Amazon Phish Hunts for Security Answers and Payment Information

February 18, 2025

By Adri Andaya, Cofense Phishing Defense Center

In today's dynamic and continuously evolving cyber environment, numerous services and platforms have emerged to make daily life more convenient for a very large user base. A good example is Amazon Prime, which bundles streaming, a dependable shopping platform, and gaming content. Users must subscribe and pay a recurring fee to enjoy these benefits, and that billing relationship is exactly what this lure abuses.

The Cofense Phishing Defense Center (PDC) has observed a range of phishing tactics aimed at popular platforms such as Netflix, Spotify, and YouTube, exploiting their large user bases through malicious redirects or brand imitation. Recently, the PDC identified a phishing scheme aimed at Amazon Prime users. This one does not stop at login credentials: it also collects verification details and payment data that can be used for further fraud.

Figure 1: Email Body

The threat arrives as an email that appears to be a legitimate Amazon Prime notification telling the user that their payment method has expired or is no longer valid. As Figure 1 shows, the sender's display name has been set to "Prime Notification" while the actual sending address belongs to a lesser-known domain with no connection to Amazon. The subject line looks ordinary and tells the recipient that the subscription is due for renewal. The body closely resembles a genuine Amazon message: it carries the Amazon logo, familiar wording, a prompt to update the user's information, and even a corporate footer. Threat actors rely on these touches to create a false sense of security and avoid raising suspicion. The message also manufactures urgency, so a recipient who fears losing the subscription is more likely to click the button to "check" their payment information.
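The two header-level red flags described above (a brand name in the display name that does not match the sending domain, and a call-to-action link that leaves the brand's own domain) are straightforward to check mechanically. The following Python script is an added example written for this post, not Cofense tooling; the sample message, its addresses and its link are constructed for illustration, and the list of legitimate Amazon sender domains is deliberately short and illustrative rather than authoritative.

```python
"""
Added triage example (not from the Cofense post). Parses a constructed sample
email, compares the From display name against the sending domain, and lists
the hosts that the message's links point to. All sample data is made up.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: a brand-named display name on an unrelated sender domain,
# and a button that leads to a Google Docs page rather than amazon.com.
SAMPLE_EML = """\
From: "Prime Notification" <notice@example-unrelated-domain.test>
To: victim@example.org
Subject: Your Prime membership payment could not be processed
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your payment method is no longer valid. Update your information to keep Prime.</p>
<a href="https://docs.google.com/drawings/d/EXAMPLEID/preview">Update payment information</a>
</body></html>
"""

BRAND_WORDS = ("amazon", "prime")
# Illustrative allow-list only; a real deployment would use the brand's published sender domains.
LEGIT_SENDER_DOMAINS = ("amazon.com", "amazon.co.uk")


def is_brand_host(host):
    """True if host is one of the legitimate brand domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in LEGIT_SENDER_DOMAINS)


def check_sender(msg):
    """Return (display_name, sender_domain, spoofed) for the From header.

    'spoofed' means the display name invokes the brand while the address
    domain is not one of the brand's own domains.
    """
    name, addr = parseaddr(msg["From"])
    domain = addr.rsplit("@", 1)[-1].lower()
    name_mentions_brand = any(w in name.lower() for w in BRAND_WORDS)
    return name, domain, name_mentions_brand and not is_brand_host(domain)


def link_hosts(msg):
    """Extract the hostnames of every href in the HTML (or plain-text) body."""
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    hrefs = re.findall(r'href="([^"]+)"', body)
    return [h for h in (urlparse(u).hostname for u in hrefs) if h]


def triage(raw):
    """Run both checks over a raw RFC 5322 message and return the findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, domain, spoofed = check_sender(msg)
    hosts = link_hosts(msg)
    return {
        "display_name": name,
        "sender_domain": domain,
        "spoofed_display_name": spoofed,
        "offbrand_link_hosts": [h for h in hosts if not is_brand_host(h)],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

Run against the constructed sample, the script reports a spoofed display name ("Prime Notification" on `example-unrelated-domain.test`) and one off-brand link host, `docs.google.com`, which is the same pair of signals a reader would pick out of Figure 1 by hand.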

Figure 2: Fake Amazon Security Alert

When the user clicks the button to update their information, they are redirected to a page carrying an Amazon-style security verification notice, shown in Figure 2, which is designed to deepen the deception. The first red flag recipients should check is the URL: the address bar shows a Google Docs page (docs.google.com) rather than Amazon's own website, which should immediately raise suspicion.

In addition, it is highly unlikely that a user would be asked to update payment information directly from an email link; the normal process is to sign in to the account first and make changes there, because the data being entered is highly sensitive. Amazon also advises its users to verify the sender of any message claiming to come from Amazon, both to guard against phishing and scams and to confirm that notifications are genuine.

Figure 3: Amazon Login Page

Once the recipient gets past the fake security notice, they are presented with the fake Amazon login page shown in Figure 3, which the threat actor uses to harvest credentials. Users should always double-check where they are logging in and make sure additional protections such as multi-factor authentication are enabled, so that a leaked password alone is not enough to take over the account. Simple but effective habits include verifying the URL in the address bar before entering anything and bookmarking the legitimate login URL so that sign-ins always start from a known-good address.

Figure 4: Credential Update Page

After the credentials are entered, the user is sent to an account update page containing a disclaimer and a short list of steps, shown in Figure 4. This page is suspect because a genuine login would land the user on the main Amazon interface, not on a page demanding that they "secure" their account. Keen eyes should also spot the grammatical error in the warning text; such minor mistakes are common on phishing pages, and attention to details like this helps in identifying scams.

Figure 5: Personal Information Phishing Page

As seen in Figure 5, the page asks for the victim's mother's maiden name, date of birth, and phone number. A mother's maiden name is a common security question and can be used to get past account-recovery or identity-verification steps; the date of birth is likewise a standard verification datum; and the phone number gives the attacker a direct channel to the victim, useful when one-time passcodes or call-back verification are required. These details should be treated as sensitive and supplied only to trusted sources.

Figure 6: Address Phishing Page

In Figure 6, the threat actor collects the victim's billing address. With residential details in hand, an attacker can file a change-of-address request with postal services and have the victim's mail and packages redirected, intercepting sensitive documents, financial statements, or valuable deliveries. The address also feeds identity theft. In a less likely but still possible scenario, the compromised details could be used for physical surveillance of the victim, potentially leading to robbery.

Figure 7: Payment Information Phishing Page

As observed in Figure 7, the phishing site asks for the victim's debit or credit card details: cardholder name, card number, security code, and expiration date. With these, a threat actor can initiate and authorize multiple fraudulent transactions. Anyone who believes they have entered card details into a scam or phishing site, or who notices unfamiliar transactions, should contact their bank promptly so that the card can be blocked or monitored and further charges stopped.

Verify that the sender is one of Amazon's genuine corporate email addresses or, for SMS notifications, one of Amazon's registered numbers. Another way to confirm a notification is to sign in to your Amazon Prime account directly, not through the link in the message, and check whether your registered information actually needs updating. Amazon's customer service team is also available for related inquiries.

Figure 8: Fake Confirmation Page

What makes this campaign stand out is that, beyond the usual login credentials, it harvests the extra information an attacker needs to pass identity-verification steps. To an unsuspecting user the resemblance to the legitimate site can be uncanny. Regular Amazon Prime users may nonetheless grow suspicious, especially because the flow drops them straight onto a login page and then asks them to "make changes" to their payment details.

With phishing and scams tied to popular services on a steady rise, staying informed is the best defense against falling for such tactics. These services hold our personal and banking details and should be treated as part of our online identity, to be kept out of the hands of anyone looking to exploit them. Users who become familiar with a platform's routines tend to grow complacent about them, and that familiarity is exactly what these phishes exploit.

Harvested credentials may be sold on the dark web by the group or individual behind the scheme and used for unauthorized access, financial fraud, further phishing, and data theft. Sensitive information delivered to the victim's email address may also be exposed.

Carefully crafted phishing emails like this one can slip past automated security controls and land in an inbox looking benign. The Cofense Phishing Defense Center analyzes this type of phishing tactic in real time, giving organizations more confidence in their overall security posture, since one seemingly harmless email can have severe consequences if left unchecked.


Indicators of Compromise

The URLs below trace the path from the button in the email to the credential-harvesting page, with the IP address(es) associated with each host. Note that the Google redirector URL wraps a link through l[.]wl[.]co which in turn points to the qr-codes[.]io link.

URL: hXXps[:][//]docs[.]google[.]com[/]drawings[/]d[/]1rSqoqN1uTTbP4qnfKzx2ZbvS0ACejeywUyBBw2FMggU[/]preview
IP: 172.253.122.102

URL: hXXps://www[.]google[.]com/url?q=hXXps://l[.]wl[.]co/l?u%3DhXXps://qr-codes[.]io/unPek2&sa=D&source=editors&ust=1730236183327166&usg=AOvVaw2aIfuYyrhGCLMJoZ_CIJvl
IP: 172.253.115.106

URL: hXXps://qr-codes[.]io/unPek2
IP: 3.167.99.19, 3.167.99.113

URL: hXXps[://]recordzonerequiredaccountpaneluseraccpymntnew[.]srilankan[.]com[.]mv/signin?verify=cr51_23764
IP: 54.170.193.1
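The Google Docs redirect discussed at Figure 2 and the IOC list above together describe a multi-hop chain: a Google Docs drawing, a google.com/url redirector whose `q` parameter wraps an l[.]wl[.]co link whose `u` parameter in turn carries the qr-codes[.]io link, and finally the long-subdomain phishing host. The Python below is an added example written for this post (not Cofense tooling): it refangs the defanged IOC strings exactly as listed, unwraps the nested redirect parameters, and reports the registrable domain of the final hop against the impersonated brand. The hop ordering is inferred from the list and the walkthrough, and the registrable-domain logic is a deliberately crude stand-in for a public-suffix-list lookup.

```python
"""
Added IOC-handling example (not from the Cofense post). Refangs the defanged
URLs listed in the post, unwraps nested redirect parameters (?q= and ?u=),
and checks the final landing host against the impersonated brand's domain.
"""
import re
from urllib.parse import parse_qs, unquote, urlparse

# The four defanged URLs from the IOC list, verbatim.
DEFANGED_IOCS = [
    "hXXps[:][//]docs[.]google[.]com[/]drawings[/]d[/]1rSqoqN1uTTbP4qnfKzx2ZbvS0ACejeywUyBBw2FMggU[/]preview",
    "hXXps://www[.]google[.]com/url?q=hXXps://l[.]wl[.]co/l?u%3DhXXps://qr-codes[.]io/unPek2"
    "&sa=D&source=editors&ust=1730236183327166&usg=AOvVaw2aIfuYyrhGCLMJoZ_CIJvl",
    "hXXps://qr-codes[.]io/unPek2",
    "hXXps[://]recordzonerequiredaccountpaneluseraccpymntnew[.]srilankan[.]com[.]mv/signin?verify=cr51_23764",
]

# Keywords that lure hostnames commonly embed; illustrative, not exhaustive.
LURE_WORDS = ("account", "signin", "secure", "verify", "pymnt", "payment")


def refang(s):
    """Undo the defanging used in the IOC list: hXXp -> http, [.] -> ., [:], [//], [/], [://]."""
    s = re.sub(r"hXXp", "http", s, flags=re.IGNORECASE)
    for defanged, real in (("[://]", "://"), ("[:]", ":"), ("[//]", "//"), ("[/]", "/"), ("[.]", ".")):
        s = s.replace(defanged, real)
    return s


def unwrap(url):
    """Yield url, then every URL nested in its ?q= (Google redirector) or ?u= parameter, recursively."""
    yield url
    query = parse_qs(urlparse(url).query)
    for key in ("q", "u"):
        for inner in query.get(key, []):
            inner = unquote(inner)  # parse_qs already decodes %3D; this handles double-encoding
            if inner.startswith(("http://", "https://")):
                yield from unwrap(inner)


def registrable_domain(host):
    """Crude eTLD+1: keeps three labels for two-part ccTLDs such as .com.mv, else two."""
    labels = host.lower().split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in ("com", "co", "org", "net", "gov", "ac"):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def chain(defanged_iocs):
    """Refang each IOC, expand nested redirects, and return the de-duplicated hop list in order."""
    hops = []
    for ioc in defanged_iocs:
        for url in unwrap(refang(ioc)):
            if url not in hops:
                hops.append(url)
    return hops


def verdict(hops, brand_domains=("amazon.com",)):
    """Summarize the final hop: its registrable domain, brand mismatch, and lure words in the host."""
    final_host = urlparse(hops[-1]).hostname or ""
    reg = registrable_domain(final_host)
    return {
        "hops": len(hops),
        "final_host": final_host,
        "final_registrable": reg,
        "impersonation": reg not in brand_domains,
        "lure_words_in_host": [w for w in LURE_WORDS if w in final_host],
    }


if __name__ == "__main__":
    hops = chain(DEFANGED_IOCS)
    for i, h in enumerate(hops, 1):
        print(f"{i}. {urlparse(h).hostname}  ->  {h}")
    print(verdict(hops))
```

The expanded chain has five hops (the l[.]wl[.]co link only appears inside the Google redirector's `q` parameter, so the unwrapping step is what surfaces it), and the final host resolves to the registrable domain `srilankan.com.mv`, with "account" among the lure words packed into its subdomain. That mismatch between the brand in the page content and the registrable domain in the address bar is the check the body of the post keeps recommending.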

All third-party trademarks referenced by Cofense whether in logo form, name form, product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding the circumvention of end-point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results.

  

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog, are registered trademarks or trademarks of Cofense Inc.