2018-03-22 - NETFLIX-THEMED PHISH

ASSOCIATED FILES:

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains:

 

EMAIL HEADERS

Received: from web.com ([140.82.32.95]) by [removed] for [removed];
     Thu, 22 Mar 2018 15:31:24 +0000 (UTC)
Received: from User ([104.207.131.25]) by web.com with Microsoft SMTPSVC(8.5.9600.16384);
     Thu, 22 Mar 2018 15:31:27 +0000
Date: Thu, 22 Mar 2018 15:31:26 -0000
MIME-Version: 1.0
Bcc:
X-Priority: 3
Return-Path: email@netflix.intl.com
Subject: Your Netflix Membership is on hold
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
Message-ID: <VULTR-GUESTdITblCBA000018f8@web.com>
From: " Netflix"< email@netflix.intl.com>
Content-Type: text/html;
     charset="windows-1251"
X-OriginalArrivalTime: 22 Mar 2018 15:31:27.0821 (UTC) FILETIME=[D84037D0:01D3C1F2]
X-MSmail-Priority: Normal

 

TRAFFIC

NETWORK TRAFFIC:

 

IMAGES


Shown above:  Screenshot of the phishing email.

 


Shown above:  Phishing page, a fake GoDaddy login site.

 


Shown above:  Traffic to the phishing page filtered in Wireshark.

 


Shown above:  Fiddler capture of the HTTP and HTTPS traffic.

 

FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

 

Click here to return to the main page.