Through FireEye’s Email Threat Prevention (ETP) solution, FireEye Labs discovered a phishing campaign in the wild targeting the credit card data and other personal information of Netflix users primarily based in the United States.
This campaign is interesting because of the evasion techniques that were used by the attackers:
- The phishing pages were hosted on legitimate, but compromised web servers.
- Client-side HTML code was obfuscated with AES encryption to evade text-based detection.
- Phishing pages were not displayed to users from certain IP addresses if its DNS resolved to companies such as Google or PhishTank.
At the time of posting, the phishing websites we observed were no longer active.
The attack seems to start with an email notification – sent by the attackers – that asks the user to update their Netflix membership details. The phishing link inside the email body directs recipients to a page that attempts to mimic a Netflix login page, as seen in Figure 1.
Figure 1: Fake login page mimicking the Netflix website
Upon submitting their credentials, victims are then directed to webpages requesting additional membership details (Figure 2) and payment information (Figure 3). These websites also attempt to mimic authentic Netflix webpages and appear legitimate. Once the user has entered their information, they are taken to the legitimate Netflix homepage.
Figure 2: Fake webpage asking users to update their personal details
Figure 3: Netflix phishing webpage used to steal credit card information
Figure 4: Client-side code obfuscation using AES encryption
Figure 5: PHP code used at server side for encryption
Another technique is the host-based evasion, as seen in Figure 7. The host name of organizations such as ‘phishtank’ and ‘google’ are blacklisted. The host name of the client is compared against a list of blacklisted host names. If there is a match against the blacklist, a “404 Not Found” error page is presented.
Figure 7: Server side code for blacklisting known hosts. Click image to enlarge.
As with the majority of phishing attacks, this campaign uses PHP mail utility to send the attacker the stolen credentials. The advantage of using this technique is that the attacker can host their phishing kits on a number of websites and still get the stolen credentials and other information from a single email account. This enables attackers to extend their reach.
Figure 8: Stolen information is sent to an email address using mail() function
Tips to Secure your Netflix Account
To learn more about securing your Netflix account, Netflix provides additional information on how to keep your account safe from phishing scams and other fraudulent activity at https://www.netflix.com/security.