We’ve seen countless fake pages purporting to be a bank or a popular shopping site that ask you for personal information.
This type of scam is called phishing and typically starts with an urgent-looking message in your inbox. Upon following the directions (typically clicking on a link), you’re taken to a page that looks like an exact replica of the genuine company.
Eric Lawrence, creator of the famous Fiddler web debugger, spotted a phishing attack targeting Netflix customers. Readers of this blog may remember a similar one we identified several months ago.
This new one is more sophisticated (better graphics, etc) although it does not have the tech support scam element but instead goes after your identity and wallet.
The bogus domain netflix-ssl.net (IP address: 176.74.28.254) was registered a few days ago through the “Crazy Domains FZ-LLC” registrar.
The information requested on the phishing page includes name, address and credit card details. It’s sent back to the bad guys’ server with multiple POST requests such as the one below:
POST http://netflix.co.uk.account.validation-9247424908.netflix-ssl.net/email_identifier=71a605276e146b93e52b0c1bfb98ade285c337b0a6b7e5f3f560fd5bb11f1d1c/6cde9c162b263b123b5a6f7b9e39ef7d/Sessions/Paymentsess.php HTTP/1.1 Host: netflix.co.uk.account.validation-9247424908.netflix-ssl.netnameoncard=&cardnumber=&expm=&expy=&securitycode=&accountnumber=&sortcode=&SubmitButton=Continue
Note the clever use of a long URL that resembles the genuine one and that may be particularly effective on mobile devices:
We are reporting this site to the registrar and hosting company so that it can be taken down as soon as possible.
Phishing scams are always getting more elaborate and unfortunately very hard to block because they keep popping up on new domains, registrars etc. truly making this a cat and mouse game between crooks and the security community.
While many web browsers (Internet Explorer, Google Chrome, Mozilla Firefox) do have anti-phishing technology that blocks access to fraudulent sites, there often is a bit of a lag between the time a new site comes up and when it gets blacklisted.
The best defence against these scams is awareness and suspicion from any email purporting to be from a company you deal with.
There are some telltale signs to recognize phishing attacks such as poor grammar, spelling mistakes or obviously unrelated URLs as well as a general ‘urgency’ in the tone of the message.