Date: 02/10/2025
Severity: Medium
Summary
This Netflix-themed survey scam/phishing campaign lures users to fake survey sites hosted on api.trackszz[.]com and monthly-prizes[.]com. Victims are asked to complete a survey, after which they are redirected to a fake payment page that requests credit card details. Once the details are entered, users are sent to a "winner" page. If a user does not interact with the survey, the page redirects after two minutes to another scam site. The trackszz[.]com domain, re-registered in July 2024, showed a significant increase in activity in December 2024 and January 2025, likely related to this phishing activity.
Indicators of Compromise (IOC) List
URL/Domain:
https://monthly-prizes.com/sweepflix/?ept2=029a7532-1ce2-4bb2-b1d8-2f9636478813
https://api.trackszz.com/click/vP1lZtn4NE?c1=ES6579&
https://bbtl.trkwebz03.com//t/clk?id=RlGXHgYLS0LXnUpZ8AHz&
https://get.hundredpercentmargin.com/click?pid=1336&
https://www.assuredpaymentportal.com/checkoutsecure1?first_name=&
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1:
userdomainname like "https://monthly-prizes.com/sweepflix/?ept2=029a7532-1ce2-4bb2-b1d8-2f9636478813" or url like "https://monthly-prizes.com/sweepflix/?ept2=029a7532-1ce2-4bb2-b1d8-2f9636478813"
or userdomainname like "https://www.assuredpaymentportal.com/checkoutsecure1?first_name=&" or url like "https://www.assuredpaymentportal.com/checkoutsecure1?first_name=&"
or userdomainname like "https://api.trackszz.com/click/vP1lZtn4NE?c1=ES6579&" or url like "https://api.trackszz.com/click/vP1lZtn4NE?c1=ES6579&"
or userdomainname like "https://bbtl.trkwebz03.com//t/clk?id=RlGXHgYLS0LXnUpZ8AHz&" or url like "https://bbtl.trkwebz03.com//t/clk?id=RlGXHgYLS0LXnUpZ8AHz&"
or userdomainname like "https://get.hundredpercentmargin.com/click?pid=1336&" or url like "https://get.hundredpercentmargin.com/click?pid=1336&"
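The query above keys on the complete URLs, including campaign-specific tracking parameters (the `ept2` token, click IDs, `pid` values), so a visit to the same host with a different parameter would not match. The following Python, added here as an example and not part of the Gurucul query or the Unit 42 IOC file, matches proxy log URLs on hostname instead, using the hosts from the IOC list, and shows the difference against exact-URL matching on the same lines. The log format and every log line are constructed for illustration; the click ID `EXAMPLEID` is a placeholder, not an observed value.

```python
"""Hostname-based IOC matching over constructed proxy log lines.

Added example; the IOC hosts and exact URLs come from the advisory above,
the log lines and their format are constructed.
"""
from urllib.parse import urlsplit

# Hostnames extracted from the advisory's URL/Domain list.
IOC_HOSTS = {
    "monthly-prizes.com",
    "api.trackszz.com",
    "bbtl.trkwebz03.com",
    "get.hundredpercentmargin.com",
    "www.assuredpaymentportal.com",
}

# The exact URLs used by Detection Query 1, kept for comparison.
IOC_URLS = {
    "https://monthly-prizes.com/sweepflix/?ept2=029a7532-1ce2-4bb2-b1d8-2f9636478813",
    "https://api.trackszz.com/click/vP1lZtn4NE?c1=ES6579&",
    "https://bbtl.trkwebz03.com//t/clk?id=RlGXHgYLS0LXnUpZ8AHz&",
    "https://get.hundredpercentmargin.com/click?pid=1336&",
    "https://www.assuredpaymentportal.com/checkoutsecure1?first_name=&",
}

# Constructed sample log: "<timestamp> <user> <url>". Line 3 uses an IOC host
# with a placeholder click ID; line 4 is a lookalike suffix that must NOT match.
SAMPLE_LOG = [
    "2025-02-10T10:15:02Z alice https://www.netflix.com/browse",
    "2025-02-10T10:16:40Z alice https://monthly-prizes.com/sweepflix/?ept2=029a7532-1ce2-4bb2-b1d8-2f9636478813",
    "2025-02-10T10:17:05Z bob https://api.trackszz.com/click/EXAMPLEID?c1=ES0001&",
    "2025-02-10T10:18:30Z carol https://monthly-prizes.com.example.net/login",
    "malformed line",
]


def url_host(url: str) -> str:
    """Return the lowercase hostname of a URL, or '' if it cannot be parsed."""
    try:
        host = urlsplit(url.strip()).hostname
    except ValueError:
        return ""
    return (host or "").lower().rstrip(".")


def host_matches_ioc(host: str, ioc_hosts=IOC_HOSTS) -> bool:
    """True if host equals an IOC host or is a subdomain of one.

    The dot prefix in the suffix test prevents 'monthly-prizes.com.example.net'
    or 'notmonthly-prizes.com' from matching 'monthly-prizes.com'.
    """
    host = host.lower().rstrip(".")
    return any(host == ioc or host.endswith("." + ioc) for ioc in ioc_hosts)


def scan_log_lines(lines, ioc_hosts=IOC_HOSTS):
    """Return (user, host, url) for each line whose URL host is an IOC host."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:          # skip lines that do not fit the format
            continue
        user, url = parts[1], parts[-1]
        host = url_host(url)
        if host and host_matches_ioc(host, ioc_hosts):
            hits.append((user, host, url))
    return hits


def exact_url_hits(lines, ioc_urls=IOC_URLS):
    """Exact-URL matching, equivalent in spirit to the query's 'url like' terms."""
    return [line.split()[-1] for line in lines if line.split() and line.split()[-1] in ioc_urls]


if __name__ == "__main__":
    for user, host, url in scan_log_lines(SAMPLE_LOG):
        print(f"IOC host hit: user={user} host={host} url={url}")
    print(f"exact-URL hits: {len(exact_url_hits(SAMPLE_LOG))}")
```

On the constructed sample, hostname matching flags both the exact campaign URL and the variant click ID on api.trackszz.com, while exact-URL matching flags only the first; the lookalike suffix on example.net is correctly ignored by both.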
Reference:
https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-02-03-IOCs-for-Netflix-themed-survey-phishing-campaign.txt