Netflix Phishing Sent Via SMS

After a long time without an update, here is a quick post about a phishing message I received :)

Figure 1: SMS Message Containing Link To Phishing

In case you are not a tech-savvy reader and don't immediately see that this is phishing, I will explain how I noticed.
Alarm no. 1: The sender - "NetSupport". Support for what? Support for whom? I never received an SMS from them in the past, and I didn't expect to receive one, especially not in English, which is not the language of my country.
Alarm no. 2: The content - "Update your blabla ... account on hold ... http://link.to.phishing".
This is classic phishing of the kind you usually see in emails: someone asks you to update some information, your account is suspended until you do, and they give you a link to update it, which is the phishing page itself that harvests your data.
No business that respects itself would send you an SMS or email asking you to update your details; if you do receive one, 99.99% it is phishing. A respectable business would actually call you if there were an issue.
Alarm no. 3: The link - bit.ly is a URL shortener. It is used to keep URLs short, but it is also abused by attackers to mask the real URL the link points to; more on that later.
Once again, a respectable business can buy its own unique domain for URL shortening; bit.ly is heavily abused by attackers.
However, unlike email phishing, an SMS carries no indication of which service or business sent the message, and a bit.ly link doesn't help much to identify it, so let's click on the link :D

Figure 2: Network Traffic When Accessing The Link

As you can see, there is a series of redirects before we hit the phishing page itself. The first redirect is obvious: converting the short bit.ly URL to the real link. But it seems the attacker decided on an interesting approach, using a "gate" and doing another redirect before going to the real link.
This is only an assumption, but it is most likely done to keep the campaign working for longer: if the phishing page gets flagged, the attacker can change the gate to redirect to a new phishing page instead.
If this was not clear, the gate in this case is "https://interactivascollective.com/nt/", which seems to be a compromised site.
This gate, however, still doesn't redirect to the final phishing page; there is another redirect, which I suspect is used to personalize the phishing page for victims from different countries. I tried with two geolocations and got the same final result, so I might be wrong, or was too lazy to find a geolocation with another unique phishing page/language.
In conclusion, the "gate" redirects to the "login" gate, which redirects to the final phishing page "https://jlwebapps.com/login/signin.php?country=MD-Republic%20of%20Moldova&lang=en".
As can be seen in the URL, it has parameters such as country and language. This page also seems to be hosted on a compromised website.
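To see every hop of a chain like this (shortener, gate, "login" gate, final page) instead of letting a client silently auto-follow it, here is an added Python example that is not part of the original post. It runs over constructed responses modelled on the chain above; the bit.ly short code and the "login" gate URL are placeholders because the post does not give them, and the shortener list is a small assumed set.

```python
from urllib.parse import urljoin, urlsplit, parse_qs

# Assumption: a small hand-picked set of public URL shorteners, not an exhaustive list.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd"}
REDIRECT_CODES = {301, 302, 303, 307, 308}


def follow_chain(start_url, fetch, max_hops=10):
    """Follow redirects one hop at a time, recording every URL visited.

    `fetch(url)` must return (status_code, headers_dict) WITHOUT following
    redirects itself, so each intermediate "gate" stays visible in the result.
    Stops at the first non-redirect response; refuses loops and runaway chains.
    """
    chain, seen, url = [start_url], {start_url}, start_url
    for _ in range(max_hops):
        status, headers = fetch(url)
        # Header names are case-insensitive; proxies/servers differ in casing.
        location = next((v for k, v in headers.items() if k.lower() == "location"), None)
        if status not in REDIRECT_CODES or not location:
            return chain                      # landed on the final page
        url = urljoin(url, location)          # Location may be relative to the current URL
        if url in seen:
            raise ValueError(f"redirect loop at {url}")
        chain.append(url)
        seen.add(url)
    raise ValueError(f"more than {max_hops} redirects from {start_url}")


def summarise(chain):
    """Describe a redirect chain the way an analyst reads it off a proxy log."""
    hosts = [urlsplit(u).hostname or "" for u in chain]
    final = urlsplit(chain[-1])
    return {
        "hops": len(chain) - 1,
        "starts_with_shortener": hosts[0] in SHORTENERS,
        "hosts": hosts,
        # Personalisation parameters such as country/lang on the final page.
        "final_params": {k: v[0] for k, v in parse_qs(final.query).items()},
    }


# Constructed responses modelled on the chain in the post. The bit.ly code and
# the "login" gate host are placeholders; the other URLs are the ones the post quotes.
SAMPLE_RESPONSES = {
    "http://bit.ly/PLACEHOLDER": (301, {"Location": "https://interactivascollective.com/nt/"}),
    "https://interactivascollective.com/nt/": (302, {"location": "https://login-gate.example/"}),
    "https://login-gate.example/": (302, {"Location":
        "https://jlwebapps.com/login/signin.php?country=MD-Republic%20of%20Moldova&lang=en"}),
    "https://jlwebapps.com/login/signin.php?country=MD-Republic%20of%20Moldova&lang=en":
        (200, {"Content-Type": "text/html"}),
}


def sample_fetch(url):
    return SAMPLE_RESPONSES[url]


if __name__ == "__main__":
    print(summarise(follow_chain("http://bit.ly/PLACEHOLDER", sample_fetch)))
```

With a real client, pass a `fetch` that disables automatic redirect following (e.g. `allow_redirects=False` in requests) so the gates are not hidden.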
Finally we can see what the attacker is looking for:

Figure 3: Fake Netflix Login Page

The attacker was looking for our Netflix credentials!
You might ask yourself: what the hell??? Netflix is not that expensive, and there are multi-user plans, so you can split the cost with a friend or relative.
The attacker is not actually after your Netflix account; there is a much higher risk here.
People tend to reuse passwords. Attackers will try to get into your email and look for mail from financial institutions or banks, or whatever else they find interesting; the possibilities are endless and I won't list them, because it would take forever and I would still miss a few.
In the worst case scenario, the attacker would just sell your Netflix account for a few dollars to increase the ROI (return on investment) of the campaign. If you have seen cheap Netflix accounts sold on eBay, there is a high chance they are hacked accounts.

If all of this is still not enough to convince you that this is a phishing page, another good indication that you might be a phishing victim is:
Alarm no. 4: The links on the page don't work - if you try to click the "Sign up now" link, nothing happens. Attackers are usually lazy and don't make the page fully functional, as they are only interested in your credentials.

Stay safe!
