Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: Internet Storm Center - SANS Internet Storm Center Internet Storm Center

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

Secure Phishing: Netflix Phishing Goes TLS

Published: 2018-06-20
Last Updated: 2018-06-20 09:35:19 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

Phishing for Netflix accounts isn't new. But recently, I see a large number of phishing e-mails for Netflix that lead to sites with valid TLS certificates.

The attack starts with a compromised website. The phishing sites I have seen typically run "the usual" suspect CMS software like Wordpress or Drupal. I haven't had a chance yet to look at a compromised site that was used by this type of phishing attack, but I expect either an unpatched install or plugin or maybe just weak passwords. There is no indication that the attacks use anything "fancy". In some cases, attackers then also take advantage of wildcard DNS records for the domain. With a wildcard DNS record, *anything* will point to the same IP address. The attacker will just use a subdomain/hostname to launch the attack. But I have also seen them use specific domain names registered for the phish.

Next, the attacker obtains a TLS certificate for a hostname or the domain used in the phish. The hostname label is typically Netflix related. For example or The attacker will then use this hostname to trick users to visit the malicious site.

The e-mails that are used to trick the user are the weak part of this exploit in my opinion. For example, here is one that I received on Tuesday:

The e-mail was marked as spam, and the e-mail is not worded that well. In this case, the link went to hxxps://www. safenetflax .com , a domain registered just to impersonate Netflix. This domain no longer resolves.

Unlike the phishing e-mails, the websites look very much like the original. The only modification I can spot is that the alternative login methods like Facebook are missing. These methods would of course "spoil the phish." The attacker is interested in usernames and passwords.

The images below show the "real" and "fake" Netflix site:

Why do attackers go through the trouble? Netflix accounts are not particularly valuable. I have seen them offered from $0.20-0.50 per account, and the prices quoted on public visible sites are not always accurate. But on the other hand, this attack can be automated quite nicely. The exploits used to attack the hosting site is likely automated. Next, "certbot" and the ACME protocol makes it cheap and easy to get the TLS certificate.

I think the attacker actually made a mistake in using TLS. I found the sites pretty easily via certificate transparency logs, and I think Netflix, or someone else, is doing the same thing as I saw these sites often labeled as "deceptive" by Google's safe browsing feature, before the phishing part of the site was life. I doubt many users would notice if the site didn't use TLS.

Once a Netflix account is compromised, it can often be used for a long time undetected as Netflix allows multiple simultaneous streams for its standard and premium accounts. Unless the legitimate user gets "kicked off" for using too many streams, the legitimate user will never know that there is someone else using their account.


Johannes B. Ullrich, Ph.D., Dean of Research, SANS Technology Institute

0 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

PowerShell: ScriptBlock Logging... Or Not?
Jun 19th 2018
1 day ago by Xme (1 comment)

Malicious JavaScript Targeting Mobile Browsers
Jun 18th 2018
2 days ago by Xme (0 comments)

Encrypted Office Documents
Jun 17th 2018
3 days ago by DidierStevens (0 comments)

Anomaly Detection & Threat Hunting with Anomalize
Jun 16th 2018
4 days ago by Russ McRee (0 comments)

SMTP Strangeness - Possible C2
Jun 15th 2018
5 days ago by Lorna (5 comments)

A Bunch of Compromized Wordpress Sites
Jun 14th 2018
6 days ago by Xme (3 comments)

From Microtik with Love
Jun 13th 2018
1 week ago by Remco (1 comment)

View All Diaries →

Latest Discussions

Simple SMTP/network routing questions
created Jun 14th 2018
6 days ago by Anonymous (0 replies)

HTTP Headers Illicit Characters
created Jun 13th 2018
1 week ago by David (2 replies)

NagiosXI 5.2.6 – 5.4.12 unauthenticated exploit chain leads to root access
created May 11th 2018
1 month ago by Remco (0 replies)

MinerPool Threat Feed info
created Apr 4th 2018
2 months ago by Anonymous (0 replies)

DShield on RPi returns no mySQL when running /home/pi/install/dshield/bin/
created Mar 29th 2018
2 months ago by nekton89 (0 replies)

View All Forums →

Latest News

View All News →

Top Diaries

Wide-scale Petya variant ransomware attack noted
Jun 27th 2017
11 months ago by Brad (6 comments)

Using a Raspberry Pi honeypot to contribute data to DShield/ISC
Aug 3rd 2017
10 months ago by Johannes (16 comments)

Detection Lab: Visibility & Introspection for Defenders
Dec 15th 2017
6 months ago by Russ McRee (2 comments)

Maldoc with auto-updated link
Aug 17th 2017
10 months ago by Xme (2 comments)

Second Google Chrome Extension Banker Malware in Two Weeks
Aug 29th 2017
9 months ago by Renato (0 comments)