We are seeing quite a lot of Netflix phishing scams again recently. I have previously posted about these phishing scams but feel it is time to do an update with the latest version and the amount of personal, private and financial information they ask for. As you can see from the screenshots, I use the fake details of a well known public figure as an example with a known test credit card number that passes the phisher’s validation checks. All the information you give can be used to totally steal your identity, empty your bank and credit card accounts and frequently take over just about every other online account anywhere.
This particular run of scam emails was sent from a 1&1 web/email account. I can’t tell from the email headers whether it is more likely to be a compromised email account or whether the criminals have created an account (normally using previously stolen credentials/identity and credit cards).
The stated sending email address in the From entry is fake. SSL.com is a web site that sells SSL certificates. They are not involved in this scam in any way.
They use email addresses and subjects that will entice, persuade, shock or scare a recipient into reading the email and following the links.
Remember many email clients, especially on a mobile phone or tablet, only show the Name in the From: and not the bit in <domain.com>. That is why these scams and phishes work so well.
The email looks like:
From: Netflix <firstname.lastname@example.org>
Date: Thu 18/01/2018 23:26
Subject: Your Netflix Membership has been locked
We recently failed to validate your payment information we hold on record for your account,
therefore we need to ask you to complete a brief validation process in order to verify your billing and payment details.
Click here to verify your account
Failure to complete the validation process will result in a suspension of your netflix membership.
We take every step needed to automatically validate our users, unfortunately in this case we were unable to verify your details.
This process will only take a couple of minutes
and will allow us to maintain our high standard of account security.
Netflix Support Team
This message was mailed automatically by Netflix during routine security checks. We are not completely satisfied with your account information and required you to update your account to continue using our services uniterrupted.
If you follow the link in the email http://uid-netflix.com/validation_key=8204839994737494423837473/ (random ID keys) you then get diverted to https://netflixuser-support.validate.safeguard5.uid-netflix.com/Files/Login.php where you see a webpage that looks identical to the genuine Netflix log in page. The URL (web address) can be very easily mistaken for a genuine Netflix site and uses a free SSL certificate from Let's Encrypt.
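The two tells described above, the brand appearing only in the From: display name and the brand appearing in a hostname whose registrable domain is really uid-netflix.com, can be checked mechanically. This is an added example, not part of the original post; the brand allow-list, the short suffix list standing in for the Public Suffix List, and the sample message (constructed from the header and URLs quoted here) are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: the brand name and the domains it legitimately uses.
BRAND = "netflix"
BRAND_DOMAINS = {"netflix.com"}
# Assumption: tiny stand-in for the Public Suffix List, enough for this sample.
TWO_LABEL_SUFFIXES = {"co.uk", "com.my", "com.au"}

def registrable_domain(host):
    """Return the domain the registrant controls, e.g. uid-netflix.com."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])

def triage(raw_email):
    """Return findings for brand impersonation in the sender and the links."""
    msg = message_from_string(raw_email)
    findings = []
    # Check 1: brand in the display name, but the address is on another domain.
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = registrable_domain(addr.rpartition("@")[2])
    if BRAND in name.lower() and from_domain not in BRAND_DOMAINS:
        findings.append(f"display name '{name}' but sender domain is {from_domain}")
    # Check 2: brand somewhere in the hostname, but not in the registrable part.
    # Assumption: single-part plain-text body, so get_payload() is a string.
    for url in re.findall(r"https?://[^\s<>]+", msg.get_payload()):
        host = urlsplit(url).hostname or ""
        reg = registrable_domain(host)
        if BRAND in host and reg not in BRAND_DOMAINS:
            findings.append(f"link host {host} belongs to {reg}, not {BRAND}")
    return findings

# Constructed sample built from the From: line and URLs quoted in this post.
SAMPLE = """From: Netflix <firstname.lastname@example.org>
Subject: Your Netflix Membership has been locked

Click here to verify your account:
http://uid-netflix.com/validation_key=8204839994737494423837473/
https://netflixuser-support.validate.safeguard5.uid-netflix.com/Files/Login.php
Genuine link for comparison: https://www.netflix.com/login
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A production filter would use the full Public Suffix List and walk every MIME part rather than the single text body assumed here.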
After inserting an email and a password, you see this page asking for name, address, phone number and date of birth.
Then you arrive at credit card and bank account details, where they also ask for your mother’s maiden name as an additional security question.
Next you get a success page saying your account has been updated.
Then you get sent to the genuine Netflix home / log in page. It is very difficult for the average person to know whether the fake site is genuine or not.
We all get very blasé about phishing and think we know so much that we will never fall for a phishing attempt. Don’t assume that all attempts are obvious. Watch for any site that invites you to enter ANY personal or financial information. It might be an email that says “you have won a prize” or “sign up to this website for discounts, prizes and special offers”.
Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware.
All of these emails use social engineering tricks to persuade you to open the attachments that come with the email. It might be a message saying “look at this picture of me I took last night” that appears to come from a friend, or it might be more targeted at somebody who is regularly likely to receive PDF attachments, Word .doc attachments or any other common file that you use every day. Or it might be a straightforward attempt, like this one, to steal your personal, bank, credit card or email and social networking log in details. Be very careful when unzipping them, make sure you have “show known file extensions” enabled, and then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened.
Email Headers & site details:
| IP address | City | Region | Country | ASN |
|---|---|---|---|---|
| 18.104.22.168 | Wayne | Pennsylvania | US | AS8560 1&1 Internet SE |
| 22.214.171.124 | | | DE | AS8560 1&1 Internet SE |
Received: from [126.96.36.199] (port=50662 helo=email.com)
by knight.knighthosting.co.uk with esmtp (Exim 4.89_1)
for email@example.com; Thu, 18 Jan 2018 23:25:58 +0000
Received: from User ([188.8.131.52]) by email.com with Microsoft SMTPSVC(7.5.7601.17514);
Fri, 19 Jan 2018 00:25:56 +0100
Subject: Your Netflix Membership has been locked
Date: Fri, 19 Jan 2018 00:25:57 +0100
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-OriginalArrivalTime: 18 Jan 2018 23:25:56.0960 (UTC) FILETIME=[B127D600:01D390B3]
uid-netflix.com was registered on 18 January 2018 via a domain and website reseller/affiliate, ilovewww.com, who appear to be connected to a Malaysian domain registrar and hosting company, http://shinjiru.com.my, who between them obviously aren’t doing enough checks on the validity of the registrant’s details. The phishing site is hosted on 184.108.40.206, which doesn’t directly track back to any known hosting company but does appear in the list of IPs used by http://www.igzp.com/, who state “VPB.com global operation and maintenance server provider, set up a number of data centers in the world, independent host 7 * 24 hours technology, providing fully managed server technology.”
The listed registrant’s details are obviously fake. The postcode is a genuine Edinburgh postcode, but the street address does not exist and doesn’t match the postcode.
Registrant Name: Debra Hopper
Registrant Street: 64 Fairview Terrace
Registrant City: Edinburgh
Registrant State/Province: Fife
Registrant Postal Code: EH1 3SA
Registrant Country: GB
Registrant Phone: +44.07829938849
Registrant Phone Ext:
Registrant Fax Ext:
Registrant Email: firstname.lastname@example.org