OFFICIAL SECURITY BLOG

Fraudulent Netflix site wants to leave you high and dry

August 29, 2014 | BY

We’ve seen countless fake pages purporting to be a bank or a popular shopping site that ask you for personal information.

This type of scam is called phishing and typically starts with an urgent-looking message in your inbox. Upon following the directions (typically clicking on a link), you’re taken to a page that looks like an exact replica of the genuine company.

Eric Lawrence, creator of the famous Fiddler web debugger, spotted a phishing attack targeting Netflix customers. Readers of this blog may remember a similar one we identified several months ago.

This new one is more sophisticated (better graphics, etc.). It does not have the tech support scam element; instead it goes straight after your identity and wallet.


The bogus domain netflix-ssl.net (IP address: 176.74.28.254) was registered a few days ago through the “Crazy Domains FZ-LLC” registrar.

[Image: whois record for netflix-ssl.net]

The information requested on the phishing page includes name, address and credit card details. It’s sent back to the bad guys’ server with multiple POST requests such as the one below:

POST http://netflix.co.uk.account.validation-9247424908.netflix-ssl.net/email_identifier=71a605276e146b93e52b0c1bfb98ade285c337b0a6b7e5f3f560fd5bb11f1d1c/6cde9c162b263b123b5a6f7b9e39ef7d/Sessions/Paymentsess.php HTTP/1.1
Host: netflix.co.uk.account.validation-9247424908.netflix-ssl.net

nameoncard=&cardnumber=&expm=&expy=&securitycode=&accountnumber=&sortcode=&SubmitButton=Continue

Note the clever use of a long URL that resembles the genuine one and that may be particularly effective on mobile devices:
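The two things worth checking in a capture like the one above are which domain was actually registered (the labels at the end of the host, not the familiar-looking ones at the front) and what the form posts. The following is an added example, not code from the original post: it parses the request line and body quoted above, reduces the host to its registrable domain with a deliberately tiny stand-in for the public suffix list (an assumption; real tooling would use the full list), flags the host because it mentions a brand while sitting under a domain the brand does not own (the allow-list is also an assumption), and lists the card and bank-account fields the form submits.

```python
"""Added example (not from the original post): inspect a captured phishing
request, reduce the host to its registrable domain, flag brand lookalikes
and list the payment fields the form posts.

The request line and form body are the ones quoted in the post (field values
were empty in the capture). The suffix list and brand allow-list are
constructed assumptions for this demo."""
from urllib.parse import urlsplit, parse_qs

# Request captured in the post (constructed constant; body values are empty).
REQUEST_LINE = (
    "POST http://netflix.co.uk.account.validation-9247424908.netflix-ssl.net"
    "/email_identifier=71a605276e146b93e52b0c1bfb98ade285c337b0a6b7e5f3f560fd5bb11f1d1c"
    "/6cde9c162b263b123b5a6f7b9e39ef7d/Sessions/Paymentsess.php HTTP/1.1"
)
FORM_BODY = (
    "nameoncard=&cardnumber=&expm=&expy=&securitycode=&accountnumber="
    "&sortcode=&SubmitButton=Continue"
)

# Assumption: a tiny stand-in for the public suffix list. Production code
# should load the real list (for example via the publicsuffix2 package).
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk"}

# Assumption: domains the brand legitimately uses for its own sites.
BRAND_DOMAINS = {"netflix": {"netflix.com", "netflix.co.uk"}}

# Form field names that carry payment-card or bank-account data.
SENSITIVE_FIELDS = {
    "nameoncard", "cardnumber", "expm", "expy",
    "securitycode", "accountnumber", "sortcode",
}


def registrable_domain(host: str) -> str:
    """Return the domain a registrar actually sold (public suffix plus one
    label), using the longest public suffix that matches the host."""
    labels = host.lower().rstrip(".").split(".")
    # Walk from the longest candidate suffix to the shortest so that
    # "co.uk" wins over "uk".
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return host.lower()


def brand_lookalike(host: str):
    """Return (brand, registrable_domain) when the host name mentions a brand
    but is registered under a domain that brand does not own, else None."""
    reg = registrable_domain(host)
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in host.lower() and reg not in allowed:
            return brand, reg
    return None


def analyse_request(request_line: str, body: str) -> dict:
    """Summarise a captured request: host, registrable domain, lookalike
    verdict, sensitive form fields and whether it went over plain HTTP."""
    method, url, _version = request_line.split(" ", 2)
    parts = urlsplit(url)
    host = parts.hostname or ""
    # keep_blank_values so that empty fields (as in the capture) still count.
    fields = parse_qs(body, keep_blank_values=True)
    lookalike = brand_lookalike(host)
    return {
        "method": method,
        "host": host,
        "registrable_domain": registrable_domain(host),
        "lookalike_brand": lookalike[0] if lookalike else None,
        "sensitive_fields": sorted(SENSITIVE_FIELDS & set(fields)),
        "plain_http": parts.scheme == "http",
    }


if __name__ == "__main__":
    for key, value in analyse_request(REQUEST_LINE, FORM_BODY).items():
        print(f"{key}: {value}")
```

Run as a script it reports netflix-ssl.net as the registrable domain, flags the netflix lookalike, notes that the form went over plain HTTP despite the "ssl" in the name, and lists all seven card and bank fields. The same `registrable_domain` check is what a mail gateway or proxy rule needs in order to compare a link's real domain against a brand allow-list instead of trusting the leading labels.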

[Image: the phishing page and its long URL displayed on an iPhone]

We are reporting this site to the registrar and hosting company so that it can be taken down as soon as possible.

Phishing scams keep getting more elaborate and, unfortunately, are very hard to block because they keep popping up on new domains and registrars, truly making this a cat-and-mouse game between crooks and the security community.

While many web browsers (Internet Explorer, Google Chrome, Mozilla Firefox) do have anti-phishing technology that blocks access to fraudulent sites, there is often a lag between the time a new site comes up and the time it gets blacklisted.

The best defence against these scams is awareness, and suspicion of any email purporting to be from a company you deal with.

There are some telltale signs of phishing attacks, such as poor grammar, spelling mistakes or obviously unrelated URLs, as well as a general ‘urgency’ in the tone of the message.

@jeromesegura

  • The only T

    They will never give up….

    The best thing is to never click on a link in an email

  • Iona Erofeeff

    Or to right-click on the link, and select “Copy Link Location.” Then, paste it into Word, your URL bar, or really any place you can paste it. Finally, you will see if the link is authentic. (Of course, if it isn’t, don’t follow the link.) Scammers use the ability to put any text on a link to their advantage.

  • Ben Drinkwater

    I do have a way to defeat the scammers: just open up a new tab, go to the website the email was telling you about by typing it in, and then do what the email told you to do.

  • http://enria.org/ Zee Flynn

    Moral of the story? What on earth are you using lame Netflix for in the first place? There are substantially better services, offering a great deal more and a fraction to none of the price.

  • Eric Mazzi

    Why do you think your programs are exempt? They are just as much of a target. There is no sacred ground here.

  • http://en.wikipedia.org/wiki/Gordon_Gekko Thom J Greco

    The domain registration is a dead giveaway.

  • Louie Guertin

    Monsieur, not everyone is zee Flynn.

  • Sydney

    What do you use?

  • Ograf

    Name one such service ?

  • Jay P.

    Please share these “better services” for us then.

  • ShinGokuraku

    “This is so simple even a liberal can do it.”
    “(this part is probably too difficult for a liberal)”
    Your condescending attitude toward people who think differently than you is sad. I’m sorry to say that to you. However, your advice is very sound and quite good! (even though it’s basic advice.)

  • Julie A. Dwight

    What I do is this: I hover my mouse over the link and read what it says in the bottom left corner. Also, last week, my friend’s name (exactly first and last name) showed up in my spam folder. I thought that was strange so I hovered my mouse over her name and it wasn’t her email address. It was some address I’d never seen before. So I told her (didn’t click anything within the email) and deleted it.