Amazon Phishing Adventures: The Recent Rise in Amazon Phishing Scams

If you dive into the deep web, you will find why hackers want your credit card information so much. The answer is Amazon. As soon as criminals buy a fresh batch of credit card data, they go to Amazon to buy smartphones, PlayStations, and anything else that they can quickly convert into cash. There are even deep web stores that specialize in particular brands. Deep web ‘Apple Stores’ will give customers amazing prices on real Apple products, still in the box. Here is one ad for a $400, unlocked Apple iPhone 6s, which generally sells for between $650 and $900.

[Image: deep web ad for an unlocked iPhone 6s]

Prices are often 50% less than those found on normal retail outlets. It doesn’t matter what the criminals sell the phones for because it’s all pure profit, as their only investment was in the card data, and that can cost around $10-20 for a batch of 10 or more cards, depending on how recently the cards were hacked. Of course, if you want to buy their products, you have to pay in Bitcoins and hope the delivery works out. But again, the key middleman in the transaction is Amazon. Occasionally, the sellers will try to ditch the product on eBay, but that’s a little more risky than selling through a deep web site.

In other cases, scammers will try to use Amazon itself to get your personal information. They realize that most people have Amazon accounts and may receive various messages from Amazon. Scammers can use fake messages to get the victim to give up personal information. The scammers may purchase products or gift cards with this information, but they will change the account details to get the product delivered directly to them. In effect, they take over the victim’s account. These phishing scams have been around for a long time and most people are aware of them. However, they have been getting more and more sophisticated and continue to be effective.

Here are a few variations on Amazon phishing scams which have recently been making the rounds, and probably making money for the hackers.

The Amazon Survey Scam

Basically, the victim receives an email saying that Amazon will pay them for taking a survey. It looks something like this.

[Image: sample Amazon survey phishing email]

Often, you can tell a phishing email by its unusual use of English, not by its design. This email gives the victim a chance to “make a quick buck” and to “press the link” – both kind of miss the mark from a sociolinguistic/linguistic viewpoint.

If you fall for the scam and “press the link”, you will be redirected to a cloned Amazon account login page that asks you to log in. If you do, you will then be redirected to an account detail page where you will be asked to put in your credit card details.

As is true in most phishing scams, the email must first make it past the spam filter and into the victim’s inbox. The latest variant of this scam does this by using a legitimate website to host the fake Amazon login page. The spam filter, seeing the site is legitimate, may not block it. If the user doesn’t check the URL before clicking, they may believe the site they go to is real because the login page is identical to the real one. The URL on the page may even be called something like “amazon-update” but without the green https padlock. Most browsers will give you a warning before you go onto the page that asks for credit card details, but the newer variants of this scam will recognize what browser you are using and block any attempts to give you this warning. According to FireEye, it will also block search engines, such as Google, and anti-phishing tools.

After entering all of the personal information, the victim will receive a personalized email that directs the user to their real account page, fooling the victim into thinking that all is well.

The Prime Now Delivery Scam

This scam seems to be focused on the U.K. for the moment, but there is no reason it can’t spread to any area that offers Prime Now delivery.

Once the criminals get the victim’s Amazon login information, they will sign them up for Amazon Prime and Prime Now (assuming they are not already signed up for the service). They will then order something to be delivered through Prime Now’s ultra-fast delivery system, which takes less than two hours. They then wait outside the person’s delivery location, as found in the account details, and pick up the delivered merchandise when it arrives, more often than not before the victim even knows their account has been used to order something.

Why don’t the criminals just change the delivery address? Because doing so would require re-entering credit card information, which the criminal may not know. For this scam, they don’t need to make the person enter any credit card information. Thus, they only need to log in, order, and go to the delivery destination within two hours. This means that the criminals must live within a two-hour traveling radius of the victim (unless they have a network of other criminals they can contact). They must also be able to get email addresses for people in their area to which they can send their phishing emails. It’s not clear how they could do this; however, there are firms who sell email addresses for marketing purposes.

The “I’m not sure it’s a scam or not” Amazon Security Scam

This is a tough one because opinion seems divided as to whether this is a scam or not. However, it’s something you should be aware of. Apparently, the recipient gets an email from Amazon stating that the company has done a search online, as part of their routine security surveillance, and found that one of the recipient’s online accounts has been compromised. They state that since people often use the same password for numerous accounts, it is possible that the recipient is using the same password for their Amazon account. This being the case, they ask the person to change their Amazon password. Apparently, there are links in the body of the letter that will take the person to the Amazon sign-in page to change their password. The actual email looks like this.

[Image: sample Amazon security notice email]

First of all, Amazon apparently does send these kinds of notices from time to time. It could be legitimate. However, since scammers often copy known correspondence, this one could also be copied as part of a phishing campaign. The point is that this is confusing security experts and regular users alike.

If the email contains no links at all, it is probably a legitimate message (a link still counts as a link even if it says “Amazon” on the surface). If the message says that Amazon has changed your account password, delete all of your cookies and try to sign in with your old password. If you can, then this was a scam. If you get this email in an account that is not associated with your Amazon account, then it is probably a scam. I say “probably” because accounts are sometimes interrelated, so Amazon may have run across another of your email addresses in this manner.
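The indicators described in the survey scam (a hostname like “amazon-update”, no https padlock) and here (links that say “Amazon” on the surface but point elsewhere) can be checked mechanically. The following Python checker is an added example, not code from the original post; the list of legitimate Amazon domains and the sample email body are assumptions constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed list of legitimate Amazon sign-in domains; extend for other marketplaces.
LEGIT_SUFFIXES = ("amazon.com", "amazon.co.uk")


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_amazon_host(host):
    """True only for the registered domains above and their subdomains."""
    return any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES)


def link_indicators(href, text):
    """Return the phishing indicators that apply to one link (empty if clean)."""
    url = urlparse(href)
    host = (url.hostname or "").lower()
    found = []
    if url.scheme != "https":
        found.append("no-https")               # no padlock on the landing page
    if "amazon" in host and not is_amazon_host(host):
        found.append("lookalike-host")         # e.g. amazon-update.<other domain>
    if "amazon" in text.lower() and not is_amazon_host(host):
        found.append("text-host-mismatch")     # says Amazon, points elsewhere
    return found


def scan_email(html):
    """Map each suspicious href in the body to its indicators."""
    parser = LinkExtractor()
    parser.feed(html)
    return {h: link_indicators(h, t) for h, t in parser.links if link_indicators(h, t)}


# Constructed sample message body, not a real phishing email.
SAMPLE = """<p>Press the link to make a quick buck:</p>
<a href="http://amazon-update.example.net/login">Amazon Survey</a>
<a href="https://www.amazon.com/gp/help">Help</a>"""
```

Running `scan_email(SAMPLE)` flags only the first link, with all three indicators.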

The point is that if this isn’t an email scam, it soon could be. In other words, as soon as you get such a message, change your password on the legitimate Amazon page and don’t take any chances.

In short, phishing messages that look to be from Amazon offering everything from gift certificates to security help are sure to continue arriving in your email. It is much better to be safe than sorry. A healthy skepticism is important in dealing with any email from any business or institution. Never give out personal information no matter how legitimate the email appears. It doesn’t take much time to call or email the support staff at the company the email purports to be from. But these scams will keep getting better and better and everyone can be fooled sometimes. New lists of compromised credit card information are released on the deep web every day and Amazon will continue to be the focus of criminal attention.

About Steve Mierzejewski

Marketing consultant for InZero Systems, developer of the next generation in hardware-separated security, WorkPlay Technology. I've worked in Poland, Japan, Korea, China, and Afghanistan. I'm a writer, technical editor, and an educator. I also do some work as a test developer for Michigan State University.