Amazon in the era of COVID-19 has become a staple of many people’s lives, as they order everything from sourdough starter to exercise equipment. Cybercrooks have latched onto the delivery behemoth as a lure for phishing emails, knowing that plenty of legitimate delivery messages are also making it into people’s inboxes and offering cover.
Researchers at Armorblox recently spotted a pair of savvy campaigns leveraging Amazon: A credential-phishing attempt using a purported Amazon delivery order failure notice; and a voice phishing (vishing) attempt also using Amazon delivery order. Both are examples of the ever-more sophisticated phishing efforts being developed by fraudsters that are aimed at gaming traditional email security efforts, researchers said.
In the first campaign, the email came from a third-party vendor email account that had been compromised or otherwise domain-spoofed, according to Armorblox – specifically, Blomma Flicka Flowers, which is a floral design company based out of Vermont (now alerted to the issue). Thus, if a recipient checked the sender domain, they would find it to be legitimate.
“The sender name and domain seem to point that the email came from a legitimate third-party vendor’s account, allowing it to successfully pass [standard] authentication checks,” said Arjun Sambamoorthy, co-founder and head of engineering at Armorblox, writing in a Thursday post.
The email informed readers that their order would be cancelled if they didn’t update their payment details within three days, contributing a sense of urgency (one of the oldest tactics used in phishing). It also included a link to “update Amazon billing information.”
Clicking on the link led victims to a full-fledged Amazon lookalike site with a phishing flow that aimed to steal login credentials, billing address information and credit-card details, according to Armorblox. Once the phish was complete, victims were redirected to the real Amazon home page, none the wiser about being compromised.
The phishing site fell into the category of what researchers call “zero-day” sites – i.e., newly created domains that haven’t been around long enough to be flagged as suspicious. In this case, the parent domain for the Amazon lookalike page – sttppcappr[.]com – had been created and pressed into service almost immediately using website-in-a-box software, according to the researchers.
“There is very little to separate the phishing site from the legitimate Amazon website,” explained Sambamoorthy. “The first page victims see after clicking the link in the email is a login portal. Upon closer inspection, you will notice the ‘Dangerous’ warning on the browser tab next to the domain; you will also notice the domain itself – sttppcappr[.]com – is clearly not an Amazon domain. But attackers bank on victims being in a rush and not engaging with the email or the phishing flow with the rational, slower-thinking part of their brains.”
On the social-engineering front, he added, “The email sender name was ‘Support Reply’, which isn’t an exact replication of an Amazon automated email but still ‘robotic’ enough to pass our subconscious eye tests.”
In the second campaign, attackers sent emails purporting to communicate about an Amazon delivery order. The email included a phone number for the ‘Fraud Protection Team’ to call in case the order was fraudulent.
The “vish” part comes in because the call to action is for recipients to make a call – which connected to a real person on the other end whose goal was to extract as much information from the victim as possible.
“Adversaries set up a phone line to follow through on this attack,” Sambamoorthy said in another posting on Thursday. “The Armorblox research team called the number listed for the ‘Fraud Protection Team’ from a disposable Google Voice number. A real person answered the call and pretended to be from the Amazon fraud protection team. They asked for the order number, name and credit-card details before cutting our call and blocking our number. The full vishing flow might well have involved the extraction of other sensitive personal information as well.”
According to Armorblox, the initial emails came from a Gmail account that impersonated Amazon, informing readers that their Amazon order had shipped.
“Although the sender name – ‘No Reply Amazon Com’ – was impersonated, the email was sent from a personal Gmail account,” Sambamoorthy explained. “This resulted in the email successfully passing all authentication checks such as SPF, DKIM and DMARC [since no addresses were spoofed].”
Because this was a vishing effort, the emails didn’t contain any malicious or suspicious links – thus, the researcher noted, the mails successfully passed through any filters and analysis engines that could block bad links. To boot, the email look and language did an effective job impersonating Amazon, according to the research.
“The fake order in question was over $6,000, furthering the sense of urgency to follow through on the email. The call to action – phoning the Fraud Protection Team – is clearly communicated. Since none of the other links work, this call to action is the only one victims can take after reading the email,” Sambamoorthy said.