The most recent Amazon phishing scam was so well-conducted that it tricked email providers into believing it was legitimate.
In the wake of business closures and fear of being part of the COVID-19 spread, Amazon has played a monumental role in allowing many of us to avoid a trip to the store. Phishing attempts targeting Amazon users are nothing new, but due to its increased popularity, Amazon continues to be a top hotspot for cybercriminals to conduct their schemes.
If you’ve ever taken a gander at your email account’s spam folder, you’ll likely find a bunch of scammy emails that your email provider took the liberty of filtering for you. Email programs typically come with basic filtering that catches the most obvious scam attempts. This handy feature has likely saved most of us from a few phishing attempts and, of course, from the Nigerian prince who desperately wants to pass on our inheritance from a long-lost relative.
With this most recent Amazon Phishing Attempt, cybercriminals were so sly that they tricked email providers into believing their scam email was legitimate.
The Newest Amazon Phishing Scam
When it comes to phishing scams, cybercriminals aim to collect as much personal and financial information from victims as possible. They use this information either for their own gain or to sell on the deep web so other criminals can use the stolen information; often, they do both! If you’re looking to learn more about phishing, make sure to check out our prior post: Phishing Explained: Everything You Need to Know About Phishing Scams.
Here’s how this particular scam went down.
Cybercriminals sent an email alerting targets of an Amazon delivery order failure.
It’s unknown how the cybercriminals decided who to target in this attack. Email addresses that leaked in the past are often sold in lists on the deep web. A list containing only Amazon users obtained from a prior phishing scam may have been used, or the email may have been sent to a larger group of people, some of whom may not have had an association with Amazon.
This email appeared to come from a legitimate third-party vendor account, Blomma Flicka Flowers, a floral design company based in Vermont. This suggests that hackers may have obtained an employee’s credentials, but this has not yet been confirmed. Nonetheless, because the email appeared to come from a legitimate source, email spam blockers believed it to be legitimate and did not flag it as suspicious.
Victims were instructed to update their payment details within 3 days, otherwise, their order would be canceled.
One of the many ways scammers rack up so many victims is by creating a sense of urgency. If you’ve ever felt pressed for time or done something in a hurry, you may have noticed that you weren’t quite as careful. Creating a sense of urgency with a 3-day time limit causes most people to act hastily, ignoring red flags that they likely would have noticed if they weren’t in a rush. Cybercriminals capitalize on this carelessness and know that if they’re going to be successful, they need to do whatever they can to avoid setting off the “scam alert” in potential victims’ heads.
Cybercriminals harvested victims’ Amazon login information and card details.
When clicking on the link to update their billing information, victims were led to a website that looked identical to the Amazon login page and were asked to sign in. Victims blindly entered their Amazon login credentials as they normally would do when reaching the Amazon website. This provided the hackers with their email address and password to do with as they please.
On the next page, victims were asked to update their billing address. Still, the website continued to match the overall look and feel of the real Amazon website, so victims proceeded to enter their full name, address, phone number, and birth date. This was followed by a page requesting their billing information, including the name shown on the card, the full card number, expiration date, and security code. This information was also sent directly to the cybercriminal and not to Amazon.
Once they provided their information to the scammers, victims were redirected back to the actual Amazon home page, none the wiser.
A Deeper Look
Phishing attempts are nothing new, but this particular one was a big deal because it got past the basic email filtering. How is that possible, and what else made this phishing scam unique?
This phishing email didn’t follow the same rules as traditional phishing attacks.
Both the sender’s name and the email address domain indicated that the email came from a legitimate third-party vendor account via Amazon. Because of this, it was able to pass the email providers’ authentication checks.
The domain used for this email (blommaflicka.com) is a legitimate Amazon seller. They operate a floral design company in the US state of Vermont. While this hasn’t been confirmed, it’s possible that attackers got a hold of a Blomma Flicka Flowers employee’s login credentials and used the email to launch their attack.
The phishing link provided in the email wasn’t yet discovered as a malicious link.
When victims followed the email’s request to update their billing information, they were brought to a website created using Square, a popular website builder. This website was created on July 7th, the same day that the phishing email began circulating. For traditional antivirus programs to pick up on bad sites, they first need to know that a site exists, then add it to their blacklist. In this case, the website was simply too new to be detected, and as such, it wasn’t flagged.
The phishing website was an exact replica of the Amazon website.
Most phishing websites contain minute differences that typically set off some red flags. In this case, not only did the website appear as an exact match to the Amazon website, but at the end of the phishing flow of events, users were redirected back to the main Amazon homepage.
How Can I Avoid Being Victim to Advanced Phishing Attacks?
Phishing attacks aren’t going anywhere any time soon. Because of this, it’s important to learn all you can about phishing, because successful attacks can lead to the loss of funds from your bank account, fraudulent charges, and identity theft. Here are things that you can do to stay ahead of attackers and protect yourself from phishing attacks:
Stay up to date on the tactics that attackers use to conduct phishing attacks.
You can learn more about phishing scams in our article: Phishing Explained: Everything You Need to Know About Phishing Scams. And go by these two rules to spot nearly every phishing scam.
Use browser protection.
In this instance, the phishing website was too new for traditional antivirus programs to identify it as fraudulent. Browser protection tools like Guardio warn you when a website you visit is too new to be trusted. In the case of this Amazon lookalike website, most of us know that Amazon has been around for a long time, since 1994, in fact.
Look Out for URGENT Emails.
Criminals prey on our fears and know that if they urge us to act fast, we’re more likely to compromise our better judgment for fear of what might happen if we don’t take action right away. In this case, users were warned that their order would be canceled if they didn’t update their billing information within 3 days.
Look Out for Spelling and Grammar Mistakes.
Legitimate organizations have editors and numerous team members reviewing each email that they send. While everyone makes a mistake here or there, a legitimate organization isn’t going to send an email that includes multiple spelling or grammar mistakes. They’re going to read the email over and make those corrections well before the email reaches your inbox.
Double-check the URL for the page that you’re visiting.
While the website may appear identical, as was the case with this Amazon phishing scam, if victims had checked the URL first, they would have seen that they were not on the real Amazon website.
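As an added example (not code from the original article), here is how the URL check above can be made mechanical: a link is reduced to its registrable domain and compared to the expected one, so a host that merely contains the text “amazon.com”, or hides it before an `@`, is still rejected. The sample links are constructed, and the two-label domain rule is an assumption that works for .com-style hosts but would need a public-suffix list for domains such as example.co.uk.

```python
"""Check whether a link really leads to the site its page imitates."""
from typing import Optional
from urllib.parse import urlsplit

# Expected registrable domain for the site being imitated (Amazon, per the article).
EXPECTED_DOMAIN = "amazon.com"


def registrable_domain(url: str) -> Optional[str]:
    """Return the last two labels of the URL's host (e.g. 'amazon.com').

    Assumption: a two-label rule is enough for .com-style hosts; a
    public-suffix list would be needed for hosts like 'shop.example.co.uk'.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None
    # .hostname strips any 'user@' prefix and port, and lowercases the host,
    # so 'https://amazon.com@evil.example/' yields 'evil.example'.
    host = parts.hostname
    if not host:
        return None
    labels = host.rstrip(".").split(".")
    if len(labels) < 2:
        return None
    return ".".join(labels[-2:])


def is_expected_site(url: str, expected: str = EXPECTED_DOMAIN) -> bool:
    """True only when the link's registrable domain is exactly `expected`."""
    return registrable_domain(url) == expected


# Constructed sample links modelled on the lookalike described in the article.
SAMPLE_LINKS = {
    "https://www.amazon.com/gp/css/order-history": True,
    "https://amazon.com.update-billing.example/login": False,  # brand as a subdomain
    "https://amazon.com@update-billing.example/login": False,  # brand in the userinfo part
    "https://www.amaz0n.com/login": False,                     # typo / lookalike spelling
    "http://amazon.com/": True,                                # right site, plain HTTP
}

if __name__ == "__main__":
    for link, expected_ok in SAMPLE_LINKS.items():
        verdict = "OK " if is_expected_site(link) else "BAD"
        print(verdict, link)
```

Note that the last sample passes the domain check while still using plain HTTP; whether the connection is encrypted is a separate question, covered in the next point.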
Make Sure You’re On a Secure Page Before Entering Personal Data.
On Google Chrome, for example, a lock icon shows you that a site is secure, while a red triangle means that the site could be dangerous. You should always see HTTPS rather than HTTP at the beginning of the URL. The “S” stands for “secure.”