Threat actors target a range of services, often either because the stolen credentials have resale value or because they can be replayed against higher-value accounts in credential stuffing campaigns. Last month, WMC Global tracked three unique Netflix-branded phishing campaigns that resulted in over 390,000 unique URLs (Figure 1). These campaigns were distributed solely via text messages (SMS) to US mobile numbers. WMC Global’s analysis of these campaigns provides unparalleled visibility into Netflix-branded phishing attacks.
Figure 1: Sample Netflix-Branded Phishing Campaigns in August 2020
The Phishing Page
The same phishing kit was used across the three Netflix-branded campaigns. With this kit, cataloged by KITIntel, consumers see a message explaining why they need to submit their login credentials and payment information again; this is a stark contrast to more traditional Netflix-branded phishing attacks, which simulate the Netflix customer login page.
The phishing site first requires the user to enter their email address (Figure 2) and then asks for the user’s address and name. This second page, continue.php, also displays the user’s IP address and the email address entered on the first page (Figure 3).
Figure 2: Netflix-Branded Phishing Page, User Flow 1
Figure 3: Netflix-Branded Phishing Page, User Flow 2
The final page of the phishing site asks the user to enter their payment card details (Figure 4). Once the required data has been entered, the site hides the form input and, notably, does not redirect the user to the legitimate Netflix site, as many other phishing sites do.
Figure 4: Netflix-Branded Phishing Page, User Flow 3
In all three campaigns, the phishing sites are configured so that only visitors whose browser presents a mobile user-agent are routed to the phishing page. When accessed without a mobile user-agent, the site returns a 404 status page and does not reveal the phishing content.
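A URL scanner that only fetches with a desktop user-agent will see the 404 and miss sites cloaked this way. The Python below is an added example (not WMC Global's tooling) of fetching a reported URL twice, once with a mobile and once with a desktop User-Agent, and comparing the two responses; the user-agent strings, form markers and the sample responses are constructed assumptions, not data from the campaigns.

```python
import urllib.error
import urllib.request

# Assumed user-agent strings (constructed): one mobile browser, one desktop browser.
MOBILE_UA = "Mozilla/5.0 (Linux; Android 10) AppleWebKit/537.36 Chrome/85.0 Mobile Safari/537.36"
DESKTOP_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/85.0 Safari/537.36"

# Strings that suggest a credential or payment form; chosen here as an assumption,
# based on the data the kit described above collects (email, address, card).
FORM_MARKERS = ("email", "password", "card", "cvv")


def fetch(url, user_agent, timeout=10):
    """Fetch url with the given User-Agent; return (status, body) even on 4xx/5xx."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def has_credential_form(status, body):
    """True when a 200 response carries an HTML form with a credential/payment field."""
    lowered = body.lower()
    return status == 200 and "<form" in lowered and any(m in lowered for m in FORM_MARKERS)


def cloaking_verdict(desktop, mobile):
    """Compare the (status, body) pairs seen by the two user-agents and label the site."""
    mobile_form = has_credential_form(*mobile)
    desktop_form = has_credential_form(*desktop)
    if mobile_form and not desktop_form:
        return "ua-cloaked-phishing"   # form only shown to mobile visitors
    if mobile_form and desktop_form:
        return "form-served-to-all"    # still suspicious, but not cloaked by UA
    return "no-credential-form"


def probe(url):
    """Live check of a reported URL: fetch twice and compare (network required)."""
    return cloaking_verdict(fetch(url, DESKTOP_UA), fetch(url, MOBILE_UA))


# Constructed responses mirroring the behaviour described above; no network needed.
DESKTOP_404 = (404, "<html><body><h1>404 Not Found</h1></body></html>")
MOBILE_FORM = (200, "<html><body><p>We could not validate your payment details.</p>"
                    "<form action='continue.php' method='post'>"
                    "<input name='email' type='email'></form></body></html>")

if __name__ == "__main__":
    print(cloaking_verdict(DESKTOP_404, MOBILE_FORM))   # ua-cloaked-phishing
```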
WMC Global first detected these large-scale SMS-based phishing campaigns targeting Netflix customers in early August; on the first day, 1,093 unique URLs were identified. The text message content for the three campaigns was identical apart from each message carrying a unique URL. Padding each message with a unique URL lets the threat actor track whether a targeted phone number clicked the phishing link. Shortly after the discovery of the initial campaign, a much larger campaign launched, becoming the largest SMS-based phishing campaign WMC Global has tracked to date.
Campaign #1
The initial campaign launched in early August, and for the first few days it sent only one URL per day. On August 5th, however, the number of unique URLs for this campaign exceeded 1,000, marking the start of a very notable campaign. The campaign kept sending URLs, and on August 6th it sent 6,424 unique URLs. The upward trend in URLs sent per day continued throughout August. The campaign’s largest day was August 25th, when WMC Global detected over 95,000 unique URLs sent via SMS in a single day (Figure 5).
Figure 5: Netflix-Branded Phishing URLs Sent via SMS in August 2020
The total number of phishing URLs sent via SMS during the initial August campaign was 385,759. Given the rise in usage of the Netflix platform in 2020, it is no wonder the popular streaming service has been the target of large campaigns.
This campaign leveraged over 200 unique domains to host the phishing kits. The vast majority were hijacked domains; however, some were stood up for the campaign using services such as dynamic DNS providers.
Campaign #2
In the second campaign tracked by WMC Global, every URL carried distinctive PHP query-string parameters, which enabled the team to track and monitor the campaign efficiently.
The first batch of URLs, which was also the largest of this campaign, was sent out by the threat actor on August 3rd, totaling 1,464 unique URLs within a 24-hour period. The threat actors continued to send small volumes of URLs for the rest of the month, averaging 19 URLs a day.
In total, WMC Global detected 1,817 events related to this campaign over the month of August. The campaign used 30 unique domains to host its phishing kits.
Campaign #3
On August 20th, a third and final campaign activated: threat actors sent out 3,360 unique URLs within a six-hour period. Although this campaign was very short lived, it distributed a large volume of URLs compared to the other campaigns running at the time. The change in URL design constitutes a change in tactics, techniques, and procedures (TTPs) that many threat intelligence teams and abuse desks could easily miss, making it a noteworthy shift in the campaign’s structure.
Conclusion
WMC Global observed a notable increase in SMS-distributed, Netflix-branded phishing campaigns in August. That the three campaigns ran concurrently and used the same phishing kit, despite their very different volumes, is intriguing. Alongside the three campaigns outlined above, WMC Global tracked hundreds of small-scale and single-site Netflix-branded phishing campaigns, which continue to propagate online targeting Netflix customers.
Indicators of Compromise
URL Regexes
Campaign #1
(https?:\/\/)?.*?netfl(i|x)?.*-\w{5,11}\.\w+-?(\.?\w+)*\/?$
Campaign #2
(https?:\/\/)?.*?(\.|-).*?netflix.*?\?\w{2,4}=\w{8,14}\/?$
Campaign #3
(https?:\/\/)?\w{3}-netflix\w{8}\..+?\..+?\/?$
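The three regexes above can be dropped straight into a classifier for SMS gateway logs or URL feeds. The Python below is an added example, not WMC Global's tooling; the campaign labels, the defanging helper and the sample log lines (with invented hostnames) are constructed for illustration.

```python
import re

# The three campaign regexes exactly as published above; Python's re module
# accepts the escaped "\/" as a literal slash.
CAMPAIGN_PATTERNS = {
    "campaign_1": re.compile(r"(https?:\/\/)?.*?netfl(i|x)?.*-\w{5,11}\.\w+-?(\.?\w+)*\/?$"),
    "campaign_2": re.compile(r"(https?:\/\/)?.*?(\.|-).*?netflix.*?\?\w{2,4}=\w{8,14}\/?$"),
    "campaign_3": re.compile(r"(https?:\/\/)?\w{3}-netflix\w{8}\..+?\..+?\/?$"),
}

# Constructed SMS gateway log lines (not real traffic); hostnames are invented.
SAMPLE_SMS_LOG = [
    '2020-08-25T10:14:02Z to=+15550000001 body="Netflix: payment declined, update at http://app.netflixorg-qwertyuiop.example.net"',
    '2020-08-03T09:02:11Z to=+15550000002 body="Your Netflix membership is on hold http://launch.netflix-app-us-failedtopay.example.org?nop=abcdefghijk"',
    '2020-08-20T16:40:55Z to=+15550000003 body="Netflix: verify billing http://rev-netflixabcdefgh.example.com"',
    '2020-08-20T17:01:00Z to=+15550000004 body="Reminder: your show is back https://www.netflix.com/browse"',
]


def refang(url: str) -> str:
    """Undo the defanging common in IoC feeds ("[.]", "[:]", "hxxp") before matching."""
    url = url.strip().replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def classify_url(url: str):
    """Return the label of the first campaign regex that matches the URL, or None."""
    candidate = refang(url)
    for name, pattern in CAMPAIGN_PATTERNS.items():
        if pattern.search(candidate):
            return name
    return None


def scan_sms_log(lines):
    """Pull every URL out of the log lines and keep those that match a campaign."""
    url_re = re.compile(r"""https?://[^\s"']+""")
    hits = []
    for line in lines:
        for url in url_re.findall(line):
            campaign = classify_url(url)
            if campaign is not None:
                hits.append((url, campaign))
    return hits


if __name__ == "__main__":
    for url, campaign in scan_sms_log(SAMPLE_SMS_LOG):
        print(f"{campaign}: {url}")
```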