.php

 

IMAGES

Shown above:  Screenshot of the spreadsheet tracker.

 

Shown above:  Screenshot from one of the emails.

 

Shown above:  Example of the fake login pages.

 

Shown above:  After you give up your login credentials, the phishers ask for more info.

 

Shown above:  Traffic from the 1st run as seen in Fiddler.

 

Shown above:  Traffic from the 2nd run as seen in Fiddler.

 

Click here to return to the main page.