The Amazon brand is the darling of the scammers. Amazon is a major retail success story with around USD 232 billion (188 billion GBP) worth of sales in 2018. If you don’t use Amazon, you will know someone who does. This is why fraudsters choose the brand to head up a phishing campaign.
This week’s scam is another in the Amazon suite of scams which includes the infamous Amazon Prime Day Scam and the Amazon Flagged Account Scam. This time the emphasis is again on account security but with a slight twist that it is targeting business users.
What this Amazon Scam looks like
The email is branded as Amazon Business Services. It uses the popular social engineering trick of creating a sense of concern and urgency. It did this by telling me that my account had possibly been breached and I had 24 hours to rectify it.
Illegitimate account login attempts and account takeovers are a massive problem the world over. The volume of this type of fraud has increased in line with the growing number of data breaches. Stolen information, including login credentials, is used to attempt logins to popular online accounts, like Amazon. The technique is called “credential stuffing”.
To receive an email reporting an attempt to log in to an Amazon account is, therefore, not far-fetched. In other words, the cybercriminals are like a double agent, playing your anxiety off against a real threat whilst perpetuating that threat. It just makes business sense to them.
As usual, the tell-tale signs of phishing are there, including:
- The email is badly written and has a number of misspelled words
- The sender’s email address is obviously not an Amazon domain
- The salutation is not personalised
What happens when you click the link?
What is particularly cheeky and simple about this scam email is that the link takes you to a website that does not contain any malware itself. Instead, this is a site to collect data. The email states that:
“We have prepared a form to update your billing request…”
The website then asks you to enter your billing data. If you do so, it is sent to the fraudster behind the scam to use in identity theft.
One important note…
Opening the source of the email revealed that its content was encoded in such a way that it displayed correctly when rendered as HTML, but when viewed in Notepad or a similar text editor it looked like gibberish.
The sentence “We have prepared a form to update your billing request…” which I re-wrote, when copied and pasted displays this:
WNJPMIMTRDIeJeTe73By hJeTe73ByaJeTe73ByvNJPMIMTRDIeJeTe73By pNJPMIMTRDIrJeTe73ByeJeTe73BypNJPMIMTRDIaJeTe73ByrJeTe73ByeJeTe73BydJeTe73By aJeTe73By fNJPMIMTRDIoJeTe73ByrJeTe73BymNJPMIMTRDI fNJPMIMTRDIoJeTe73ByrJeTe73By yJeTe73ByoJeTe73ByuJeTe73By tNJPMIMTRDIoJeTe73By uJeTe73BypNJPMIMTRDIdJeTe73ByaJeTe73BytNJPMIMTRDIeJeTe73By yJeTe73ByoJeTe73ByuJeTe73ByrJeTe73By bNJPMIMTRDIiNJPMIMTRDIlNJPMIMTRDIlNJPMIMTRDIiNJPMIMTRDInJeTe73BygNJPMIMTRDI aJeTe73BydJeTe73BydJeTe73ByrJeTe73ByeJeTe73BysNJPMIMTRDIsNJPMIMTRDI
My guess is the fraudsters have used this obfuscation technique to evade detection by an email gateway. As this is an email targeting corporate Amazon users, this makes sense. Email gateways are often used as a defence against phishing. However, fraudsters always find ways to avoid detection.
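Looking closely at the copied string, the pattern is regular: every visible letter is followed by one of two filler strings, NJPMIMTRDI or JeTe73By, and removing both leaves the sentence “We have prepared a form for you to update your billing address”. The script below is an added example, not code from the original post or from any email gateway product. It discovers such filler tokens by frequency (an alphanumeric run that repeats dozens of times inside one sentence is not natural language), strips them to recover the visible text, and reports what fraction of the message was padding. The thresholds (`min_len`, `max_len`, `min_count`, the 0.3 ratio) are assumptions to be tuned per corpus, and the example works on the copied text only, since the page does not show how the fillers were hidden when rendered.

```python
import re
from collections import Counter

# Copied text as it appears in the blog post: the visible sentence with two
# hidden filler strings ("NJPMIMTRDI" and "JeTe73By") glued after every letter.
OBFUSCATED = (
    "WNJPMIMTRDIeJeTe73By hJeTe73ByaJeTe73ByvNJPMIMTRDIeJeTe73By "
    "pNJPMIMTRDIrJeTe73ByeJeTe73BypNJPMIMTRDIaJeTe73ByrJeTe73ByeJeTe73BydJeTe73By "
    "aJeTe73By fNJPMIMTRDIoJeTe73ByrJeTe73BymNJPMIMTRDI fNJPMIMTRDIoJeTe73ByrJeTe73By "
    "yJeTe73ByoJeTe73ByuJeTe73By tNJPMIMTRDIoJeTe73By "
    "uJeTe73BypNJPMIMTRDIdJeTe73ByaJeTe73BytNJPMIMTRDIeJeTe73By "
    "yJeTe73ByoJeTe73ByuJeTe73ByrJeTe73By "
    "bNJPMIMTRDIiNJPMIMTRDIlNJPMIMTRDIlNJPMIMTRDIiNJPMIMTRDInJeTe73BygNJPMIMTRDI "
    "aJeTe73BydJeTe73BydJeTe73ByrJeTe73ByeJeTe73BysNJPMIMTRDIsNJPMIMTRDI"
)

ALNUM_RUN = re.compile(r"[A-Za-z0-9]+")


def discover_fillers(text, min_len=6, max_len=12, min_count=10):
    """Return alphanumeric substrings that repeat far too often to be words.

    Every window of min_len..max_len characters inside each alphanumeric run
    is counted. Candidates are examined longest first; a shorter candidate
    that is merely a piece of an already accepted filler is dropped, so
    "JPMIMTRD" does not survive next to "NJPMIMTRDI". The thresholds are
    assumptions (hypothetical defaults), not values from the blog post.
    """
    counts = Counter()
    for run in ALNUM_RUN.findall(text):
        for length in range(min_len, max_len + 1):
            for i in range(len(run) - length + 1):
                counts[run[i:i + length]] += 1

    accepted = []
    for cand, n in sorted(counts.items(), key=lambda kv: (-len(kv[0]), -kv[1])):
        if n < min_count:
            continue
        if any(cand in tok for tok in accepted):
            continue
        accepted.append(cand)
    return set(accepted)


def strip_fillers(text, fillers):
    """Remove filler tokens, longest first, so nested tokens leave no residue."""
    for tok in sorted(fillers, key=len, reverse=True):
        text = text.replace(tok, "")
    return text


def analyse(text, suspicious_ratio=0.3):
    """Recover the visible text and flag messages that are mostly padding."""
    fillers = discover_fillers(text)
    visible = strip_fillers(text, fillers)
    hidden_ratio = 1 - len(visible) / len(text) if text else 0.0
    return {
        "fillers": fillers,
        "visible_text": visible,
        "hidden_ratio": round(hidden_ratio, 3),
        # Flag only when fillers were found AND they make up a large share of
        # the message; a single repeated word in a long email should not trip it.
        "suspicious": bool(fillers) and hidden_ratio > suspicious_ratio,
    }


if __name__ == "__main__":
    report = analyse(OBFUSCATED)
    print("fillers found :", sorted(report["fillers"]))
    print("visible text  :", report["visible_text"])
    print("hidden ratio  :", report["hidden_ratio"])
    print("suspicious    :", report["suspicious"])
```

A gateway that scores only the text a human would read, after stripping such padding, sees the same phishing sentence the recipient sees; a gateway that scores the raw bytes sees fifty short "words" and never matches a single phishing phrase, which is the gap the author suspects the fraudsters were aiming for.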
This is why security awareness training should always be used alongside technological measures.
Why not help your colleagues stay safe and send them this little reminder. Feel free to edit, copy/paste the advice below:
Another Amazon Scam
An Amazon Scam targeting business users, in particular, is popping up in our inboxes. The email looks like it is from Amazon Business Services and states that there has been an unauthorised access attempt on your account. However, it is a scam attempting to steal billing data. Take great caution with any emails of this nature.
DO NOT CLICK ANY LINKS IN THE EMAIL
For more information on what to do if you receive a phishing email check out “What to Do if You Click on a Phishing Link?”