A new phishing campaign has been targeting European users of the popular video streaming service Netflix. According to security researcher Jovi Umawing from Malwarebytes, the fake website – with the domain nefixx.co.uk – is nearly identical to that of netflix.co.uk, and even offers potential customers a "free trial." The malicious campaign prompts users for personal and payment information when supposedly signing up for the service, including their name, address, mobile phone number, date of birth and card number, as well as expiration date and security code.
Source: Malwarebytes

Umawing notes the domain was registered only days before it appeared in the wild, via the "Crazy Domains FZ-LLC" registrar – a tactic seen in a similar Netflix phishing campaign discovered in August last year. However, the new campaign differs in that it is believed to primarily target UK and European users, and can detect a visitor's IP address. Umawing explained: "We believe that it then uses this data to double-check if the visitor has been on the site before via the following request: GET /email_identifier=71a605276e146b93e52b0c1bfb98ade285c337b0a6b7e5f3f560fd5bb11f1d1c/SecondVisit/index.php HTTP/1.1" The domain then retrieves its list of banned or blocked IP addresses for comparison. "Once confirmed that the visitor's IP is already on the list, the domain then prevents the page from loading," he added.

Users are urged to be wary when receiving unsolicited email offers, as the campaign is known to direct users to the phishing site through bogus Netflix emails. "Phishing scams are always getting more elaborate and unfortunately, are very hard to block because they keep popping up on new domains, registrars, etc., truly making this a cat and mouse game between crooks and the security community," wrote senior security researcher Jerome Segura.
“The best defence against these scams is awareness and suspicion from any email purporting to be from a company you deal with.”
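The report's central technical point is that the phishing domain (nefixx.co.uk) is a near-copy of the real one (netflix.co.uk), which is exactly the kind of thing an email gateway or proxy can flag automatically rather than leaving to user awareness alone. The following is an added example, not code from the article or from Malwarebytes: a small lookalike-domain check that extracts the registrable label of each URL's host, compares it with a protected brand label using edit distance, and also catches the brand name embedded in a subdomain or hyphenated label. The brand list, the two-level suffix set, the 0.5 distance ratio and the sample URLs are all constructed assumptions for this example; a real deployment would use the Public Suffix List and tune the threshold against its own traffic.

```python
from urllib.parse import urlsplit

# Brand labels to protect (constructed list for this example).
BRANDS = {"netflix"}

# Two-level public suffixes this toy parser understands (constructed subset;
# a real deployment would load the full Public Suffix List).
TWO_LEVEL_SUFFIXES = {"co.uk", "org.uk", "com.au"}


def levenshtein(a, b):
    """Classic edit distance: insertions, deletions and substitutions cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable_label(host):
    """Return the label just below the public suffix, e.g. 'nefixx' for 'www.nefixx.co.uk'."""
    parts = host.lower().rstrip(".").split(".")
    suffix_len = 2 if ".".join(parts[-2:]) in TWO_LEVEL_SUFFIXES else 1
    remaining = parts[:-suffix_len]
    return remaining[-1] if remaining else ""


def classify_host(host, max_ratio=0.5):
    """Classify a hostname as 'brand', 'lookalike' or 'unrelated'.

    max_ratio is the edit distance allowed as a fraction of the brand length
    (assumed threshold; 0.5 lets 'nefixx', distance 3 from 'netflix', through).
    """
    host = host.lower().rstrip(".")
    label = registrable_label(host)
    if label in BRANDS:
        return "brand"
    other_labels = [p for p in host.split(".") if p != label]
    for brand in BRANDS:
        if brand in label:                                   # netflix-billing.com
            return "lookalike"
        if levenshtein(label, brand) <= max_ratio * len(brand):  # nefixx.co.uk
            return "lookalike"
        if any(brand in p for p in other_labels):            # netflix.example.com
            return "lookalike"
    return "unrelated"


# Constructed sample links, as they might appear in an email gateway log.
SAMPLE_URLS = [
    "https://www.netflix.co.uk/signup",
    "https://nefixx.co.uk/",               # the lookalike named in the report
    "https://netflix-billing.com/verify",  # constructed: brand inside the label
    "https://netflix.example.com/login",   # constructed: brand as a subdomain
    "https://www.bbc.co.uk/news",
]


def scan_urls(urls):
    """Return (url, host, verdict) for every URL whose host is judged a lookalike."""
    hits = []
    for url in urls:
        host = urlsplit(url).hostname or ""
        verdict = classify_host(host)
        if verdict == "lookalike":
            hits.append((url, host, verdict))
    return hits


if __name__ == "__main__":
    for url, host, verdict in scan_urls(SAMPLE_URLS):
        print(f"{verdict}: {host}  ({url})")
```

The distance ratio matters: nefixx is three edits away from netflix, so a fixed threshold of two (a common default) would miss the very domain in this report, while a looser one raises false positives on short brand names. Pair the check with the registration-age signal the article mentions (the domain was registered days before use) rather than relying on either alone.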