MX Lab, http://www.mxlab.eu, started to intercept a phishing campaign targeting Netflix users. This campaign is not only an attempt to steal the login and password credentials but also the credit card number.
The email comes with the subjects like:
Your Netflix membership has issues
Your Netflix membership has unresolved issues
This email is send from the spoofed address ” email@example.com” or “firstname.lastname@example.org”and has the following body:
We recently failed to validate your payment information we hold on record for your account, therefore we need to ask you to complete a brief validation process in order to verify your billing and payment details.
Click here to verify your account
Failure to complete the validation process will result in a suspension of your netflix membership.
We take every step needed to automatically validate our users, unfortunately in this case we were unable to verify your details. The process will allow us to maintain our high standard of account security.
Netflix Support Team
This message was mailed automatically by Netflix during routine security checks. We are not completely satisfied with your account information and require you to update your account to continue using our services uninterrupted.
Screenshot of the email:
The embedded URL “Click here to verify your account” will lead the user to the non secure web site hxxp://validation-useraccount2.com/. This page has a redirect towards the following host hxxp://netflixuser-support.validate-user.activation.safeguard.key.1uh3.cdn-sys1.com/1xAfRfPNksOXoXI5y5n7JrKll8F3Nf1NMXUAwGlVmiDOD7Z80tt4UiWKzjbQwKE1i/Files/Login.php that will handle the process.
After (fake) login, you are asked for your billing information.
Further on in the process, your credit cards details are asked.
Once all the information is gathered, you have the final screen in this process.
When clicking on the button, the visitor is taken to the official Netflix web site.
MX Lab recommends to check similar incoming emails carefully before opening the URL. Only trust https connections when submitting personal or sensitive information.