Threat Intelligence Report — THREAT-2026-SMISH-001
Active Smishing Campaign
neflixpagocuenta.net
01 Executive Summary
Active smishing campaign; site operational
Real-time financial fraud kit deployed at neflixpagocuenta.net impersonating Netflix. It captures login credentials, full PII, card data plus bank PIN, and tricks victims into approving real transactions via 3D Secure. Multi-country, multi-brand operation on dedicated infrastructure (own ASN, 1,024 IPs). The same kit was confirmed active today on a French healthcare domain.
02 Key Metrics
Historical Domains: 237+
Active Kits Today: 2
Brands Impersonated: 15+
Countries Targeted: 13+
IPs in ASN: 1,024
Data Types Captured: 14
Attack Stages: 7
Domains in ASN: ~1,760
03 Attack Flow — 7 Stages
Delivery: SMS (Smishing)
Probable SMS gateway: scampigate.com
The victim receives an SMS with a link to neflixpagocuenta.net. The site redirects automatically: HTTP → HTTPS → /login → gate.php?page=verif
Stage 1: Anti-Bot Verification
gate.php?page=verif
Cloudflare Turnstile CAPTCHA. Blocks scrapers, sandboxes and security bots.
Sitekey: 0X4AAAAAACTqp1CezracoxEG
Stage 2: Login (Credential Harvesting)
gate.php?page=login
Exact replica of the Netflix login page. Captures account credentials.
- Email / phone
- Password
Stage 3: Billing (PII Harvesting)
gate.php?page=billing
Captures full personal details under the pretext "Update your billing information."
- Full name
- Address
- City + postal code
- Phone
- Date of birth
Stage 4: Credit Card (Financial Data)
gate.php?page=cc
"Update your payment information." Captures full card data.
- Card number
- Cardholder
- Expiry
- CVV/CVC
Stage 5: Bank PIN
gate.php?page=pin
Unusual in standard phishing kits. Indicates exfiltration for POS purchases / ATM withdrawals.
- 4-digit PIN
Stage 6: VBV / 3D Secure (Real-Time Fraud)
gate.php?page=vbv
Critical social engineering
Deception text: "The amounts shown in the app are completely random and NO charge will be made."
Reality: the TA initiates a REAL charge. The victim authorises it in their banking app believing it is a verification step. The charge IS EXECUTED.
- Real-time 3DS approval
Stage 7: OTP / SMS (2FA Bypass)
gate.php?page=otp
Fallback for banks without an app. Intercepts the bank verification code.
- 6-digit OTP code
✓ Success: false confirmation
"Your account has been verified successfully." Redirects to the real netflix.com to appear legitimate.
04 Infrastructure
Primary Server
IP: 45.74.47.181
Domains: 237+
Active Kits: 2
Org: Secure Internet LLC
Location: Houston, TX
Reverse DNS: none
Route created: 2026-01-13
AS213441 — SLAYER GROUP LIMITED
Country: GB (RIPE NCC)
Registered: 2025-02-10
Upstream: AS30823 aurologic
Total IPs: 1,024
Total domains: ~1,760
Type: Bulletproof
Server Stack
Web server: nginx
Language: PHP 8.3.30
Panel: Plesk (PleskLin)
OS: Linux
Anti-bot: Cloudflare Turnstile
SSL: Let's Encrypt R12
IPv4 Prefixes (4× /24)
Primary: 45.74.47.0/24
Secondary: 45.74.10.0/24
Africa block: 102.135.91.0/24
Asia block: 180.178.160.0/24
Adjacent IP: 45.74.47.68
Secondary IP: 45.74.10.195
05 Domain Clusters by Brand
Status legend: Active/Kit · Blocked · Dead/Burned
Netflix (11 domains)
- neflixpagocuenta.net
- verificaflix.com
- ntfx-shippai-jp.com
- netflx-forfait.com
- kundesupportnetflix.com
- giahannetflix.com
- netflix-accounts-update.com
- netflixpagamento.com
- +3 more (burned)
Carte Vitale / French Healthcare (15+ domains)
- espace-sante-dossier.com
- carte-vital-support.com
- assurance-maladie-public.com
- amelivitale-infoassurance.com
- renouvellement-carte-vitale.com
- info-suivis-sante.com
- espace-vitale-infos.com
- +8 more
Logistics / Parcel Delivery (20+ domains)
- mondial-relay-douanes.com
- bpost-be.com
- bpost-colis-323240963.com
- ups-bezorging.com
- dhl-diensten.com
- depot-paquet.com
- canadapost-suivi.ca
- +13 more
Banking / Finance (6 domains)
- pay-pal-fr.com
- oppositions-banques-de-france.com
- services-banque-de-france.com
- ccss-services-lu.com
- raiffeisen-ba.com
- kundemypaylife.com
Doctolib (4 domains)
- mon-compte-doctolib.com
- mon-espace-client-doctolib.com
- doctolib-consultation.help
- doctolib-consultation.info
Others (8+ domains)
- via-verde-app.com (PT Tolls)
- viaverde-site.com (PT Tolls)
- actualisation-icloud.com (Apple)
- noones-partnership.com (Crypto)
- mvm-szolgaltatasok.com (Hungary)
- regularisation-free-facture.com (ISP FR)
- scampigate.com (SMS Gateway)
06 Threat Actor Profile
Identifiers
Email 1: karript6@gmx.com
Email 2: romaintrdbl@gmail.com
Handle: karript6
Probable name: Romain
Public footprint: ZERO
Active since: April 2020
Geo Attribution
WHOIS: Dresden, DE
EXIF timezone: UTC+3
Email provider: GMX (German)
Kit default language: French
Primary targets: France
Hypothesis: Francophone in UTC+3 zone. Possibly North Africa (Maghreb) or Eastern Europe (Romania, Bulgaria). Dresden WHOIS likely false. Using German VPN/identity for domain registration.
TTPs
Initial access: Smishing (SMS)
Kit type: PHP gate.php
Anti-bot: Cloudflare Turnstile
Domain cycle: 2-4 weeks
Sophistication: MOD-HIGH
OPSEC: MODERATE
Financial fraud: Real-time 3DS
Registrars: PDR, Openprovider, Metaregistrar
EXIF Forensics — Logo Asset
Software: Photoshop CC 2017
OS: Windows
Created: 2020-04-03
Timezone: UTC+3
Resolution: 3840×2160
XMP Instance ID: xmp.iid:7cfe7f16-5916-d74a-9071-a65caafb2b96
XMP Document ID: adobe:docid:photoshop:57500b65-753c-11ea-b41b-aeb013380cea
07 Activity Timeline
2020-04-03: Netflix logo asset created — Photoshop CC 2017, UTC+3. Earliest known artifact.
2021-09-17: First known certificate — netflx-forfait.com. Infrastructure active 4+ years.
2025-02-10: AS213441 SLAYER-AS registered — RIPE NCC, dedicated ASN for phishing ops.
2025-11-28: verificaflix.com — First recent Netflix domain in new infrastructure.
2026-01 (peak): 15+ domains registered — Netflix, PayPal, Carte Vitale, Doctolib, Mondial Relay, bpost, Via Verde.
2026-01-13: BGP route 45.74.47.0/24 announced — Infrastructure goes live.
2026-02-17: neflixpagocuenta.net registered — PDR Ltd., Dresden registrant.
2026-03-08: SSL certificate issued — Let's Encrypt R12 for neflixpagocuenta.net.
2026-03-09 (TODAY): Smishing campaign detected. Kit active. espace-sante-dossier.com cert issued today (cross-brand kit confirmed).
08 IOC Table — Primary Indicators
| Type | Value | Status | Confidence |
|---|---|---|---|
| Domain | neflixpagocuenta.net | Active Kit | CONFIRMED |
| Domain | espace-sante-dossier.com | Active Kit | CONFIRMED |
| IP | 45.74.47.181 | Active | CONFIRMED |
| IP | 45.74.47.68 | Adjacent | CONFIRMED |
| IP | 45.74.10.195 | Secondary | CONFIRMED |
| ASN | AS213441 — SLAYER-AS | Active | CONFIRMED |
| Email | karript6@gmx.com | SOA record | CONFIRMED |
| Email | romaintrdbl@gmail.com | SOA record | CONFIRMED |
| Sitekey | 0X4AAAAAACTqp1CezracoxEG (Cloudflare Turnstile; not publicly reported) | Active | CONFIRMED |
| API | gate.php?action=get_translations&lang={lang} (kit fingerprint, unique to this family) | Active | CONFIRMED |
| XMP ID | xmp.iid:7cfe7f16-5916-d74a-9071-a65caafb2b96 (logo asset instance ID) | Forensic | CONFIRMED |
| XMP Doc | adobe:docid:photoshop:57500b65-753c-11ea-b41b-aeb013380cea (logo asset document ID) | Forensic | CONFIRMED |
| localStorage | netflix_verif_translations_{lang} (browser fingerprint; check victim browsers) | Detection | CONFIRMED |
| Prefix | 45.74.47.0/24 | Block | CONFIRMED |
| Prefix | 45.74.10.0/24 | Block | CONFIRMED |
| Prefix | 102.135.91.0/24 | Block | CONFIRMED |
| Prefix | 180.178.160.0/24 | Block | CONFIRMED |
Anti-Analysis Headers (kit fingerprint)
X-Robots-Tag: noindex, nofollow, noarchive, nosnippet, noimageindex
X-Frame-Options: DENY
Referrer-Policy: no-referrer
Cache-Control: no-store, no-cache, must-revalidate
Permissions-Policy: geolocation=(), microphone=(), camera=()
09 Cross-Brand Kit Reuse — Evidence
Proof: Same kit on healthcare domain
The domain espace-sante-dossier.com (impersonating French health records) returns identical gate.php translation API JSON. Certificate issued TODAY (2026-03-09). The TA forgot to sanitize Netflix-specific strings:
// espace-sante-dossier.com — should be healthcare, but contains:
"new_to_netflix": "Vous etes nouveau sur Netflix ?"
"subscription_renewed": "Votre abonnement a ete renouvele"
"success_message": "...profiter de tout le contenu Netflix sans restrictions"
Tags: Same backend · Un-sanitized strings · Modular multi-brand kit
Implication
The kit uses a modular translation system (gate.php?action=get_translations&lang={lang}) designed for rapid multi-brand deployment. The TA cloned the Netflix configuration for the healthcare variant but failed to customize the Netflix-specific translation keys. This proves:
- Same phishing kit deployed across brand impersonations
- Kit is designed for multi-brand operation from inception
- Operational tempo prioritizes speed over stealth
- Translation API is a reliable detection fingerprint
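Two of the fingerprints above lend themselves to automated checks: the anti-analysis header set listed in section 08, and the Netflix strings left in the healthcare variant's translation JSON. The Python below is an added example written for this report, not code from the report or from the kit. The sample HTTP response and translation blob are constructed from the values quoted above; the function names and the `expected_brand` parameter are the example's own.

```python
"""Kit fingerprint checks for the gate.php family described in this report.

Added example, not part of the original report. Two checks:
  1. Does an HTTP response carry the exact anti-analysis header set from
     section 08? Individually these are ordinary hardening headers, so only
     the complete set with these exact values is treated as a match.
  2. Does a translation JSON blob served by a non-Netflix brand domain still
     contain Netflix-specific keys or strings (the section 09 evidence)?
The sample response and JSON below are constructed for illustration.
"""
import json
import re

# Header set from section 08 of the report (kit fingerprint), lower-cased names.
KIT_HEADERS = {
    "x-robots-tag": "noindex, nofollow, noarchive, nosnippet, noimageindex",
    "x-frame-options": "DENY",
    "referrer-policy": "no-referrer",
    "cache-control": "no-store, no-cache, must-revalidate",
    "permissions-policy": "geolocation=(), microphone=(), camera=()",
}

# Netflix-specific translation keys observed on the healthcare domain (section 09).
LEAKED_KEYS = {"new_to_netflix", "subscription_renewed"}
BRAND_RE = re.compile(r"netflix", re.IGNORECASE)


def parse_headers(raw: str) -> dict:
    """Parse a raw HTTP response head into a dict keyed by lower-cased name.
    Stops at the blank line that ends the headers; whitespace in values is
    collapsed so formatting differences do not defeat the comparison."""
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = " ".join(value.split())
    return headers


def header_fingerprint_score(raw: str) -> tuple:
    """Return (matched, total): how many of the kit's headers appear with
    exactly the kit's values."""
    headers = parse_headers(raw)
    matched = sum(
        1 for name, value in KIT_HEADERS.items()
        if headers.get(name, "").lower() == value.lower()
    )
    return matched, len(KIT_HEADERS)


def is_kit_header_set(raw: str) -> bool:
    """True only when the full header set matches."""
    matched, total = header_fingerprint_score(raw)
    return matched == total


def leaked_brand_strings(translations_json: str, expected_brand: str) -> list:
    """Return translation keys that reference Netflix on a domain whose theme
    (expected_brand, e.g. "healthcare") is not Netflix. On a Netflix-themed
    domain those strings are expected and nothing is reported."""
    if BRAND_RE.search(expected_brand):
        return []
    data = json.loads(translations_json)
    leaks = [k for k, v in data.items()
             if k in LEAKED_KEYS or BRAND_RE.search(str(v))]
    return sorted(leaks)


# Constructed sample response head mimicking the header set from section 08.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-Robots-Tag: noindex, nofollow, noarchive, nosnippet, noimageindex\r\n"
    "X-Frame-Options: DENY\r\n"
    "Referrer-Policy: no-referrer\r\n"
    "Cache-Control: no-store, no-cache, must-revalidate\r\n"
    "Permissions-Policy: geolocation=(), microphone=(), camera=()\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed response from an ordinary hardened site: only two headers overlap.
BENIGN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "X-Frame-Options: DENY\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "Cache-Control: no-store, no-cache, must-revalidate\r\n"
    "\r\n"
)

# Constructed translation blob modelled on the strings quoted in section 09.
SAMPLE_TRANSLATIONS = json.dumps({
    "page_title": "Mon espace sante",
    "new_to_netflix": "Vous etes nouveau sur Netflix ?",
    "subscription_renewed": "Votre abonnement a ete renouvele",
    "success_message": "...profiter de tout le contenu Netflix sans restrictions",
})

if __name__ == "__main__":
    print("kit header set:", is_kit_header_set(SAMPLE_RESPONSE))
    print("benign score:", header_fingerprint_score(BENIGN_RESPONSE))
    print("leaked keys:", leaked_brand_strings(SAMPLE_TRANSLATIONS, "healthcare"))
```

The score is returned alongside the boolean so that partial matches can be reviewed rather than alerted on: a site that sets two or three of these headers is normal, the full set with these exact values is what the report identifies as the kit.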
10 Defense Actions
P1 — Critical / Immediate: Block ASN at perimeter
Block the entire AS213441, all 4× /24 prefixes. The ASN is ~13 months old, hosts 1,760 domains and shows a clear abuse pattern. Prefixes: 45.74.47.0/24, 45.74.10.0/24, 102.135.91.0/24, 180.178.160.0/24
P1 — Critical / Immediate: Report to aurologic GmbH (upstream)
AS30823 is the sole upstream provider. If they null-route AS213441, ALL TA infrastructure goes offline simultaneously. Most effective single action.
P1 — Critical / Immediate: Revoke Cloudflare Turnstile sitekey
Report sitekey 0X4AAAAAACTqp1CezracoxEG to Cloudflare abuse. Revocation disables the captcha on ALL kit instances simultaneously. Not yet reported publicly.
P2 — High / 24h: Report to CERTs
INCIBE: incidencias@incibe-cert.es
CCN-CERT: incidentes@ccn-cert.cni.es
CERT-FR: cert-fr.cossi@ssi.gouv.fr
Netflix: phishing@netflix.com
P2 — High / 24h: Submit to blocklists
Google Safe Browsing, PhishTank, APWG. Submit all active domains and URLs. Registrar abuse: abuse-contact@publicdomainregistry.com
P3 — Medium / Ongoing: Monitor & Hunt
Monitor crt.sh for new certs on 45.74.47.0/24. Create YARA rules for the gate.php?action=get_translations pattern. Monitor @ecarlesi on urlscan.io. VirusTotal retrohunt with XMP IDs.
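As an added hunting example (not part of the original report), the following Python runs the section 08 network indicators over proxy log lines: destination IPs inside the four announced /24 prefixes, the two confirmed kit domains, and the gate.php translation API and page parameters that fingerprint the family. The log format (space-separated timestamp, client IP, destination IP, URL) and the log lines themselves are constructed for illustration; only the prefixes, IPs, domains and URL parameters come from the report.

```python
"""Hunting helper for the infrastructure and URL indicators in sections 08 and 10.

Added example, not part of the original report. It walks proxy log lines and
flags: destination IPs inside the four announced /24 prefixes, the confirmed
kit domains, and the gate.php URL patterns that fingerprint this kit family.
The log format (space-separated: timestamp, client IP, destination IP, URL)
and the sample lines are constructed assumptions.
"""
import ipaddress
import re
from urllib.parse import urlparse, parse_qs

# Prefixes and domains from the IOC table (section 08).
BLOCKED_PREFIXES = [ipaddress.ip_network(p) for p in (
    "45.74.47.0/24", "45.74.10.0/24", "102.135.91.0/24", "180.178.160.0/24")]
IOC_DOMAINS = {"neflixpagocuenta.net", "espace-sante-dossier.com"}

# Kit URL fingerprints: the translation API and the staged gate.php pages
# (section 03 of the report).
TRANSLATION_API_RE = re.compile(r"/gate\.php\?.*\baction=get_translations\b")
GATE_PAGES = {"verif", "login", "billing", "cc", "pin", "vbv", "otp"}


def ip_in_blocked_prefix(ip: str) -> bool:
    """True when ip falls inside one of the announced /24 prefixes."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in BLOCKED_PREFIXES)


def classify_url(url: str) -> list:
    """Return the URL-based indicators a single URL triggers, in a fixed order:
    known IOC domain, translation API call, then a gate.php stage page."""
    hits = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host in IOC_DOMAINS:
        hits.append("ioc_domain")
    if TRANSLATION_API_RE.search(url):
        hits.append("translation_api")
    if parsed.path.endswith("/gate.php"):
        page = parse_qs(parsed.query).get("page", [""])[0]
        if page in GATE_PAGES:
            hits.append(f"gate_page:{page}")
    return hits


def hunt(log_lines) -> list:
    """Return (line_number, [indicators]) for every log line that matches.
    Lines with fewer than four fields are skipped as malformed."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        parts = line.split()
        if len(parts) < 4:
            continue
        _ts, _client, dest_ip, url = parts[:4]
        hits = classify_url(url)
        if ip_in_blocked_prefix(dest_ip):
            hits.append("blocked_prefix")
        if hits:
            findings.append((n, hits))
    return findings


# Constructed proxy log. The destination IPs and domains are from the report's
# IOC table; timestamps, client IPs and the benign line are invented.
SAMPLE_LOG = [
    "2026-03-09T10:01:02Z 10.0.0.5 45.74.47.181 https://neflixpagocuenta.net/gate.php?page=verif",
    "2026-03-09T10:01:05Z 10.0.0.5 45.74.47.181 https://neflixpagocuenta.net/gate.php?action=get_translations&lang=es",
    "2026-03-09T10:02:10Z 10.0.0.9 93.184.216.34 https://www.example.com/index.html",
    "2026-03-09T10:03:44Z 10.0.0.7 45.74.10.195 https://unknown-host.example/gate.php?page=vbv",
]

if __name__ == "__main__":
    for line_no, hits in hunt(SAMPLE_LOG):
        print(f"line {line_no}: {', '.join(hits)}")
```

The fourth sample line shows why the URL pattern matters alongside the domain list: a host that is not yet in the IOC table but serves gate.php?page=vbv from a blocked prefix is still surfaced, which is how new domains in the 2-4 week rotation cycle can be picked up before they are reported.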
Disclaimer
This report is published for defensive cybersecurity purposes under the principles of responsible threat intelligence sharing. The analysis is based exclusively on open-source intelligence (OSINT) derived from unsolicited malicious communications received by the author and subsequent passive investigation of publicly available data.
Attribution assessments represent the analyst’s professional judgment based on available evidence and are provided with an explicit confidence level. They do not constitute accusations of criminal conduct, which is a determination reserved for competent judicial authorities.
If you believe any information in this report is inaccurate, please open an issue for prompt review and correction.
Published under the legitimate interest basis of Article 6(1)(f) GDPR, supported by Recital 49 (network and information security) and the right to freedom of expression and information (Article 11 EU Charter of Fundamental Rights).
THREAT-2026-SMISH-001 · Unified Report v1.0 · 2026-03-09
100% Passive OSINT — No active scanning or form submissions
Classification: URGENT · TLP:AMBER