Each Blox Tale will take a look at a targeted email attack, outline why it made its way into an inbox, and highlight how Armorblox was able to detect the attack. In this blog, we’ll focus on a credential phishing attempt where attackers sent an email resembling a Netflix billing failure. Clicking the email link took targets to a functioning CAPTCHA page with Netflix branding. Correctly filling in the CAPTCHA information led to a fully fledged Netflix lookalike site with a phishing flow that aimed to steal login credentials, billing address information, and credit card details.
A summary of the attack flow is given below:
Fig: Summary of the Netflix credential phishing attack
A few weeks ago, we saw a credential phishing attempt land in multiple customer inboxes. This email claimed to come from Netflix Support, informing readers of a billing problem due to a failure in verifying personal details. The email claimed that the target’s subscription would be cancelled if they didn’t update their details within 24 hours, furthering the sense of urgency. When targets clicked the link, they were led to a fully fledged Netflix lookalike website with a phishing flow that asked them to part with their Netflix login credentials, billing address, and credit card details. Once the phishing flow was complete, targets were redirected to the real Netflix home page, none the wiser about being compromised.
A screenshot of the email is given below:
Fig: Email where attackers impersonate Netflix and share a link to update account information. Some Armorblox detection highlights are included in the screenshot.
Why The Attack Got Through
This email got past existing email security controls (Office 365 Exchange Online Protection) because it didn’t follow the tenets of more traditional phishing attacks.
1. Functioning CAPTCHA redirect to increase legitimacy, obfuscate link detection
Upon clicking the email link, targets are first led to a fully functioning CAPTCHA page with subtle Netflix branding (black background, red buttons). Upon entering the correct alphanumeric sequence, targets are led to the main phishing site. A functioning CAPTCHA page makes the entire communication seem more legitimate. The inclusion of CAPTCHA also makes it harder for security technologies relying just on URL redirection abilities to follow the URL to its final destination. Screenshots of both CAPTCHA pages are given below:
Fig: Functioning CAPTCHA page starts the phishing flow.
2. All pages hosted on legitimate domains
Both phishing pages in this attack flow - the CAPTCHA page and the Netflix lookalike site - were hosted on legitimate web domains. The URL of the CAPTCHA page was ‘https[:]//wyominghealthfairs[.]com/cpresources/d3835d8b/1/’, which now leads to an error page. The parent domain of this URL - wyominghealthfairs[.]com - belongs to a real organization that’s unrelated to Netflix or the attack in general.
Fig: The parent domain of the CAPTCHA page is an unrelated (and legitimate) website.
The main Netflix lookalike site is hosted on the ‘axxisgeo[.]com’ domain, which belongs to an oil and gas company based out of Texas. This domain is also unrelated to Netflix and the attack. The WhoIs record is given below:
Fig: WhoIs record details for the parent domain of the Netflix lookalike site.
By hosting phishing pages on legitimate parent domains, attackers are able to evade security controls based on URL/link protection and get past filters that block known bad domains. Attackers likely exploited vulnerabilities in the web server or the Content Management Systems (CMS) to host these pages on legitimate parent domains without the website admins knowing about it.
3. Lookalike website with full phishing flow
Once targets get past the CAPTCHA page, they land on the main phishing site resembling the Netflix login page. Upon closer inspection, it’s evident that the parent domain is not ‘Netflix[.]com’ and that all links (‘Need help?’, ‘Login with Facebook’, ‘Sign up now’) on the page just reload the same page again. But the attackers are banking on people falling prey to the superficial similarity of the phishing site to Netflix’s website.
Fig: Phishing site resembling the Netflix login page.
Once targets fill in their login details, the phishing flow continues with screens asking targets to update their billing information and credit card information respectively. These next few screens look a lot like something you’d see on legitimate streaming websites; this superficial legitimacy enables attackers to harvest their targets’ billing addresses and credit card information in addition to their Netflix account details.
Fig: Phishing flow asking targets to fill in their billing address.
Fig: Phishing flow asking targets to fill in their credit card information.
Once the targets have filled in all their information, the phishing flow ends with a message of ‘success’ and an automatic redirection to the real Netflix homepage. This redirection may make people shrug their shoulders and log in to Netflix again (but for real this time), unaware that they’ve just been phished.
4. Socially engineered
Unlike spray-and-pray email fraud attempts, this email was expressly created and sent to trigger the required response. The email title was ‘Notice of Verification Failure’, which isn’t exactly how a Netflix email sounds but is still ‘robotic’ enough for readers to assume that it came from Netflix Support. The email language and topic were intended to induce urgency owing to their punitive nature (cancellation of the Netflix subscription). The call to action - Click here to update your information - is simple and effective. The email claims that the reader’s subscription will be cancelled if they don’t update their details within 24 hours, furthering the sense of urgency.
Fig: Email header showing the email title and sender domain.
How Armorblox Detected The Attack
Armorblox was able to detect the email attack based on the following insights:
1. Language, intent, and tone
Armorblox language models have been trained on tons of data and further customized to suit every customer environment. These models analyzed the email body and detected that there was an unusual request made in the email (which is a common trait in business email compromise attacks). Armorblox language models also detected a sense of urgency used in the email, which is uncommon for support emails from streaming providers.
2. Low communication history
Armorblox detected that the sender email in question had a low communication history with the target’s email account. While not a violation in itself, this insight is critical when combined with other unusual signals and can catch highly targeted attacks.
3. Low domain frequency
Armorblox ML models have three tiers - a global model, an organization-specific model, and a mailbox-specific model. While the mailbox-specific model was able to detect low communication history between the sender and the receiver, the organization-specific model also detected that the attacker’s domain had not communicated with the target company as a whole.
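To make the three signals above concrete, here is an added illustration (not Armorblox’s code or models) that scores a message from a mailbox-level sender history, an organization-level sender-domain history, and a stand-in for the language signal. The mail history, addresses, and urgency phrases are constructed for the example, and a keyword list is a deliberate simplification of the language models the post describes.

```python
from dataclasses import dataclass

# Constructed history of (recipient mailbox, sender address) pairs for one
# organization, example.com. All addresses are hypothetical sample data.
HISTORY = [
    ("alice@example.com", "info@netflix.com"),
    ("alice@example.com", "info@netflix.com"),
    ("alice@example.com", "bob@partner.example"),
    ("carol@example.com", "bob@partner.example"),
    ("carol@example.com", "newsletter@vendor.example"),
]

# Phrases from the email described in the post; a stand-in for the
# language/intent/tone models, not a replacement for them.
URGENCY_CUES = ("within 24 hours", "will be cancelled",
                "verification failure", "update your information")

@dataclass
class Signals:
    mailbox_history: int      # prior messages from this sender to this mailbox
    org_domain_history: int   # prior messages from the sender's domain to the org
    urgency_cues: list        # urgency phrases found in subject + body

def sender_domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def analyze(recipient, sender, subject, body, history=HISTORY):
    recipient, sender = recipient.lower(), sender.lower()
    dom = sender_domain(sender)
    mailbox_hist = sum(1 for r, s in history
                       if r.lower() == recipient and s.lower() == sender)
    org_hist = sum(1 for _, s in history if sender_domain(s) == dom)
    text = (subject + " " + body).lower()
    cues = [c for c in URGENCY_CUES if c in text]
    return Signals(mailbox_hist, org_hist, cues)

def verdict(sig):
    # A new sender alone is not a violation (as the post notes); the flag comes
    # from combining no mailbox history, no org-level domain history and urgency.
    if sig.mailbox_history == 0 and sig.org_domain_history == 0 and sig.urgency_cues:
        return "credential-phishing"
    if sig.mailbox_history == 0 and sig.urgency_cues:
        return "suspicious"   # org knows the domain, but this mailbox does not
    return "clean"
```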
Based on the insights above, along with many other detection signals, Armorblox flagged the email as a credential phishing threat. The email was automatically deleted based on predetermined remediation actions for the credential phishing detection category.
If you found this attack overview interesting, you might also like to read our earlier Blox Tale focusing on a Netflix impersonation and credit card phishing attempt.