Introduction and an Email Address Tip
Trevor Collins recently blogged about a Netflix phishing attempt he caught on to. I received a phish-y Netflix email as well and I wanted to take the time to blog about the email to help add additional value of how to spot such emails. Earlier this week I also wrote about email spoofing and phishing, and what to look for in identifying such emails. Admittedly I use these steps for many – but not all – emails. However, seeing how easy it is to spoof, it’s best to break in a new habit and begin scrutinizing all emails coming in – personal or business.
One tip right off the bat: having multiple emails for various uses is a great filter system. For example, have a spam email address that you use to sign up for certain services, such as online shopping or public forums. You can have a separate personal email address that only you know and forward specific emails from the spam email address to or use it just for personal communications; just some thoughts. Of course, this introduces maintenance and additional steps. It’s up to you though, as the reader and user, to weigh the pros and cons in such cases.
On to the Point
Moving on, I will say that it just so happened to be that I received a legitimate Netflix email right before this phish-y Netflix email from an oddly named domain. This phishing email was fairly easy to catch, and you will see why as you read through this post and refer to the Figures within. Lastly, I urge all mobile users to follow these steps to decrease phishing email link click-throughs.
Let’s start with the legitimate Netflix email as seen in Figure 1. I did mask/remove my email from the image since it is a personal(-ish) email that I’d rather not get more spam in (pro tip: refer to intro section’s “spam email” mention). The subject line matches many other such emails that I get from Netflix, offering suggested movies or shows to watch. After expanding the email recipients, you’ll notice the “From” field and an email address of “info[@]mailer.netflix[.]com”. The “To” field was populated with my email address.
Figure 2 displays the phishing email’s subject line. Figure 3 displays an overview of the phishing email. Figure 4 shows the entirety of the phishing email’s body content. So far, based on these, I will say the subject line was a huge giveaway. It’s rather lengthy and in multiple languages. Further, two more things to note: one is the “Netflix Yesterday to…” text right by the purple-ish “N” image in both the legitimate email and the phishing email. The legitimate email shows “to me” while the phishing email says “to Netflix” – that’s odd.
One other focal point that may not be as obvious is Figure 2’s “Show pictures” and Figure 3’s “Always show pictures from this sender” messaging. In contrast to Figure 1, there is no message of this sorts. The reason for this is that I already opted to “Always show pictures from this sender” on legitimate Netflix emails as seen in Figure 1. The fact that this message appears is in itself another giveaway.
Up next, let’s check out the email recipients in Figure 5. The listed domains should be a dead giveaway at this point. Taking this fact into account along with the previous oddities, it should now be clear that this is not a legitimate email. I could do some more due diligence and dig further online to verify if Netflix has any sort of affiliate marketing or does messaging through 3rd party services, but that’s just extra work. The better option would be to directly log into my Netflix account using its known URL – “https[:]//www.netflix[.]com/Login”. From there, I can browse my account information and verify the phish-y email’s body content.
To top everything off, refer to Figure 6 for a preview of the embedded link. The URL is very funky looking, and I wouldn’t want to even follow that link! However, having had my interests piqued, I checked it out in a sandboxed machine. The full URL is “http[:]//dsfuidwsyfg98eryhgv9sieorhger09h-sdigh908ishdbnvgp9seor.acc0unts-movienetflix[.]info/Euwnmp2yb/kG5vUrbsagiSFNmiudu=CqxwGDVQtlj[@]hotmail.com”.
Figure 7 shows what happens when I followed the link on a sandboxed device running Chrome. Note that this was not performed on my mobile device.
Conclusion
From a personal standpoint, the main giveaway was that I received a legitimate Netflix email a few hours before receiving this phish-y looking Netflix email. After conducting my due diligence and scrutinizing the latter email, it became clear that this was indeed a malicious email. Putting the legitimate email aside, the subject line was the first oddity and then the email recipients. Those two factors alone would cause me to disregard this email in its entirety, not to mention that I am not that concerned with my Netflix account that I’d follow a link within this email. If I were concerned with my Netflix account, I’d rather use the known login screen which was returned from a simple online search query.
In completing the rest of the investigation, for security research purposes, the evident truth couldn’t be clearer – this phish-y looking email was indeed a malicious email! The rest of my investigation consisted of long-pressing on the embedded links to “Copy URL” and then pasting them in a plain text application to see what the URL looks like. We can further analyze the domain name and can confirm its deceptiveness, but to fully analyze this would be beyond the scope of this post – perhaps a future post.
All in all, I hope you, as the reader, were able to take a thing or two away from this post, along with the other linked posts as well. This whole process really shouldn’t take more than a few minutes. It’s a matter of opening the email, looking at the subject line, checking the email recipients, and long pressing on embedded links to copy the URL rather than clicking on the link to follow the URL. The mere minutes this took can save countless time in investigations and recouping a breached network or lost credentials.
Be safe and stay vigilant.