Criminals Upgrade Amazon Email Scams

Yes, I know. Amazon phishing emails have been around since Amazon first started selling merchandise online. But when I see emails making it into my inbox, I realize that there’s been another upgrade in the scammers’ phishing arsenal.

There are several versions of this new campaign and I was lucky enough to see all of them, though not all of them made it into my inbox. Generally, these emails come with a warning that action must be taken within 24 hours or something terrible will happen to your account. “Your Amazon Prime Membership is set to renew on Monday, January 17, 2022. We are having trouble authorizing your payment.” “The billing information you provided did not match the information in the card issuer file.” In the latter case, they claimed to have already locked my account and I needed to perform some action to unlock it. But the action is always the same and involves the attached PDF document.

If you preview or open the attached file, it will look fairly legitimate. It has the correct logo, the wording is apparently copied from actual Amazon emails, and it is signed by the Amazon Help Center. The first sentence, however, should make you suspicious: “We lock your Amazon account and hold all your last orders.” A native English speaker would have used the present perfect, ‘have locked’, or possibly the future, ‘will lock’. Non-native English speakers receiving this message may overlook this grammatical clumsiness and are more likely to be victimized. Others may simply overlook it in the anxiety caused by the possibility of losing their Amazon account.

The timing of these emails is also important. Many people flocked to Amazon to buy merchandise over the holidays. Thus, emails from Amazon would not initially be seen as something unusual. The phishing emails will have a certain face validity and may not be summarily deleted. That’s what the scammers hope for. Step one is to get into a potential victim’s inbox. Step two is to get these emails opened. This is because opening the email will bring the victim a step closer to opening the attached PDF document. Many spam filters don’t allow certain links in the body of an email. If a bad link is detected in the body of an email, the spam filter will designate the email as spam and it will never make it into your inbox. That’s why the link is put into the attachment.

Whether it’s in the main body of the email or the attachment, all of these links look more or less the same.

If you copy the link and paste it into a link checker site, you will find that the link checks out as safe. Yes, the now inactive link (https://adm-screapsunwuqoasd.cloudns.ph/?mmkcair) may look strange, but it is, in fact, connected to a cloud service called ClouDNS which provides free web hosting. The Edge browser, however, will give you the ‘red warning’ if you try to navigate there.

Most of these links will lead you through a series of redirects which can end at a phishing page that looks like the following. This page could be hosted on the ClouDNS server.

If you copy this link and paste it into a word processing program like Word, you will see this: Amazon Sign In (cloudns.ph), which seems to reveal the true intention behind the link. (These links frequently change and this one no longer exists.) However, if you use Tor, the server will refuse to honor your request and you will get a 403 Forbidden error. The scammer’s server has been programmed to accept requests only through channels that it thinks it can exploit. Other phishing links that I received in these Amazon phishing emails sent me to LinkedIn. This was done to make them look legitimate to the spam filter. If you want to see what redirects are behind a link, there are a number of useful sites that can help you with this. A site such as WhereGoes shows how one of the links I got leads to LinkedIn.
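The redirect-tracing that a site like WhereGoes performs can be reproduced locally so that nothing is rendered and no form is ever filled in. The script below is an added example written for this post, not a tool the author used: it issues one request per hop with redirect-following disabled, records the `Location` of each hop, and flags a final URL that mentions the brand name while sitting on some other domain. The hop table at the bottom is constructed for illustration, and every domain in it (`short.example`, `adm-placeholder.cloudns.example`, `amazon-signin.phish-host.example`) is a placeholder.

```python
"""Trace a suspicious link's redirect chain one hop at a time, the way a
redirect-checker site does, without rendering any page.

Added example for this post, not a tool the author used. The hop table at the
bottom is constructed; every domain in it is a placeholder."""
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# A fetcher returns (status_code, Location header or None) for one URL and
# must NOT follow the redirect itself; that is what lets us record each hop.
Fetcher = Callable[[str], Tuple[int, Optional[str]]]
REDIRECT_CODES = {301, 302, 303, 307, 308}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urlopen raise HTTPError on 3xx instead of silently following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_fetch(url: str, timeout: float = 10.0) -> Tuple[int, Optional[str]]:
    """One HEAD request with redirects disabled (needs network access)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, None
    except urllib.error.HTTPError as err:
        # A 3xx lands here because _NoRedirect refused to follow it.
        return err.code, err.headers.get("Location")


def follow_redirects(url: str, fetch: Fetcher = live_fetch, max_hops: int = 10) -> List[str]:
    """Return every URL visited, in order, ending at the first non-redirect
    response. Stops early on a loop (the repeated URL is kept so the loop is
    visible) or when max_hops is exhausted."""
    chain = [url]
    seen = {url}
    current = url
    for _ in range(max_hops):
        status, location = fetch(current)
        if status not in REDIRECT_CODES or not location:
            break
        nxt = urllib.parse.urljoin(current, location)  # Location may be relative
        chain.append(nxt)
        if nxt in seen:
            break
        seen.add(nxt)
        current = nxt
    return chain


def brand_lookalike(url: str, brand: str = "amazon", legit_domain: str = "amazon.com") -> bool:
    """True when the URL mentions the brand anywhere but its host is neither the
    brand's domain nor a subdomain of it, e.g. amazon-signin.somehost.example."""
    host = (urllib.parse.urlsplit(url).hostname or "").lower()
    on_brand_domain = host == legit_domain or host.endswith("." + legit_domain)
    return brand in url.lower() and not on_brand_domain


# Constructed hop table standing in for live responses (placeholder domains).
CONSTRUCTED_HOPS: Dict[str, Tuple[int, Optional[str]]] = {
    "https://short.example/r/abc": (302, "https://adm-placeholder.cloudns.example/?track"),
    "https://adm-placeholder.cloudns.example/?track": (302, "/signin"),  # relative Location
    "https://adm-placeholder.cloudns.example/signin": (303, "https://amazon-signin.phish-host.example/login"),
    "https://amazon-signin.phish-host.example/login": (200, None),
}


def constructed_fetch(url: str) -> Tuple[int, Optional[str]]:
    """Offline stand-in for live_fetch, driven by the constructed hop table."""
    return CONSTRUCTED_HOPS.get(url, (404, None))


if __name__ == "__main__":
    hops = follow_redirects("https://short.example/r/abc", fetch=constructed_fetch)
    for i, hop in enumerate(hops):
        flag = "  <-- brand lookalike" if brand_lookalike(hop) else ""
        print(f"{i}: {hop}{flag}")
```

Swapping `constructed_fetch` for the default `live_fetch` traces a real link; the `Tor` behaviour the post describes (a 403 on the first hop) would simply show up as a chain of length one with a 403 status, which is itself worth noting when triaging a link.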

Opening the attachment will give you a PDF file called “Report-Letter” plus some random numbers. You can put anything in the fake login page, as long as it looks like an email address, and use any password. You will eventually get to a page that gathers your personal information. It automatically detects your location and puts it at the top of the form to give it an air of legitimacy. (The one shown is not my real location.) Then you will be asked for your credit card details.

I used a fake credit card number generator and used a fake name to fill out the information. Interestingly, when I was finished, I was given a message that my login was successful, and I was sent to my real Amazon login page. Since the attackers knew my email address, that address was already known by Amazon and so they presented me with my account name and email address. To the unsuspecting, this may just seem like a legitimate step. Of course, the attackers have all of the information you have just entered. They don’t need to wait for you to sign into your account.

Much of the success of these attacks is based on hiding the address of the sender. Upon opening the email, you will see something like this.

Having the name ‘amazon’ appear as often as possible may make a person overlook some of the details, like the numbers following “update-account”. If you click on “show details” you will find something like this.

Notice the clever use of hyphens. They are used to spoof an address like amazon.com.
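The display-name and hyphen tricks in the sender address, plus the PDF delivery of the link, are all mechanical enough to check automatically before a message reaches a person. The script below is an added example for this post, not code from the author: it parses a raw message with Python's standard `email` module, compares the registrable domain of the sender address against the genuine `amazon.com`, flags a display name or hostname that leans on the word ‘amazon’ without coming from that domain, spots `amazon-com` written with a hyphen where the real domain has a dot, and notes any PDF attachment. The sample message is constructed; `amazon-com.example` and the `update-account-48219` numbering are placeholders, and the two-label `registrable_domain` heuristic is a stated simplification (real code should use the Public Suffix List).

```python
"""Inspect a message's From: header for the tricks described above: a display
name full of 'amazon', a hostname with hyphens where amazon.com has a dot, and
a PDF attachment carrying the link that a body-link filter would have caught.

Added example for this post, not from the original. The message below is
constructed; its domains are placeholders, not real sender addresses."""
import email
from email import policy
from email.utils import parseaddr
from typing import List, Tuple

LEGIT_DOMAINS = ("amazon.com",)


def registrable_domain(host: str) -> str:
    """Assumption: the registrable part is the last two labels. Production code
    should consult the Public Suffix List (this heuristic breaks on e.g. co.uk)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def sender_findings(from_header: str, brand: str = "amazon",
                    legit_domains: Tuple[str, ...] = LEGIT_DOMAINS) -> List[str]:
    """Return human-readable reasons the From: header looks like a spoof
    (empty list means nothing suspicious was found)."""
    name, addr = parseaddr(from_header)
    findings: List[str] = []
    if "@" not in addr:
        return ["From header carries no usable address"]
    local, host = addr.rsplit("@", 1)
    host = host.lower()
    reg = registrable_domain(host)
    if reg in legit_domains:
        return findings  # genuine brand domain: nothing to flag here
    if brand in name.lower():
        findings.append(f"display name mentions '{brand}' but mail comes from {reg}")
    if brand in host:
        findings.append(f"hostname '{host}' contains '{brand}' but registrable domain is {reg}")
    for legit in legit_domains:
        if legit.replace(".", "-") in host:  # amazon-com... where amazon.com would be
            findings.append(f"hyphens stand in for the dots of {legit} in '{host}'")
    if brand in local.lower():
        findings.append(f"local part '{local}' mentions '{brand}'")
    return findings


def message_findings(raw: bytes) -> List[str]:
    """Parse a raw RFC 5322 message and combine the sender checks with a
    check for the PDF-attachment delivery trick."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = sender_findings(str(msg["From"] or ""))
    for part in msg.iter_attachments():
        if part.get_content_type() == "application/pdf":
            findings.append(
                f"PDF attachment {part.get_filename()!r}: links inside attachments "
                "are not seen by body-link spam filters")
    return findings


# Constructed sample message (placeholder domains, made-up numbers).
CONSTRUCTED_EMAIL = b"""From: "amazon update-account-48219" <update-account-48219@amazon-com.example>
To: customer@example.org
Subject: Your Amazon Prime Membership is set to renew
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

We are having trouble authorizing your payment. See the attached letter.
--b1
Content-Type: application/pdf; name="Report-Letter-7731.pdf"
Content-Disposition: attachment; filename="Report-Letter-7731.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

if __name__ == "__main__":
    for finding in message_findings(CONSTRUCTED_EMAIL):
        print("-", finding)
```

Run against the constructed message this reports four findings: the display name, the hostname, the hyphen substitution and the PDF attachment. A genuine `ship-confirm@amazon.com` sender produces none, while a subdomain trick such as `alerts@amazon.com.accounts-mail.example` is caught by the registrable-domain comparison rather than by string matching on ‘amazon.com’.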

In any event, once the hackers get all of your personal information, they can do what they want with it. They can, of course, sell your credit card information or use it to purchase something. They could do this by taking over your Amazon account, since you gave them all the information they needed to do so. Then again, they may simply sell your personal information so as to avoid the risk of getting caught.

Those who fall for the scam will also find themselves on a ‘suckers list’ of people who were scammed in the past and are likely to be scammed in the future. If a person was scammed by a fake Amazon email, wouldn’t they be more likely to be scammed by a well-designed, targeted ransomware email? In other words, this attack could easily migrate from the individual victim to the corporate victim. This is how bad behavior by one of your employees can compromise the company network. Be sure to use endpoint protection that factors in irresponsible employee behavior, or suffer the consequences. And be wary of any Amazon messages that make it into your inbox.
