Three quick steps to identify a Netflix phishing attack

A quick breakdown of how to identify it and how to respond.

An example of a Netflix phishing/smishing attack provided by Miguel A. Calles

Would you click on this link assuming you had an active Netflix account?

The most cleverly crafted part of this phishing text message (or smishing) attempt is the web address.

Notice that “www.netflix.com" is at the start of the domain. So it must be valid at first glance, right?

Did you notice the address starts with “http://” instead of the “https://” that Netflix and other major companies enforce?

Furthermore, there is a “911” in the URL. Many associate the number 911 with an emergency. Having this number in the address plays with our subconscious that we must react right away.

Lastly, there is a 48-hour time window before the account gets suspended. That time window also plays with our subconscious and conscious mind, telling us that we need to react right away. (We might think we should respond immediately before we forget and lose our precious Netflix account.)

How should we respond regardless of whether this is a valid message?

  1. Don’t click the link. Instead, go to the Netflix website or app. You should see a message in your account.
  2. Verify the URL and inspect the entire URL. Go to a service like VirusTotal and submit the entire URL for analysis. You will get information to help you decide how to proceed. If you read the entire web address, you will find the actual domain name ends at the first “/” character. The address has “onlinehome.us/” where the first forward slash appears. That means “onlinehome.us” is the domain. A valid Netflix address will have the “netflix.com/” text in the address.
  3. Look at the sender’s information. When you look at the sender, the address is long and confusing. Typically, large companies send a text message using a short number (such as 55445). It is a good idea to save that valid short number in your contacts so it shows up as “Netflix Notifications” (or however you save it in your contacts).

An example of verifying the URL

VirusTotal stated that one site reported it as malicious for this specific address.

Screen capture from VirusTotal

When you look at the submission details, you will see a blog post about a Netflix scam.

Keep in mind that malicious actors tend to be ahead of the curve, and sites like VirusTotal may not have data on them. Regardless, taking the time to research and not reacting immediately will help us avoid being victims.

Before you go

Here are other posts you might enjoy.

--

--

Miguel A. Calles · Serverless CISO

Author of "Serverless Security" · Specializing in CMMC, SOC 2, serverless & engineering.