As we approach Amazon Prime Day on July 16-17, 2024, online shoppers eagerly anticipate incredible deals and exclusive offers. In 2023, Prime members purchased more than 375 million items worldwide and saved over US$2.5 billion on millions of deals, making it the biggest Prime Day event ever (US About Amazon).
However, amidst the excitement, there is an underlying risk that cannot be ignored. Cybercriminals leverage this occasion to carry out phishing attacks, preying on unsuspecting shoppers. These attackers employ deceptive tactics, such as sending fake emails or creating fraudulent websites, aiming to steal personal information or financial credentials. While Prime Day offers incredible savings, it is crucial for shoppers to remain vigilant, exercise caution while clicking on links or providing sensitive information, and ensure they are navigating legitimate platforms.
How Phishing Works
Phishing attacks often begin with a message sent via email, social media, or other electronic communication means. Cybercriminals use public resources like social networks to gather background information about their victims, which helps them craft convincing fake messages. These messages typically contain malicious attachments or links to fake websites that appear to be owned by trusted entities like Amazon. The goal is to collect private information such as usernames, passwords, or payment details.
Alarming findings on domain registration and phishing attacks
Ahead of Amazon Prime Day in July 2024, we observed a significant increase in cyberattacks related to Amazon Brand.
During June 2024, more than 1,230 new domains associated with Amazon emerged, with 85% flagged as malicious or suspected to be malicious. Examples of these newly malicious created malicious sites include:
- amazon-onboarding[.]com is a newly registered fraudulent site designed as a phishing page pretending to be Amazon, specifically targeting carrier-related credentials.
- amazonmxc[.]shop is a counterfeit Amazon Mexico website, designed as a replica of amazon.com.mx. It features a profile login button in the top right corner that, when clicked, collects users’ login credentials.
- amazonindo[.]com is a fraudulent Amazon website. It features a profile login/registration button in the top right corner that, upon clicking, collects users’ login credentials.
And more:
- shopamazon2[.]com
- microsoft-amazon[.]shop
- amazonapp[.]nl
- shopamazon3[.]com
- amazon-billing[.]top
- amazonshop1[.]com
- fedexamazonus[.]top
- amazonupdator[.]com
- amazon-in[.]net
- espaces-amazon-fr[.]com
- usiamazon[.]com
- amazonhafs[.]buzz
- usps-amazon-us[.]top
- amazon-entrega[.]info
- amazon-vip[.]xyz
- paqueta-amazon[.]com
- connect-amazon[.]com
- user-amazon-id[.]com
- amazon762[.]cc
- amazoneuroslr[.]com
- amazonw-dwfawpapf[.]top
- amazonprimevidéo[.]com
File phishing attempt example
In June 2024, we discovered a widespread phishing campaign mimicking the Amazon brand, particularly targeting the US. The campaign distributed files with the following MD5 hash: 39af8a116a252a8aaf2328e661b2d5a2. One example file is named Mail-AmazonReports-73074[264].pdf.
The file’s content lures victims by urgently informing them that their Amazon account has been suspended due to mismatched billing information with their card issuer. It instructs them to update their payment details through a phishing link: trk[.]klclick3[.]com, that directs them to a fraudulent website. The message threatens closure of the account if immediate action is not taken, creating a sense of urgency to prompt the user to respond quickly, fearing data exposure or account termination as consequences of non-compliance.
Site phishing attempt example
In June 2024, a Portuguese phishing attempt mimicking Amazon was detected. The fraudulent email claimed a payment failure for an Amazon Prime Video order (#D04-0005691-32024) and included a deceptive link: http://20[.]212[.]168[.]117/br-pt/primevideo/.
The phishing site masquerades as an Amazon login page, prompting users to enter their login credentials under the guise of being genuine Amazon. However, this site is not affiliated with Amazon and aims to deceive users into disclosing their account details.
How to Stay Safe Shopping Online on Amazon Prime Day
To help online shoppers stay safe this year, Check Point researchers have outlined practical security and safety tips:
- Check URLs Carefully: Be wary of misspellings or sites using a different top-level domain (e.g., .co instead of .com). These copycat sites may look attractive but are designed to steal your data.
- Create Strong Passwords: Ensure your Amazon.com password is strong and uncrackable before Prime Day to protect your account.
- Look for HTTPS: Verify that the website URL starts with “https://” and has a padlock icon, indicating a secure connection.
- Limit Personal Information: Avoid sharing unnecessary personal details like your birthday or social security number with online retailers.
- Be Cautious with Emails: Phishing attacks often use urgent language to trick you into clicking links or downloading attachments. Always verify the source.
- Skeptical of Unrealistic Deals: If a deal seems too good to be true, it likely is. Trust your instincts and avoid suspicious offers.
- Use Credit Cards: Prefer credit cards over debit cards for online shopping as they offer better protection and less liability if stolen.