Merry Phishing Scam To You

Another day, another phishing scam. The reason we keep getting these is that they work. And they often work because, aside from some details that can take a technical eye to notice, they look so authentic. I’m sharing this one that was attempted on me this morning — with no positive result for the scammers — because it looked particularly polished and more convincingly authentic than many I receive.

It started out with a strange-looking text from an unknown entity.

Examining the name of the sender, I saw the word “customs” and I thought I saw the word “dallas,” too. Normally I would ignore a cryptic text like this, but because I am expecting a package from China shortly, and Dallas is a city near me through which such a package might reasonably be routed, I clicked, despite being skeptical. (BTW, turns out the string I thought I first saw as “dallas” is actually “dalla”.)

The link took me to a page that looked like this:


Pretty official looking, isn’t it? Glancing at the URL location bar in my browser, I saw this:

http://verify.netflix.up1.j4h2.us/notification.php?Notify=true&accID=oQnNROvwMclRMpiozYaHJDhBo

After giving me a minute or two to read the content, that page automatically forwarded to this page:


Again, glancing at the URL location bar, I saw this:

http://verify.netflix.up1.j4h2.us/personalprofile.php?Verify=true&accID=VhidlCjHJDCyvRGC

The pages look convincing, don’t they? And the setup also sounds reasonable. Except there are red flags all over the place. Other security-minded friends of mine might weigh in with other signals — and they are welcome to do so — but I want to cover the main items that made me recognize this as a phishing scheme immediately.

First, if you don’t already know this, let’s understand what a phishing scheme is: it’s an attempt to trick you into handing over your passwords or personally identifiable information so they can be used for anything from accessing your online accounts, to opening credit cards in your name, and any number of activities in between.

In this case the scammer is using Netflix on the assumption that I have a Netflix account. Pretty safe assumption these days. The reality is they don’t care about my Netflix account, they care about what data they can scare me into giving them under the threat of losing access to my Netflix account. (But I’m about to watch the last episode of OZARK! I can’t lose access now!)

First thing I did was turn on my Apple TV — a separate device from the computer where the phishing scheme was attempting to play out — and fired up Netflix. Sure enough, no trouble there. At this point I could have safely ignored the scheme and moved on.

I decided I wanted to document this one to publicize it, so I played it out to the point where the request for data entry started, just to get the screencaps for this post. At no point did I ever enter any data or passwords. This is critical. Never, ever, ever enter data or passwords UNLESS YOU INITIATE THE TRANSACTION.

That brings me to red flag #1 (for me): Neither Netflix, nor any other legitimate organization you do business with — and most especially your bank — will ever send you a communication by email or text or phone that requires you to enter personally identifiable information and/or passwords through a link in that message to “verify” yourself before continuing. A legitimate alert, if one arrives at all, tells you to go to the site or app yourself and log in the way you always do. Anything that serious from the IRS or a financial institution is initiated by FIRST CLASS mail, not by a text with a link in it.

Additional red flags:

Gibberish, poor English, weird punctuation in messages and URLs

Let’s look at the original text message again:

A message that starts with an ellipsis enclosed in parentheses? What’s that all about? An exclamation point with a space before and after? And what the hell is up1.j4h2.us? The fact that the verify.netflix is prepended to that string of gibberish does not make it official. In fact, the gibberish virtually guarantees that it is not.

Again, normally the scam would have ended for me right here, but before I saw the reference to Netflix, I saw the reference to “customs” and thought of those gifts that are arriving from China shortly.

Let’s look at the URLs for the two resulting landing pages again:

http://verify.netflix.up1.j4h2.us/notification.php?Notify=true&accID=oQnNROvwMclRMpiozYaHJDhBo

http://verify.netflix.up1.j4h2.us/personalprofile.php?Verify=true&accID=VhidlCjHJDCyvRGC

Lots of gibberish with a few official-sounding references in there, right? But don’t your Amazon URLs look the same way? Sometimes. The difference is where the real name sits. The only part of a URL that tells you who you are talking to is the host, the text between the “//” and the next “/”, and within the host only the registered domain counts: the public suffix (“.com”, “.us”) plus the single label immediately to its left. Everything to the left of that is a subdomain the domain’s owner can name anything they like, and everything after the first “/” is a path the same owner controls. Your Amazon URLs, full of gibberish as they are, always have a host that ends in “amazon.com”. Any official URL from Netflix would have a host ending in “netflix.com”. Here the host is “verify.netflix.up1.j4h2.us”, so the registered domain, and the party actually serving the page, is “j4h2.us”. The presence of “verify.netflix” bolted onto the front does not cut the mustard. (NB: “verify.netflix.com” would be legitimate, provided you actually land at a page whose location bar shows a host ending in “netflix.com”. Always keep an eye on what’s going on in the location bar; it’s very easy for bad actors to redirect your browser.) Note, too, that both URLs begin with plain “http://” rather than “https://”: a real service collecting anything sensitive serves the page over an encrypted connection.
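The check described above, pulling the registered domain out of a URL and comparing it with the brand the page claims to be, as an added example that is not part of the original post. The suffix list is a constructed, deliberately tiny stand-in for the real Public Suffix List, and the brand-to-domain table is an assumption for the example; the two phishing URLs are the ones shown above, the others are constructed.

```python
"""Extract the registered domain from a URL and check it against a claimed brand.

Added example, not code from the original post. PUBLIC_SUFFIXES is a small
constructed stand-in for the Public Suffix List (production code should use
the full list, e.g. via the tldextract package); BRAND_DOMAINS is assumed.
"""
from urllib.parse import urlsplit

# Constructed, minimal stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "us", "co.uk", "com.au"}

# Assumed for the example: the domains each brand actually owns.
BRAND_DOMAINS = {
    "netflix": {"netflix.com"},
    "amazon": {"amazon.com", "amazon.co.uk"},
}


def registered_domain(host: str) -> str:
    """Public suffix plus the one label to its left, e.g. 'j4h2.us' or 'amazon.co.uk'.

    Longer suffixes are tried first so 'co.uk' wins over 'uk'.
    """
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return host.lower()


def inspect_url(url: str, claimed_brand: str) -> dict:
    """Report the host, its registered domain, whether the brand owns it, and red flags."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reg = registered_domain(host)
    # The thing that fools the eye: the brand name appears *somewhere* in the URL.
    brand_in_text = claimed_brand.lower() in url.lower()
    owned = reg in BRAND_DOMAINS.get(claimed_brand.lower(), set())
    findings = []
    if parts.scheme != "https":
        findings.append("not https")
    if brand_in_text and not owned:
        findings.append(f"brand name present but registered domain is {reg}")
    return {
        "host": host,
        "registered_domain": reg,
        "brand_owned": owned,
        "findings": findings,
    }


if __name__ == "__main__":
    # The two URLs from the phishing pages, plus a constructed lookalike and a real one.
    samples = [
        ("http://verify.netflix.up1.j4h2.us/notification.php?Notify=true&accID=oQnNROvwMclRMpiozYaHJDhBo", "netflix"),
        ("http://verify.netflix.up1.j4h2.us/personalprofile.php?Verify=true&accID=VhidlCjHJDCyvRGC", "netflix"),
        ("https://www.amazon.com.evil-example.net/amazon.com/login", "amazon"),  # constructed
        ("https://www.netflix.com/browse", "netflix"),  # constructed, legitimate shape
    ]
    for url, brand in samples:
        print(brand, inspect_url(url, brand))
```

The point the code makes is that string matching on the brand name is exactly the heuristic the scammer is exploiting; only the registered domain, read from the right-hand end of the host, says who you are talking to.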

Asking for far more information than is required to fix the problem at hand.

In this case “Netflix” is allegedly reporting to me that someone is trying to brute-force their way into my account, trying password after password until they get it right.

A Brute Force Attack is the simplest method to gain access to a site or server (or anything that is password protected). It tries various combinations of usernames and passwords again and again until it gets in. This repetitive action is like an army attacking a fort. (source: cloudways.com)

First off, Netflix, like most other major internet platforms, limits the number of password attempts allowed within a period of time from a single device. This means you may be able to try again from another device, or you may have to wait anywhere from 15 minutes to 24 hours before trying again from any device. Whatever the timeout parameters, the purpose is to disrupt the brute force attempt and encourage the nefarious actor to move on to another activity.

The result of this enforcement would not be an email to you asking you to verify your information. It would most likely simply be a lockout for a period of time. You may find yourself forced to select a new password the next time YOU INITIATE A LOGIN attempt. You might receive an email alerting you of the attempt, but you would be advised to log in normally and be guided through a password reset using information the website already has on file. You will never receive an email asking you to provide all the information requested on this page.
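What a service actually does about repeated wrong passwords, as an added example that is not part of the original post and is not Netflix’s own code: a per-account, per-device attempt counter with a timed lockout. The thresholds (five failures in fifteen minutes, fifteen-minute lockout), the account name and the password are assumptions constructed for the example. Notice what is absent: at no point does the service turn to the account holder and ask for a Social Security number.

```python
"""Per-account, per-device login throttle with a temporary lockout.

Added example, not from the original post and not any real service's code.
Thresholds, the sample account and the passwords are constructed assumptions.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

MAX_FAILURES = 5            # wrong passwords tolerated per window (assumed)
WINDOW_SECONDS = 15 * 60    # failures older than this are forgotten (assumed)
LOCKOUT_SECONDS = 15 * 60   # how long the guessing device stays locked (assumed)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes


@dataclass
class LoginThrottle:
    # (account, device) -> timestamps of recent failures
    failures: dict = field(default_factory=dict)
    # (account, device) -> time at which the lockout ends
    locked_until: dict = field(default_factory=dict)

    def status(self, account: str, device: str, now: float) -> str:
        return "locked" if now < self.locked_until.get((account, device), 0) else "open"

    def note_failure(self, account: str, device: str, now: float) -> bool:
        """Record a failure; return True if this one triggered a lockout."""
        key = (account, device)
        recent = [t for t in self.failures.get(key, []) if now - t < WINDOW_SECONDS]
        recent.append(now)
        if len(recent) >= MAX_FAILURES:
            self.locked_until[key] = now + LOCKOUT_SECONDS
            self.failures[key] = []
            return True
        self.failures[key] = recent
        return False

    def note_success(self, account: str, device: str) -> None:
        self.failures.pop((account, device), None)
        self.locked_until.pop((account, device), None)


def login(users: dict, throttle: LoginThrottle, account: str,
          password: str, device: str, now: float) -> str:
    """Return 'ok', 'denied' or 'locked'. Unknown account and wrong password look the same."""
    if throttle.status(account, device, now) == "locked":
        return "locked"
    acct = users.get(account)
    if acct is not None and hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
        throttle.note_success(account, device)
        return "ok"
    return "locked" if throttle.note_failure(account, device, now) else "denied"


def simulate() -> list:
    """Constructed scenario: a guesser on device-A, the real owner on device-B."""
    salt = os.urandom(16)
    users = {"viewer@example.com": Account(salt, hash_password("correct horse", salt))}
    throttle = LoginThrottle()
    t = 1_700_000_000
    results = []
    for i in range(6):  # six wrong guesses, ten seconds apart
        results.append(login(users, throttle, "viewer@example.com", f"guess{i}", "device-A", t + 10 * i))
    # The owner, on their own device, is unaffected by the attacker's lockout.
    results.append(login(users, throttle, "viewer@example.com", "correct horse", "device-B", t + 60))
    # Even the right password is refused on device-A until the lockout expires...
    results.append(login(users, throttle, "viewer@example.com", "correct horse", "device-A", t + 120))
    # ...and accepted once it has.
    results.append(login(users, throttle, "viewer@example.com", "correct horse", "device-A", t + 120 + LOCKOUT_SECONDS))
    return results


if __name__ == "__main__":
    print(simulate())
```

The fifth wrong guess locks device-A out; the owner on device-B logs in normally, which is the “try again from another device” behaviour described above, and the lockout simply expires on its own.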


Let’s look at this page again. Look what they are asking for:

Name
Address
BIRTHDATE
SOCIAL SECURITY NUMBER
MOTHER’S MAIDEN NAME
DRIVERS LICENSE NUMBER

What does any of this have to do with resetting a password? They’re not after your Netflix password. I think by now it’s clear what they are after: your identity.

In the absence of any context you would never simply give this information to anyone who asks. But they have created a false context in which it might feel right that they are verifying security information. But YOU DIDN’T INITIATE this communication, so there is nothing to verify on your part. THEY INITIATED THE COMMUNICATION which means, if anything, THEY NEED TO VERIFY WHO THEY are to YOU.

In reality, all of this information is interesting background to understanding the mechanics and psychology of phishing scams, but the real issue is this:

If you have not initiated the process or communication, you need not “verify” who you are to anyone. Any communication arriving spontaneously that asks you to verify who you are before proceeding is not legitimate. Don’t respond, except maybe to ask them to verify who the fuck they are to be asking for this information.

Remember, the only reason the scammers run these scams is BECAUSE THEY WORK. Don’t fall for them.