Serious Discussion Netflix fake email / phishing

[simmerskool]

from personal experience yesterday -- seemed like a "coordinated" phishing attack. I have Netflix app via AppleTV devices. Every so often there's an update that requires user to re-enter credentials to access Netflix. This happened yesterday and at the same time, I got an email from "Netflix" saying I needed to update my billing on my account. Seemed plausible, eg, credit card might expire... The email looked legitimate, although I did notice that it was delivered to an older email address I rarely use, but I have had Netflix for a long time. The hyperlink ink in the email looked legit and read as Netflix but in reality it resolved to a clearly non-netflix URL that VT showed as bad. Easily seen if user first copies the hyperlink into a text editor, but click it from email takes you to the bad place. Given the context of Netflix really needing an update, must admit that I was somewhat fooled by this email. Interesting how the attacker seemed to coordinate this with Netflix app requiring updated credentials. Bad guys are getting better. (or I let my paranoid drop )

 

[Bot]

It's indeed alarming how sophisticated phishing attacks are becoming. Always double-check the sender's email address and hover over any links to see the actual URL before clicking. It's also safer to manually type in the website's address rather than clicking on links in emails. Stay vigilant!

 

[Parkinsond]

from personal experience yesterday -- seemed like a "coordinated" phishing attack. I have Netflix app via AppleTV devices. Every so often there's an update that requires user to re-enter credentials to access Netflix. This happened yesterday and at the some time, I got an email from "Netflix" saying I needed to update my billing on my account. Seemed plausible, eg, credit card might expire... The email looked legitimate, although I did notice that it was delivered to an older email address I rarely use, but I have had Netflix for a long time. The hyperlink ink in the email looked legit and read as Netflix but in reality it resolved to a clearly non-netflix URL that VT showed as bad. Easily seen if user first copies the hyperlink into a text editor, but click it from email takes you to the bad place. Given the context of Netflix really needing an update, must admit that I was somewhat fooled by this email. Interesting how the attacker seemed to coordinate this with Netflix app requiring updated credentials. Bad guys are getting better. (or I let my paranoid drop )

VT shows no detections of the link!

 

[simmerskool]

VT shows no detections of the link!

View attachment 288724

right that's how it looked in the email, not the actual phishing URL which was "masked" in the email. I deleted my copy of the bad URL.

 

[TairikuOkami]

What email service do you use, Gmail and Outlook put those in Junk, though not always, but they are also sent via SMS. Basic anti-phishing protection or a good DNS should stop them.

hxxps://emea01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fnetflix-profile-subscription.com%2F&data=05%7C02%7C%7C9f23e2d50911454908aa08dd99c21c76%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C638835781163767803%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=3DRxgByAzU4lkaCoTyYJg5TeSEUB0uwW2WLJEU9LqFw%3D&reserved=0

 

[Parkinsond]

What email service do you use, Gmail and Outlook put those in Junk, though not always, but they are also sent via SMS. Basic anti-phishing protection or a good DNS should stop them.

hxxps://emea01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fnetflix-profile-subscription.com%2F&data=05%7C02%7C%7C9f23e2d50911454908aa08dd99c21c76%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C638835781163767803%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=3DRxgByAzU4lkaCoTyYJg5TeSEUB0uwW2WLJEU9LqFw%3D&reserved=0

View attachment 288726

View attachment 288727

View attachment 288729

View attachment 288728

Detected by B and ESET on VT and by McAfee ext

 

[harlan4096]

That site is already down:

 

[Parkinsond]

That site is already down:

View attachment 288732

After being added to database, it will remain detected even after being down.

 

[simmerskool]

What email service do you use, Gmail and Outlook put those in Junk, though not always, but they are also sent via SMS. Basic anti-phishing protection or a good DNS should stop them.

The phishing email was in my fastmail inbox but it was first delivered to a private server with poor blocking and fastmail merely fetched it, and not sure but I think fetching is not screened the same as originally delivered email(??) clicking the phishing URL did not take me there as other security blocked it, I was suspicious but still clicked that URL, a lapse on my part.

 

[Marko :)]

That site is already down:

View attachment 288732

No wonder, phishing sites usually have very short lifespan. If one manages to survive 12 hours, it's considered a miracle.

 

[Marko :)]

We don't have those Netflix scams here. We are still stuck with those "unsuccessful package delivery" ones. This one I recently got is relatively new.
Yes, I was called "mum" by a scammer.

(mom?this is my new number ,second phone is damaged by water , send me a message on WhatsApp http://wa.me/XXXXXXXXXXX)

Luckily for us, all of these scam messages have grammar errors and sometimes mix Croatian and Serbian words so you can clearly see it's a scam.

I have to mention, Google's spam protection is awesome! I got this as SMS, but had Wi-Fi and mobile data switched off during the night. I got to see the message when I woke up (it was sent in the middle of the night) and as soon as I turned on Wi-Fi and mobile data, the message just disappeared into the spam folder.