AMAZON PRIME DAY IS JUST AROUND THE CORNER
Amazon Prime Day, a highly anticipated event for online shoppers, presents a prime opportunity for cybercriminals to exploit unsuspecting users. The year 2023 is no exception, as we witness a surge in phishing campaigns that aim to deceive users and steal their valuable credentials. These campaigns employ traditional phishing methods, such as:
This article sheds light on the growing cyber risks coinciding with online shopping deal days and emphasizes the need for vigilance and caution when navigating the online shopping landscape on Amazon Prime Day and beyond. Read on for a deep dive into the four main phishing campaigns Bolster researchers have been tracking.
PDF-BASED PHISHING CAMPAIGNS
One prevalent method employed by cybercriminals during Amazon Prime Day promotions involves the use of PDF files as attachments. These files bear innocent-sounding names like “Amazon Prime Learning English Recommendations” or “Axis Bank Credit Card Amazon Prime Offer,” designed to appear legitimate.
However, upon opening the PDF, unsuspecting users are directed to phishing websites meticulously crafted to mimic the official Amazon login page. The attackers employ AI-generated text, such as chatGPT-generated content, to make the phishing sites look convincing.
Naive users who click on the links within the PDF unknowingly provide their credentials to the attackers.
EMAIL-BASED SPEAR-PHISHING CAMPAIGNS
A particularly alarming campaign has recently emerged involving phishing links embedded directly within emails along with a docx file containing a trojan. This massive spear-phishing campaign is rapidly growing, with hundreds of users falling victim to it every day.
The emails are skillfully designed to resemble legitimate communications from Amazon, enticing users to take immediate action. For instance, subject lines like “Cancel Your Amazon Prime Membership Before the Annual Renewal” trigger a sense of urgency.
As in any spear-phishing attack, there is a two-pronged approach. Upon opening the attached docx file, users unwittingly unleash trojan malware disguised within the seemingly harmless document where it infiltrates the victim’s system and grants unauthorized access to attackers. From there, the attackers can compromise sensitive information, monitor activities, or even gain control over the infected device.
Additionally, clicking on the provided links takes users to fraudulent websites closely resembling the official Amazon page. If a user enters their credentials, they unknowingly hand them over to the attackers.
MALICIOUS APPLICATIONS IMPERSONATING AMAZON APPS
In addition to the PDF and email-based phishing campaigns, cybercriminals are capitalizing on the widespread use of mobile devices for online shopping. They create malicious applications that closely mimic legitimate Amazon apps, exploiting users’ trust in well-known brands.
These deceptive applications request excessive permissions, such as recording audio, sending SMS messages, accessing precise location, accessing the camera, and reading contact data. Once installed, these malicious apps gain unauthorized access to users’ devices, compromising their privacy and potentially leading to data theft.
BUILDING LOOKALIKE DOMAINS
Another concerning trend observed is the proliferation of lookalike domains. Attackers continue to create websites that closely resemble official Amazon domains, intending to deceive users into sharing their sensitive information.
These domains may be used in future phishing campaigns and pose a significant threat to unsuspecting Amazon buyers. In 2023, just a few days before Amazon Prime Day, the number of lookalike domains increased by 12.5% from the previous year, reaching a count of 1,800.
This is a list of 170 domains that will likely be used in future phishing attacks related to Amazon Prime Day. The domains resemble legitimate websites but are still under construction.
List of domains
|
integrate-amazon[.]top |
|
process-amazon[.]top |
|
amazonhot[.]life |
|
amazon666[.]top |
|
amazononz[.]com |
|
amazongift[.]click |
|
amazon-au[.]life |
|
amazon-aujava[.]top |
|
amazon-auser[.]top |
|
amazonqueenslot999[.]top |
|
amazone-jp[.]buzz |
|
presaleamazontoken[.]com |
|
amazonarticleback[.]com |
|
amazonbackorder[.]com |
|
amazonbacporder[.]com |
|
amazonbreford[.]xyz |
|
amazoncomunrefund[.]com |
|
amazoncouponbac[.]com |
|
amazoncouponmac[.]com |
|
amazondotask[.]com |
