How did Netflix phishing attacks use legitimate TLS certificates?

Johannes Ullrich of the SANS Technology Institute reported an increase in Netflix phishing attacks that use malicious sites with TLS certificates. How do these Netflix phishing attacks work, and can threat actors obtain TLS certificates for these spoofed domains?

Users of online services like banking, shopping, social networks, gaming and entertainment are constantly under the threat of hackers trying to obtain their credentials. A successful attack can enable an attacker to steal a victim's identity and money and launch further attacks against the people in his contacts list.

Tricking a Netflix subscriber into revealing their login details may not appear to give the hacker much more than free access to Netflix -- usernames and passwords for Netflix accounts only fetch around 20 to 50 cents on the dark web. However, there is a good chance that a subscriber's Netflix account password is the same as the one they use for their online bank account, PayPal account or Amazon account, making the hacker's efforts in a Netflix phishing attack far more rewarding.

These Netflix phishing attacks begin with phishing emails containing links to a hacker-owned site or to a site the hacker has compromised, often asking the user to validate their username and password due to an error with their account.

Hackers' favored sites to compromise are those that run popular content management system (CMS) software like WordPress or Drupal. Plenty of people who set up sites using a CMS platform have no experience in IT security and seldom install updates or patches for security flaws. This makes them attractive targets for hackers, as they can automate searches to exploit vulnerable sites and either install malware or post links to their own malicious server.

To increase the chances of tricking someone into following these links, hackers obtain TLS certificates for their servers, often using the free, automated certificate authority Let's Encrypt. Hackers use a variety of tricks to make the actual domain name of their site appear to be related to a genuine domain. By using a similar layout, images, and look and feel, they can make the site look almost identical to the real thing.

In addition, if they register domain names that appear similar to popular sites, they can make it difficult for users to tell which site they are visiting. For example, rnicrosoft.com uses r and n characters, not an m, while using characters from different alphabets, such as a Cyrillic а instead of the expected Latin a, can produce a domain name that looks the same as the domain being spoofed, as the two characters look identical to the human eye.

An attacker can also create a subdomain using the name of the site he is trying to impersonate. For example, netflix.greatfims123.com. These are all valid domain names, so after obtaining a TLS certificate for the domains they have registered, the attackers are ready to phish for unsuspecting users.

Users always need to check URLs carefully by hovering their mouse over them and immediately trashing any emails that are poorly worded or that contain spelling mistakes, as these are pretty good indicators that an email is a scam. Netflix, for its part, recommends users avoid clicking links sent via email, and that they report any suspicious messages via its official website.

One element that is often missing on spoofed sites is the option to log in using alternative login methods, like Facebook, as the attacker wouldn't be able to collect the usernames and passwords of anyone using this method.

Ask the expert:
Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)