2017-11-22 - NETFLIX PHISHING EMAILS

ASSOCIATED FILES:

  • 2017-11-22-Netflix-phishing-traffic.pcap   (848,321 bytes)
  • 2017-11-22-Netflix-phishing-email-1635-UTC.txt   (6,463 bytes)
  • 2017-11-22-Netflix-phishing-email-1636-UTC.txt   (6,461 bytes)
  • 2017-11-22-Netflix-phishing-email-1654-UTC.txt   (6,439 bytes)
  • 2017-11-22-Netflix-phishing-email-1659-UTC.txt   (6,440 bytes)
  • 2017-11-22-Netflix-phishing-email-1707-UTC.txt   (6,439 bytes)
  • 2017-11-22-Netflix-phishing-email-1715-UTC.txt   (6,440 bytes)
  • 2017-11-22-Netflix-phishing-email-1728-UTC.txt   (6,446 bytes)
  • 2017-11-22-Netflix-phishing-email-1729-UTC.txt   (6,445 bytes)
  • 2017-11-22-Netflix-phishing-email-1745-UTC.txt   (6,445 bytes)
  • 2017-11-22-Netflix-phishing-email-1802-UTC.txt   (6,440 bytes)
  • 2017-11-22-Netflix-phishing-email-tracker.csv   (1,951 bytes)

NOTES:

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains:

 

EMAILS


Shown above:  Screenshot from the spreadsheet tracker.

 


Shown above:  Screenshot from one of the emails.

 

EMAIL HEADERS:

 

TRAFFIC


Shown above:  Fake Netflix login page.

 


Shown above:  Traffic from the infection filtered in Wireshark.

 


Shown above:  Traffic from the infection as recorded in Fiddler.

 

NETWORK TRAFFIC FROM MY INFECTED LAB HOST:

 

FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
