Amazon and Walmart Targeted for Holiday Phishing Scams

The holiday season has officially begun. I know this because I’ve just received my first Amazon gift card scam. This one got into my inbox with the subject line, “Thank you. FW: Congratulations, Get Your $50 AMAZON Gift Card. Details Apply.” It disturbingly followed a recent purchase I made on Amazon, so they must have got this information from somewhere, probably from some online marketing firm. Anyway, for instructional purposes, here is what this rather badly designed scam looks like.

[Image: amazon-costume]

Well, I prefer ordering my costumes in person. But, if pressed, I suppose getting my gorilla costume online would be preferable to having someone describe it over the phone. Now, where’s my $50 certificate?

I doubt if this particular scam will fool many people. First of all, the sender address was something unrecognizable and had nothing to do with Amazon. Secondly, besides the obvious misspelling of ‘customer’, there is also the hyphenation of ‘gift card’. Actually, you are not really given a choice of ‘online’ or ‘phone call’, as clicking anywhere on the image will take you to the same non-Amazon place.

However, there is one interesting aspect of this phishing email. The addresses used in it are the product of a fake email generator. These generators can be found on the internet, and they produce fake email addresses that can be used to sign in to any site, like a forum, that requires an email address. Some of these generators offer only temporary addresses, but other fake email generators let you edit the addresses and allow you to send attachments and links. This is probably what happened here. The sender cannot be traced, but the link can do its dirty work.

Gift card scams always make the rounds this time of year. They look, at least on the surface, like real gift cards, but you will pay a price if you fall for the scam. Here’s what these cards from major retailers look like, but there are numerous variations, many of which have holiday themes this time of year.

[Image: gift-card-examples]

In any event, there are many other scams to be aware of and here are a few of them you’re likely to encounter during the upcoming holiday season.

The Looming Walmart Attack

In August, people who had Walmart accounts suddenly received password reset emails from the company. The emails came from a legitimate Walmart address and led to what appeared to be a legitimate password reset page. To date, no one has figured out why this happened. Of course, such emails could be triggered by anyone trying to sign into someone else’s account, but since the message was even sent to people who had no Walmart account, it looks like those responsible were trying to validate an email list or at least find out which people really had Walmart accounts.

[Image: walmart-reset]

I typed in a number of possible account names that I made up, including anyone@gmail.com. I got a confirmation that a verification code was sent to that account. Sorry, anyone. But when I typed in my own email address, I got a message that the address was not associated with a Walmart account, which is true. In other words, typing in an email address on the reset password page would enable a hacker to identify people with valid Walmart accounts. This would initially mean nothing, but it could give future spear phishing attacks a much higher success rate. So if you’ve received one of these messages, be especially cautious when dealing with any Walmart offers during the holiday season.
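The behaviour described above, a reset page whose reply depends on whether the address has an account, is the classic account-enumeration oracle. The following is an added example, not code from the original post or from Walmart: a leaky reset handler beside a uniform one, plus a self-check a site owner can run against its own endpoint. The account list, the delivery queue and the addresses are constructed stand-ins.

```python
# Added example (not from the original post): a password-reset handler that
# answers differently for registered and unregistered addresses lets anyone
# confirm which addresses have accounts, exactly the oracle the post describes.
import secrets

REGISTERED = {"alice@example.com", "bob@example.net"}   # constructed sample accounts
SENT = []                                              # stand-in for an outbound mail queue


def _deliver(email, code):
    """Queue the code for delivery. In a real service this is handed to an
    asynchronous mailer in both branches, so response time does not differ either."""
    SENT.append((email, code))


def reset_request_leaky(email, registered=REGISTERED):
    """Mirrors the behaviour the post describes: the reply itself says whether
    the address is associated with an account."""
    if email in registered:
        _deliver(email, secrets.token_hex(3))
        return "A verification code has been sent to your email."
    return "That email address is not associated with an account."


def reset_request_uniform(email, registered=REGISTERED):
    """Same reply either way. The code is generated on every request and only
    queued when an account exists, so the caller learns nothing from the response."""
    code = secrets.token_hex(3)          # same work on both paths
    if email in registered:
        _deliver(email, code)
    return "If an account exists for that address, a verification code has been sent."


def reveals_accounts(handler, known_registered, known_unregistered):
    """Self-test for your own reset endpoint: True if the replies for a known
    registered and a known unregistered address differ."""
    return handler(known_registered) != handler(known_unregistered)


if __name__ == "__main__":
    for name, handler in (("leaky", reset_request_leaky), ("uniform", reset_request_uniform)):
        print(name, "reveals accounts:", reveals_accounts(handler, "alice@example.com", "nobody@example.org"))
```

The uniform handler still sends the code to real account holders; it simply refuses to tell the requester which addresses those are. Rate limiting on the reset endpoint is the usual companion to this, since the leak the post observed is only useful to someone who can probe many addresses.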

These attacks could be in the form of fake gift cards, as seen above, or something more complex like order confirmation scams, in which clicking the link in the email or opening any associated attachments will install password-stealing malware. Here’s what they look like.

[Image: walmart-deliver]

This attack can be more persuasive if the attackers know the victim has recently ordered something from Walmart. If scammers already know the person has an account, the chances are that the victim will use it during the holiday season.

Among other scams to look out for is the fake failed delivery scam, shown in the image below.

[Image: walmart-failed-delivery]

Right. Just give us a lot of personal information and we’ll be happy to help you out. Again, the grammar gives this one away, but if you’ve just ordered something, you may overlook that.

The Black Friday Scam

Although this scam targets Walmart shoppers, there is no reason that it could not target other retailers.

It begins with receiving the following notice in an email or on a social media site, most often Facebook.

[Image: walmart-black-friday]

Don’t think you are anything special. The goal of the scam is to get your personal information and sell it to those who could target you for spam or more serious scams. The two steps referred to in the scam require you first to share the scam with your Facebook friends and, second, to fill out a form with your personal information.

How to avoid being scammed

There are many other variations on all of these scams. The first rule of thumb is to be suspicious of any message claiming that some retailer is giving you something for free. Check the senders and links by hovering over them with your cursor and looking at the address that appears in the lower left corner of your screen. If it has nothing to do with the retailer, it is spam. However, if it does contain the retailer’s name, that does not necessarily mean it is legitimate. Amazon gives a few examples of fake or spoofed addresses:

seller-performance@payments-amazon.com

amazon-security@hotmail.com

amazon-payments@msn.com

Amazon further points out that they never use hyphenated addresses.

Something Uncomfortable to Note

The hovering technique can be hijacked. I used some code to make an apparent link to Amazon. When hovered over, the link below appears to be associated with Amazon, but it’s not. Actually, clicking on it will do nothing in this case, but the technique could be used by attackers to take you to a completely different page, even a spoofed Amazon page, that they control.

For a special offer from Amazon,

[Image: click-here]

For security reasons, I cannot put the code for this exploit on this site. I, therefore, did an image capture to show what happens if you hover over the ‘click here’ link with your cursor. You will see the Amazon address in the lower left-hand corner of your screen. It appears to be a legitimate link to Amazon, but it is not. In fact, the link is to Bing. You can find the real link by holding down the left mouse button, as I did in the next image capture.
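The two checks the post recommends, looking at the sender address and at where a link really points, can be done mechanically rather than by eye, which also catches the hover trick described above: an anchor whose visible text shows one address while its target is another, or one that carries script handlers that can change the target after the hover text has been shown. The following is an added example, not code from the original post or from Amazon: a sender check using the post's "not the retailer's domain" and "no hyphenated addresses" rules, and a link check over a constructed HTML message. The retailer domain, the sample addresses and the sample HTML are assumptions made for the example.

```python
# Added example (not from the original post): defender-side checks for the
# sender-address and link advice in the post. Sample inputs are constructed.
from html.parser import HTMLParser
from urllib.parse import urlparse


def _belongs(host, retailer_domain):
    """True if host is the retailer's domain or a subdomain of it."""
    return host == retailer_domain or host.endswith("." + retailer_domain)


def sender_check(address, retailer_domain):
    """Return the reasons a sender address looks suspicious (empty list = passes)."""
    reasons = []
    local, sep, domain = address.strip().lower().rpartition("@")
    if not sep:
        return ["not an email address"]
    domain = domain.rstrip(".")
    if not _belongs(domain, retailer_domain):
        reasons.append(f"domain {domain!r} is not {retailer_domain!r} or a subdomain of it")
    if "-" in local or "-" in domain:     # the post quotes Amazon: it never uses hyphenated addresses
        reasons.append("hyphenated address")
    return reasons


class _AnchorCollector(HTMLParser):
    """Collect every <a> tag with its href, visible text and inline on* handlers."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            attrs = dict(attrs)                      # HTMLParser lowercases attribute names
            self._current = {"href": attrs.get("href") or "",
                             "handlers": sorted(k for k in attrs if k.startswith("on")),
                             "text": ""}

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.anchors.append(self._current)
            self._current = None


def _host(url):
    return (urlparse(url.strip()).hostname or "").lower()


def link_check(html, retailer_domain):
    """One dict per anchor: its href, visible text and the reasons it looks suspicious."""
    collector = _AnchorCollector()
    collector.feed(html)
    results = []
    for a in collector.anchors:
        reasons = []
        href_host = _host(a["href"])
        if not _belongs(href_host, retailer_domain):
            reasons.append(f"href host {href_host!r} is not {retailer_domain!r}")
        text = a["text"].strip()
        if text.startswith(("http://", "https://")) and _host(text) != href_host:
            # the visible address and the real target disagree
            reasons.append(f"visible URL shows {_host(text)!r} but href goes to {href_host!r}")
        if a["handlers"]:
            # script on a link can change where it goes after the hover text was shown
            reasons.append("inline script handler(s) on link: " + ", ".join(a["handlers"]))
        results.append({"href": a["href"], "text": text, "reasons": reasons})
    return results


# Constructed sample message, not a real phishing email.
SAMPLE_HTML = """
<p>Congratulations! <a href="https://www.amazon.com/gp/help">See your order</a></p>
<p>Your offer: <a href="https://claim.example-prize.test/amz">https://www.amazon.com/gift-card</a></p>
<p>For a special offer, <a href="https://www.amazon.com/" onclick="go()">click here</a></p>
"""

if __name__ == "__main__":
    for addr in ("seller-performance@payments-amazon.com", "amazon-security@hotmail.com",
                 "amazon-payments@msn.com", "orders@mail.amazon.com"):
        print(addr, "->", sender_check(addr, "amazon.com") or "ok")
    for r in link_check(SAMPLE_HTML, "amazon.com"):
        print(r["href"], "->", r["reasons"] or "ok")
```

The first sample anchor passes; the second is flagged twice (target off-domain, and visible address disagrees with it); the third points at the retailer but is flagged for carrying a script handler, which is the only way the hover text and the eventual destination can differ. Mail clients generally strip such handlers, so the third case matters mostly on web pages.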

[Image: click-here2]

Every year, phishing scams cost consumers half a billion dollars, much of that during the holiday season. In fact, because of ploys like the one above, the seasonal waters seem to be getting more and more difficult to navigate. Many will continue to be fooled, often because greed outpaces fear. Just remember that ’tis the season to be wary.

About Steve Mierzejewski

Marketing consultant for InZero Systems, developer of the next generation in hardware-separated security, WorkPlay Technology. I've worked in Poland, Japan, Korea, China, and Afghanistan. I'm a writer, technical editor, and an educator. I also do some work as a test developer for Michigan State University.

4 Responses to Amazon and Walmart Targeted for Holiday Phishing Scams

  1. Steve, great article about keeping an eye out for scams during the holiday season. I have noticed an increase in the junk emails I get around this time of year as well. Hopefully everyone realized that a retailer offering you something for free, like you mentioned in our article, should raise some red flags. Thank you for the post.


  2. I will be sure to keep an eye out. Thanks.


  3. Pingback: ‘Tis the season…for phishing scams! | TDS Home
