Recently, researchers of SANS Technology Institute warn about a new Netflix phishing scam which leads victims to sites with the valid Transport Layer Security (TLS) certificates.
On Wednesday, the Johannes Ullrich, dean of researchers at the SANS Technology Institute, said that there had been an upmark in the Netflix phishing emails scam by using the TLS-certified sites.
Johannes Ullrich also added some bad actors behind the phishing attacks would take benefits of unpatched plugins or installs, or by using the weak passwords, only to compromise common-suspect CMS software, like Drupal or WordPress. From there, they can easily create some phishing sites that might be mistaken for the real Netflix domains. In some instances, they are using wildcard DNS records.
The researcher also said on the blog post, with the use of a wildcard DNS record, *anything.domain.com will point directly to the similar IP address. The attackers will use a hostname/subdomain to start the attacks. But the researcher has also seen them by using some specific domain names which are registered for the phish.
However, the attacker can obtain a TLS certificate for a hostname which is related to Netflix, like netflix.login.domain.com or netflix.domain.com; it helps the site in escaping being flagged by safe-browser software.
Ullrich also said that the initial spoofed emails are the weakest part of the campaign, and it is very easy to spot.
He also added their words on a blog post that the email was marked as spamming, and is not worded that well. In this case, the link went to the hxxps://www.safenetflax.com; this domain registered only to impersonate Netflix. This type of domains is no longer resolves.
After clicking on the given link, Ullrich found that the websites will appear authentic and seem similar to the real Netflix, he said that there is only one modification which he can spot is that the alternative login methods like Facebook are missing.
Whereas the Netflix accounts are not particularly important, but the Ullrich said that he had seen them to offered $0.20-0.50 per account, the attack might be tempting to cyber-criminals as it can be easily automated and also very hard for the victims to spot.
If a Netflix account is compromised, then it can frequently be used for a long time undetected as Netflix allows the multiple simultaneous streams for its standard and the premium accounts, said by Ullrich in their blog post. Unless the genuine user gets ‘kicked off’ for using too many streams, the reasonable user will never know that there is someone else who is using their account.”
Over the years, the technique of using the TLS for phishing attacks has been considerably increased; last year, Zscaler said that they saw 400 percent boost in phishing attempts which delivered with SSL/TLS over 2016.
Deepen Desai, the director of security research at Zscaler said in a post about the drastic increase in the percentage; some hackers are posting phishing pages on valid domains that they have compromised. Many of these legitimate sites was supporting the SSL/TLS, and there are few network security solutions which can support the inspection of encrypted packets at scale.
However, Ullrich also mention in their post that ultimately the bad actor could have made a mistake by using TLS; as it is easy for Netflix or even for others to find the sites through the certificate transparency logs easily; and he doubts that many of the users would notice if the site did not use TLS.
Though the Netflix phishing campaigns have been continuing for years, but on a recent new range of fake email and some malicious links appear to have cropped up, with a variety of law enforcement advice citizens to be lookout for the scams.
A wave of police forces in Canada, for instance, has recently warned the public of a phishing scam that engages bad actors to impersonate Netflix to acquire victims banking information
Netflix, for its part, suggests the users to avoid clicking links which are sent via email; and that they have reported any distrustful messages through its official website.
Source : Norton.com/setup