
Phishing Campaign Uses TLS Certificates to Impersonate Netflix and Steal Users’ Account Credentials

July 2, 2018 | David Bisson

Fraudsters launched a new phishing campaign in which they are using TLS certificates in an attempt to steal Netflix users’ account credentials.

Dr. Johannes B. Ullrich, Dean of Research at SANS Technology Institute, received a sample of the campaign on 19 June. The email was, in his words, the “weak part of this exploit.” He based his conclusion on the fact that the email was labeled as spam and that its body content was full of grammatical mistakes.


We recently failed to validate your information,we hold on record for your account we need to ask you to complete a brief validation process in order to verify details. Once that information has been updated, you can continue enjoying Netflix. Please click the button below to get started.

Though error-ridden, the attack email provided crucial insight into the rest of the phishing campaign. Dr. Ullrich used the message to trace the attack’s beginning to a compromised site running CMS software like WordPress or Drupal and likely suffering from an unpatched plugin or a weak admin password. He also determined that those responsible for the campaign purchased a TLS certificate for a Netflix-related hostname like “” or a similar domain used in the phish. All of this was an attempt to trick users into visiting a malicious website designed to look similar to the real Netflix login page. The two were so similar, in fact, that the only apparent differentiating factor was the option for users to authenticate themselves via Facebook on the legitimate sign-in site.


It’s not particularly surprising that those behind the campaign chose to use TLS. The use of encryption among attackers is on the rise. In 2017, Zscaler blocked an average of 12,000 phishing attempts using SSL/TLS per day. This figure marked an increase of 400 percent over the traffic it blocked in 2016.

Even so, Dr. Ullrich thought that the phisher made a mistake by using TLS in an attempt to piggyback off legitimate Netflix members’ accounts. As he explained in a blog post:

"I found the sites pretty easily via certificate transparency logs, and I think Netflix, or someone else, is doing the same thing as I saw these sites often labeled as "deceptive" by Google's safe browsing feature, before the phishing part of the site was live. I doubt many users would notice if the site didn't use TLS."

Certificate transparency logs are useful in that they help keep track of digital certificates. It’s therefore no wonder Google issued a mandate for its Chrome browser requiring that all newly issued TLS certificates comply with the Chromium Certificate Transparency (CT) Policy, as researchers like Dr. Ullrich can use CT logs to investigate instances where someone might be misusing a certificate.
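
To make the CT-log monitoring described above concrete, here is an added Python example (not code from the original post or from Dr. Ullrich) that scans certificate entries for hostnames imitating a brand while skipping the brand's own domains. The entry field names, the sample hostnames and the digit-substitution table are assumptions constructed for this illustration, not the format of any real CT log or monitoring service.

```python
"""Flag brand-lookalike hostnames in certificate transparency (CT) entries."""

# Constructed sample entries. Field names are assumptions for this example,
# not the schema of any particular CT log or monitoring API.
SAMPLE_ENTRIES = [
    {"logged_at": "2018-06-18T09:12:00Z", "issuer": "Example CA 1",
     "dns_names": ["www.netflix.com", "netflix.com"]},
    {"logged_at": "2018-06-18T11:40:00Z", "issuer": "Example CA 2",
     "dns_names": ["netflix-account-verify.example"]},
    {"logged_at": "2018-06-19T02:05:00Z", "issuer": "Example CA 2",
     "dns_names": ["*.netflix.com.secure-billing.example"]},
    {"logged_at": "2018-06-19T07:30:00Z", "issuer": "Example CA 3",
     "dns_names": ["login.netf1ix.example", "blog.unrelated.example"]},
]

# Digit-for-letter swaps often used in lookalike names (illustrative subset).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def is_legitimate(host, legit_domains):
    """True if host is one of the brand's own domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in legit_domains)


def looks_like_brand(host, brand):
    """True if the brand appears after normalising digits and separators."""
    squashed = host.translate(CONFUSABLES).replace("-", "").replace(".", "")
    return brand in squashed


def flag_lookalikes(entries, brand, legit_domains):
    """Return (logged_at, issuer, hostname) for each suspicious name."""
    hits = []
    for entry in entries:
        for name in entry["dns_names"]:
            host = name.lower().rstrip(".")
            if host.startswith("*."):  # wildcard certs cover the parent zone
                host = host[2:]
            if is_legitimate(host, legit_domains):
                continue
            if looks_like_brand(host, brand):
                hits.append((entry["logged_at"], entry["issuer"], name))
    return hits


if __name__ == "__main__":
    for hit in flag_lookalikes(SAMPLE_ENTRIES, "netflix", {"netflix.com"}):
        print(*hit, sep="  ")
```

The legitimacy check matches on a full domain suffix rather than a substring, so a name that merely embeds the brand's domain as a leading label, such as the third constructed entry, is still flagged.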

Organizations need to make sure they monitor their digital certificates for signs of misuse. To do that, they need to obtain complete visibility over their certificates. Learn how Venafi can help.

About the author

David Bisson

David Bisson is a security journalist who works as Contributing Editor for IBM's Security Intelligence, Associate Editor for Tripwire and Contributing Writer for Gemalto, Venafi, Zix, Bora Design and others.
