Good day, welcome to another bulletin from Breaking Scams…
Scam, just in…
When I first saw the Amazon spoof email in my inbox it confused me. The content was empty except for a dash (see first email below – red arrow pointing to the dash). The email purported to be from Amazon stating that I needed to recover my account now.
As I went to open it fully, I accidentally clicked in the body content part of the email. This instantly opened a browser, which I quickly closed before it fully opened.
I moved the email to my quarantine folder so I could look more closely at it. As soon as I did, the email content, which was a graphic, downloaded and opened in the body of the email to reveal what it was actually trying to spoof – an Amazon email about my account (see email 2 below).
How to tell this is an Amazon scam email
The email had various signs it was a scam email:
The title
The email title was a dead giveaway:
“[Action required]: mynamefrommyemailaddress, Recover Your Amazon.com Account Now”
The email was prompting me to recover my Amazon account.
Account recovery scam emails are a common form of phishing email. They pair a ‘sense of concern’ about a possibly hacked account with a ‘sense of urgency’, using prompts such as ‘action required’, ‘act now’ or ‘immediate attention needed’.
The sender’s email address
Although the email looked like it was from Amazon, with the address seemingly from amazon.com, when expanded the address was actually n8nmgf79.2xy6helg6p.s4x@ppphoesmann.eu
The body content
The content of the email focused on my account. There was the suggestion that there had been a security breach and my account was now suspended. To restore my account, I had to log in within 2 days.
What was interesting about this scam was the fact that the entire body content, including the text, was an image. Many scam messages use a mix of text with individual buttons or hyperlinked text. The victim has to click on the button or hyperlink to open the spoof site. With this scam message, a click anywhere in the body of the email would open the spoof page.
This is particularly sinister as an accidental click (as in my first encounter) would begin the process – no need to trick the user into a deliberate click of a button.
What is the result of clicking this scam email message?
At first, I thought the scam might take me to an exploit kit. This is a site that uses automated scanning software to identify vulnerabilities in a browser or related software. It then exploits these vulnerabilities, running malware and infecting your machine.
To test the site for any malware or exploit kits, I copied the link (using a right-click) and removed my email address from the link query string. I then used tools offered by IBM X-Force and Comodo to run a check against the link. The results showed me no malware was present.
NOTE: Often links to spoof sites from phishing emails will contain your email address in the query string so that the scammers know where the click has originated. They will then know you are a vulnerable person likely to fall for a scam.
The spoof site was not an exploit kit; instead, it was being used to collect login credentials. If I had followed through with the click, I’d have been asked to enter my Amazon login credentials, which would have been passed immediately to the scammer, who would have used them to hijack my account.
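The warning signs described above (a sender address that does not match the brand, urgency wording in the title, an all-image clickable body, and the recipient's address in the link query string) can be checked automatically. The following is an added example, not part of the original post: the message is a constructed sample, and the function name, finding labels, display name, placeholder hosts and text-length threshold are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Constructed sample, not the real email; example.invalid/example.org are placeholders.
SAMPLE = """\
From: "Amazon.com" <n8nmgf79.2xy6helg6p.s4x@ppphoesmann.eu>
To: user@example.org
Subject: [Action required]: user, Recover Your Amazon.com Account Now
Content-Type: text/html; charset="utf-8"

<html><body><a href="http://spoof.example.invalid/r?id=7&amp;e=user@example.org">
<img src="http://spoof.example.invalid/body.png"></a>-</body></html>
"""

class BodyScan(HTMLParser):  # collects link targets, image count, visible text
    def __init__(self):
        super().__init__()
        self.links, self.images, self.text = [], 0, ""
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.links.append(attrs["href"])
        elif tag == "img":
            self.images += 1
    def handle_data(self, data):
        self.text += data

def triage(raw, brand="amazon", brand_domains=("amazon.com",)):
    msg = message_from_string(raw)
    name, addr = parseaddr(msg["From"])
    recipient = parseaddr(msg["To"])[1].lower()
    domain = addr.rpartition("@")[2].lower()
    scan = BodyScan()
    scan.feed(msg.get_payload())
    findings = []
    legit = any(domain == d or domain.endswith("." + d) for d in brand_domains)
    if brand in name.lower() and not legit:  # display name claims the brand
        findings.append("sender-domain-mismatch")
    if re.search(r"action required|act now|immediate attention", msg["Subject"], re.I):
        findings.append("urgency-subject")
    if scan.images and scan.links and len(scan.text.strip()) < 5:  # assumed threshold
        findings.append("image-only-clickable-body")
    for href in scan.links:  # recipient address used as a click tracker
        if any(v.lower() == recipient for _, v in parse_qsl(urlsplit(href).query)):
            findings.append("recipient-in-link-query")
    return findings
```

Calling `triage(SAMPLE)` returns all four findings; the function handles single-part HTML messages only, so a multipart message would need its HTML part extracted first.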
The moral of the story is to be careful of clicking anywhere in an email, not just on links. If it looks suspicious, check the email sender’s address first. If in doubt, either contact the company or go directly to your account by manually typing the address into a browser and checking the status there. Most organisations will have online messages associated with an account if there is a problem.
Why not help your colleagues stay safe and send them this little reminder? Feel free to edit, copy/paste the advice below:
The Amazon Scam
A scam email which looks like it is from Amazon may drop into your inbox. Be very careful about this email. Clicking anywhere in the body of the email will open a spoof site. Do not under any circumstances enter your Amazon login credentials to their site – they will end up being stolen by a cybercriminal.
If in doubt, contact Amazon or manually type Amazon’s URL into a browser and log in to your account to see if there are any issues.
Don’t forget to share this with your colleagues and friends and help them stay safe.
Let’s keep breaking scams!