A quick search on Twitter reveals a large variety of Netflix phishing emails observed in the wild this week. There appears to be a large wave of these, possibly from many sources. Some of them are more advanced than others. Large news outlets, such as Fortune, have published warnings about the Netflix phishing scam.
This wave presents an opportunity to see a good example of some of the Phishing Attack Trends being observed in the wild. Also, it’s a good opportunity to use the Phishing Email Scorecard to practice evaluating how advanced these phishing emails are.
Netflix Phishing Email Examples
Below is an example with a generic greeting. Using the Phishing Email Scorecard, we scored this phishing email as Somewhat Advanced (the tipping point would be the sender’s email address and the domains used, which can’t be observed from this screenshot).
— KG (@KSpade1120) September 8, 2017
This next example uses a slightly more personalized approach by being addressed only to the recipient, but as the attack target points out, there is an unnecessary hyphen in the Sender’s Name. In this example, however, the attacker used a realistic logo. So using the Phishing Email Scorecard, we scored this phishing email as Somewhat Advanced.
— Matthew (@MackTheMac) September 17, 2017
In this third example, unfortunately, we’re given less information for creating a useful score because we’re lacking the Sender Name, Sender Email Address, and Subject Line. However, other aspects are more advanced. For example, the image is the correct logo, and there is a good use of formatting. The domain in the email is sufficiently deceptive because targets will see the word “Netflix” and frequently overlook that the higher level domain is “net-effect (dot) info.” Notice also the probable use of some TLS / SSL encryption on the pharming (credentials harvesting) page because of the inclusion of HTTPS in the URL. We can’t know for sure without clicking (not worth it!), but the user will likely receive indications of a “secure” connection in their browser because of the use of those encryption protocols, further adding to the advanced level of links used in the attack.
— 🌈🌈VOTE YES🌈🌈 (@thatblogchick) September 27, 2017
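The domain check described in the third example can be automated on the mail-filtering or triage side. The following is an added example, not part of the original post: it flags a link when a brand name appears anywhere in the URL while the registrable domain is not one the brand uses, and it treats HTTPS as no evidence of legitimacy. The sample URLs are constructed (only the "net-effect (dot) info" domain comes from the post), the function names and the brand table are hypothetical, and the two-label domain rule is a simplification.

```python
from urllib.parse import urlsplit

# Assumption: illustrative allow-list of domains each brand really uses.
BRAND_DOMAINS = {"netflix": {"netflix.com"}}


def refang(url):
    """Undo common analyst defanging so the URL can be parsed, never fetched."""
    for old, new in (("(dot)", "."), ("[.]", "."), ("hxxp", "http"), (" ", "")):
        url = url.replace(old, new)
    return url


def registrable_domain(host):
    """Naive eTLD+1 (last two labels). Production code should consult the
    Public Suffix List, since suffixes such as co.uk have two labels."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def assess_link(url):
    """Return the registrable domain and any brand-mismatch findings."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    haystack = host + parts.path.lower()
    findings = []
    for brand, legit in BRAND_DOMAINS.items():
        # The brand word is visible to the reader, but the site belongs to reg.
        if brand in haystack and reg not in legit:
            findings.append(f"'{brand}' appears in URL, but the domain is {reg}")
    if findings and parts.scheme == "https":
        # A certificate encrypts the session; it says nothing about the owner.
        findings.append("HTTPS present: padlock does not vouch for the site")
    return {"registrable_domain": reg, "suspicious": bool(findings),
            "findings": findings}


if __name__ == "__main__":
    # Constructed sample links, kept defanged in the source.
    for sample in ("https://netflix.net-effect (dot) info/login",
                   "http://net-effect[.]info/netflix/signin",
                   "https://www.netflix.com/browse"):
        print(sample, "->", assess_link(sample))
```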
A large variety of Netflix phishing emails appeared this week, and many of them are at least somewhat advanced, meaning that the likelihood of a successful attack is increased. This intelligence, therefore, merits the publication of warnings and alerts by Netflix and the media.