Lately, I have received more phishing emails in my burner (test) email that are related to Amazon than ever before. This probably due to the influx of online shopping driven by COVID-19. Attackers are smart, they know that people are shopping online for essentials rather than going to the store in person. During this post I will take you through one of the most recent emails I have received, explain some of the key markers that can be used to identify this as a phishing email, and demonstrate what would happen if someone clicked the phishing link.
Giveaways – what makes this a phish?
The following screenshot is the most recent Amazon email received:
Let’s take a look at some of the clear giveaways in this email:
1. Sender’s address
I don’t know about you but, to me, this doesn’t appear to be one of Amazon’s legitimate customer service email addresses….
2. Additional email recipient:
As shown in the image above, this link above does appear to be an amazon email. However, it’s included in the recipients list, not the sender. The attacker likely added a real Amazon email address into the recipients list to make the email appear more convincing. Everyone who received the email was “BCC” – blind carbon copied.
3. Embedded URL within “Update Your Payment” button
- https://fahmmipejuh [.] com/SfoTPB4
Right click the “Update Your Payment” button – Select “copy link address”. Paste this into a text editor to view the URL. This definitely doesn’t appear to be an Amazon address.
4. Email Subject / Content
- By labeling the email ‘Fraud Payment Detection,’ a victim might be scared into interacting with this email. No one wants to be accused of fraud.
- The email creates a sense of urgency in the recipient. The request indicates there is a problem with a form of payment and that account details must be updated. If the victim had recently made an important purchase, they may feel rushed into quickly updating the payment information without validating the email’s links thoroughly.
- Note – the email’s subject and contents do not appear to match. Why would the fraud department be involved in dealing with a user’s expired credit card? That isn’t fraud.
Let’s take a look at what would be presented to a victim who has clicked the phishing link. (DISCLAIMER – Do NOT click on links or respond to emails you are unfamiliar with.)
Step 1. Click the embedded link. It appears it has brought us out to a fake Amazon login portal (see screenshot below). Entering fake information for the email, I proceed to click the ‘Continue’ button and enter a fake password.
Step 2. As shown in the screenshot below, the website now wants billing address information – name, address, phone number, date of birth, and even your social security number! After providing the attacker with more fake information we proceed to click the “Update” button.
Step 3. The last information the website is requesting from the user is credit card information (see screenshot below). Entering fake information again and proceeding to click the “Update” button.
If you pay close attention, you will notice that none of the URLs in the screenshots above are for legitimate Amazon resources.
What to do if you have fallen for a similar scam?
- Contact the service being mimicked in the phishing email.
- Many companies can help implement additional alerting for the account.
- The company can help change the user account password.
- If available, the company can help you implement Multi-Factor Authentication for the account.
- Although it is never recommended to share passwords between your accounts, if your password was utilized on other sites (social network / bank / other login portals), rotate the credentials for all of those sites.
- Change the password at all login portals.
- Call your established credit card company.
- Implement account alerts.
- Possibly re-issue a new credit card.
- Stop any unknown payments / purchases.
- Look into spam mail filtering capabilities with email provider.
- Possibly block / flag any unwanted future emails.
- Consider utilizing an identity theft protection service.