MX Lab, http://www.mxlab.eu, started to intercept a phishing campaign by email with the subject “Your Netflix Account Has Been Suspeded [#654789]”.
This email is send from the spoofed address “”email@example.com” <firstname.lastname@example.org>” and has the following body:
During a routine check of your account we have failed to validate the billing method we have on record for your account.
To continue using the Netflix service you will need to update/verify your billing information.
Please note that failure to complete the validation process will result in the suspension of your netflix membership.
We thank you for your understanding.
Netflix Billing Support
Screenshot of the email:
In our sample, the URL takes us to the phishing site located at hxxp://netflix-validation-uk.co.uk/~netflix/authcode.22e2839f6ea44972845f1e0b02f397ba/email_identifier=71a605276e146b93e52b0c1bfb98ade285c337b0a6b7e5f3f560fd5bb11f1d1c/d0446fac4ba6feceb507af17e1b0bca8/Login.php
This shows us an identical copy of the official Netflix login page.
Screenshot of the member login form on the phishing web site:
After submitting the login and password, the phishing process begins by asking to fill in our billing information.
Followed by filling in our credit card details
Our account seems to be updated and we can continue….
…. straight to the official Netflix login site