|
amazonghgtjdf[.]com |
|
amazonghgtydf[.]com |
|
amazonhelpserb[.]com |
|
amazonindbacktr[.]com |
|
amazonindbacmtr[.]com |
|
amazonitrefund[.]com |
|
amazonjianzhi[.]com |
|
amazonklbghbty[.]xyz |
|
amazonkorbrefund[.]com |
|
amazonkordkefund[.]com |
|
amazonkordrefund[.]com |
|
amazonlghybacktg[.]top |
|
amazonlhrefundg[.]com |
|
amazonlhrejundg[.]com |
|
amazonloptggy[.]com |
|
amazonloytggy[.]com |
|
amazonltybvh[.]com |
|
amazonltyekh[.]com |
|
amazonltyevh[.]com |
|
amazonmr[.]com |
|
amazonmts[.]top |
|
amazonoordkgy[.]com |
|
amazonoordkgy[.]com |
|
amazonorbmfhhj[.]com |
|
amazonordbedth[.]top |
|
amazonordbkckm[.]top |
|
amazonordejeth[.]com |
|
amazonordejmgh[.]com |
|
amazonordereth[.]com |
|
amazonordermgh[.]com |
|
amazonordermoney[.]com |
|
amazonorderrefform[.]com |
|
amazonorderrefund[.]com |
|
amazonorderrmfform[.]com |
|
amazonordrefdhm[.]com |
|
amazonordrefundty[.]com |
|
amazonordretunmey[.]com |
|
amazonordrkfundty[.]com |
|
amazonoryerrefgy[.]xyz |
|
amazonplkbfc[.]com |
|
amazonpmtuvjsc[.]com |
|
amazonrainforestfacts[.]com |
|
amazonrefborde[.]com |
|
amazonrefgfhn[.]com |
|
amazonrefordlh[.]com |
|
amazonrefporde[.]com |
|
amazonrefptyg[.]com |
|
amazon-refund[.]top |
|
amazonrefundmord[.]top |
|
amazonrefundmoyr[.]com |
|
amazonrefundogf[.]com |
|
amazonrefundorder[.]com |
|
amazonrefuntjbc[.]com |
|
amazonregkvm[.]com |
|
amazonretbbh[.]com |
|
amazonretgf[.]com |
|
amazonretpf[.]com |
|
amazonretprnordermey[.]top |
|
amazonretubacord[.]com |
|
amazonretubamord[.]com |
|
amazonretubh[.]com |
|
amazonreyubh[.]com |
|
amazonreyundogf[.]com |
|
amazonrn[.]com |
|
amazonscarcegood[.]com |
|
amazonstask[.]com |
|
amazonstockrefund[.]com |
|
amazontagbgy[.]com |
|
amazontaghgy[.]com |
|
amazontayhgy[.]com |
|
amazontotask[.]com |
|
amazonuitbackt[.]com |
|
amazonuitpackt[.]com |
|
amazonunusrefund[.]com |
|
amazonunusual[.]com |
|
amazonvamjgs[.]com |
|
amazonwaresreim[.]com |
|
amazonzm[.]com |
|
prime-amazon[.]live |
|
shopamazonoffers[.]com |
|
amazonbackgtgh[.]xyz |
|
amazonbackmoneyord[.]xyz |
|
amazondfghasdb[.]xyz |
|
amazonindentgref[.]xyz |
|
amazonitbackitg[.]xyz |
|
amazonmerch[.]xyz |
|
amazonmoneyfdv[.]xyz |
|
amazonsingular[.]xyz |
|
amazonabnormal[.]xyz |
|
amazonbackjtgh[.]xyz |
|
amazonbackkoneyord[.]xyz |
|
amazonbacvkgnmj[.]top |
|
amazoncommrefund[.]top |
|
amazoncomm-refund[.]top |
|
amazon-deals[.]top |
|
amazonindentmref[.]xyz |
|
amazonityackitg[.]xyz |
|
amazonjpsetup[.]xyz |
|
amazonkoyrtyg[.]top |
|
amazonlghyjacktg[.]top |
|
amazonordbackm[.]top |
|
amazonordekrehthg[.]xyz |
|
amazonorderback[.]top |
|
amazonordergods[.]top |
|
amazonordredth[.]top |
|
amazonpgkpg[.]top |
|
amazonrefund-order[.]top |
|
amazonjpuz[.]top |
|
amazonoptjkjdf[.]xyz |
|
amazonorderrefgy[.]xyz |
|
amazonpoimdfy[.]xyz |
|
amazonretumoney[.]xyz |
|
amazonrtumoney[.]xyz |
|
amazon333[.]xyz |
|
amazonbreform[.]xyz |
|
amazongoodrefund[.]xyz |
|
amazonitbbckitg[.]xyz |
|
amazonklbphbty[.]xyz |
|
amazonkowrtyg[.]top |
|
amazonoptpkjdf[.]xyz |
|
amazonordbacklty[.]top |
|
amazonordergmds[.]top |
|
amazonoutstock[.]top |
|
amazonrefordit[.]top |
|
amazonretudngvc[.]top |
|
amazonrthbrbn[.]top |
|
amazonarticlereim[.]top |
|
amazonbacbmoneyord[.]xyz |
|
amazonbackmoneyst[.]top |
|
amazonbackordmey[.]top |
|
amazonbakordref[.]xyz |
|
amazonordbacklt[.]xyz |
|
amazonordbjcklt[.]xyz |
|
amazonordbkcklty[.]top |
|
amazonorderrehthg[.]xyz |
|
amazonorderreturn[.]xyz |
|
amazonordrefmnc[.]top |
|
amazonordrefunc[.]top |
|
amazonoryredth[.]top |
|
amazonpgkyg[.]top |
|
amazonrefujd-order[.]top |
|
amazonreturnordermey[.]top |
|
amazon-secure[.]top |
|
amazonshopping[.]top |
|
amazonsu[.]top |
|
amazonzm[.]xyz |
|
amazonnoreply[.]top |
|
amazonnoreply[.]xyz |
|
helpamazonapp[.]info |
|
amazonddksisd[.]com |
BUYERS BEWARE – TIME FOR VIGILANCE
The rise in phishing campaigns targeting busy shopping events, like Amazing Prime Day, demands increased awareness and proactive measures. Stay vigilant against PDF-based attacks, be cautious of suspicious emails, and verify the legitimacy of websites before sharing sensitive information. Furthermore, download apps only from official sources and review app permissions to ensure your privacy and security. Remember, cyber attackers are actively exploiting this time of increased online activity, but with awareness and caution, you can protect yourself and have an enjoyable shopping experience during Amazon Prime Day.
