Hello, Is It Me You’re Phishing For: Amazon Vishing Attacks

Anand Raghavan

This blog highlights two Amazon vishing (voice phishing) attacks that attempted to steal credit card details by sending fake order receipts and including phone numbers to call for processing returns.


Over the past year, the general public has gotten so used to shopping online that Amazon orders are now either made from muscle memory or in consumerist fugue states. I’ve personally had packages show up at my doorstep that I barely remembered ordering (A 6-foot cat plushy? I guess I can fit it somewhere in my living room), and had other occasions where I clicked the ‘Order’ button before immediately regretting it (A 12-foot cat plushy? Might be too much). And it’s this omnipresence of online shopping receipts in our lives and inboxes that cybercriminals continue to exploit.

In today’s Blox Tale, we will look at two Amazon vishing attacks that attempted to steal victims’ credit card details by sending fake order receipts and including phone numbers to call for processing order returns.

Before we go through the attacks in greater detail, a brief description of vishing for the uninitiated: vishing (or voice phishing) is a type of scam where malicious actors steal personal information from victims over the phone or by leaving fraudulent voice messages. Armorblox has reported on an Amazon vishing attack from last year that you can read here.

Now let’s focus on the attacks at hand:

Amazon Vishing Attack 1

Org mailboxes: ~9,000

Email security bypassed: Exchange Online Protection (EOP), Microsoft Defender for Office 365 (MSDO)

Techniques used: Social engineering, brand impersonation, replicating existing workflows, vishing (no URLs in email), using a Gmail address

This email attack bypassed native Microsoft email security controls. Microsoft assigned a Spam Confidence Level (SCL) of ‘1’ to the email, which meant the email was determined to not be spam by Office 365 and delivered to recipients’ inboxes.

The Email

The email was sent from a Gmail account and was titled ‘Invoice:ID’ followed by a long and genuine looking invoice number. The email contained HTML stylings similar to genuine emails sent from Amazon, and included information on an LG OLED TV and XBOX game console purportedly purchased by the victim.

A snapshot of the email is given below:

Fig: Email impersonating Amazon and including a phone number to call

Near the bottom of the email, notice the ‘AMAZ0N TEAM’ with a zero instead of the letter O. This is a simple but effective technique used by attackers to slip past any deterministic filters or blocklists that check for brand names being impersonated.

Vishing Flow

Although the email seems like it has a link, the CTA button is actually just a PNG file without a URL. The real payload in this email is the ‘Contact Us’ phone number included in the body. The Armorblox research team called this number from a disposable Google Voice number. A real person answered the call and pretended to be from the Amazon team. They asked for the order number, name, and credit card details before cutting our call and blocking our number. The full vishing flow might well have involved the extraction of other sensitive personal information as well.

Amazon Vishing Attack 2

Org mailboxes: ~4,000

Email security bypassed: Exchange Online Protection (EOP), Microsoft Defender for Office 365 (MSDO)

Techniques used: Social engineering, brand impersonation, replicating existing workflows, vishing (no URLs in email)

This email attack bypassed native Microsoft email security controls. Microsoft assigned a Spam Confidence Level (SCL) of ‘1’ to the email, which meant the email was determined to not be spam by Office 365 and delivered to recipients’ inboxes.

The Email

The email was sent from a spoofed email ID ‘no-reply@amzeinfo[.]com’ with enough surface-level similarity to an Amazon email address to pass the eye tests of unsuspecting and busy victims. The email was titled ‘A shipment with goods is being delivered’ along with a random order number to increase the legitimacy of the communication.

A snapshot of the email is given below:

Fig: Vishing email impersonating an Amazon order confirmation

Just like with the other vishing email, this email also did not contain any links or other conventional payloads. The only payload was a phone number included in the mail body, inviting victims to call the number if they wanted to place a return request.

Unlike the previous vishing attack, calling the number listed on this email was met with an endless ringtone at first. A few hours later, the number seemed to have been taken down. It’s important to note that the technique here matters as much as (if not more than) the outcome. If the number here was taken down, it’s very easy for the attackers to stand up another number and repeat the attack flow, because they know the email is getting past Office 365 email security.

Summary of techniques used

These email attacks employed a gamut of techniques to get past traditional email security filters and pass the eye tests of unsuspecting end users.

  • Social engineering: The email titles, sender names, and content aimed to induce a sense of trust and urgency in the victims - a sense of trust because the emails claimed to come from Amazon, and a sense of urgency because they contained information on expensive online orders that the victims hadn’t made, and thus would be eager to reverse. The second vishing email included the victims’ email addresses in the mail body as well, further adding to the legitimacy of the conversation.
  • Brand impersonation: Both vishing emails are replete with Amazon branding and follow a structure similar to real order confirmation emails from Amazon. The sender domain in the second vishing email bore surface-level similarities with real Amazon mail addresses.
  • No URLs or conventional payloads: Both emails didn’t include any links or other conventional calls to action, which enabled them to bypass any detection controls that block known bad links. Including phone numbers as the payload makes the victim an active participant and continues the attack flow beyond the visibility of any email security solution.
  • Replicating existing workflows: The context for both email attacks replicates workflows that already exist in our daily lives (ordering things online). When we see emails we’ve already seen before, our brains tend to employ System 1 thinking and take quick action.
  • Using Gmail address: The first vishing email was sent from a Gmail address, allowing it to successfully pass email authentication checks. Attackers regularly bypass email authentication controls by sending malicious emails from Gmail, Yahoo, and Hotmail accounts.
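
The traits summarized above can be checked together on a delivered message. The following is an added example, not Armorblox's detection logic or code from the original post; the brand list, free-mail list, character map, signal names and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Illustrative lists (assumptions for this sketch, not a vendor rule set).
BRANDS = {"amazon": {"amazon.com"}}
FREEMAIL = {"gmail.com", "yahoo.com", "hotmail.com"}
FOLD = str.maketrans("01345$", "oleass")  # 0->o, 1->l, 3->e, 4->a, 5->s, $->s
URL_RE = re.compile(r"https?://|www\.", re.I)
PHONE_RE = re.compile(r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")

def vishing_signals(raw):
    """Return the callback-phishing traits found in one plain-text message."""
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    body = " ".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    words = f'{msg.get("From", "")} {msg.get("Subject", "")} {body}'.lower().split()
    signals = []
    for brand, domains in BRANDS.items():
        folded_hits = [w for w in words if brand in w.translate(FOLD)]
        if not folded_hits:
            continue
        # Brand only readable after undoing digit-for-letter swaps (AMAZ0N).
        if any(brand not in w for w in folded_hits):
            signals.append("brand_lookalike_spelling")
        if not any(domain == d or domain.endswith("." + d) for d in domains):
            signals.append("brand_from_unrelated_domain")
    if domain in FREEMAIL:
        signals.append("freemail_sender")
    # A phone number with no link at all: the call is the payload.
    if PHONE_RE.search(body) and not URL_RE.search(body):
        signals.append("phone_only_call_to_action")
    return signals

# Constructed samples: addresses, numbers and wording are made up.
LURE = """\
From: Billing Desk <billing.desk.example@gmail.com>
Subject: Invoice:ID 000000000000

Your order for an OLED TV has shipped. To cancel or return,
contact us at 1-202-555-0143.

AMAZ0N TEAM
"""
GENUINE_STYLE = """\
From: Orders <orders@amazon.com>
Subject: Your Amazon order

View your order at https://www.amazon.com/your-orders
"""

if __name__ == "__main__":
    print(vishing_signals(LURE))
    print(vishing_signals(GENUINE_STYLE))
```

No single signal is conclusive on its own; the combination of a folded brand name, an unrelated or free-mail sender and a phone-only call to action is what separates the lure from ordinary order mail.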

Guidance and Recommendations

1. Augment native email security with additional controls

Both emails highlighted in this blog got past Microsoft’s Exchange Online Protection (EOP), with an assigned Spam Confidence Level (SCL) of 1, which means that Microsoft determined the emails weren’t spam and delivered them to mailboxes. For better protection coverage against email attacks (whether they’re phishing, business email compromise, or vishing attacks like this one), organizations should augment built-in email security with layers that take a materially different approach to threat detection. Gartner’s Market Guide for Email Security covers new approaches that vendors brought to market in 2020, and should be a good starting point for your evaluation.

2. Watch out for social engineering cues

Since we get so many emails from service providers, our brains have been trained to quickly execute on their requested actions. It’s much easier said than done, but engage with these emails in a rational and methodical manner whenever possible. Subject the email to an eye test that includes inspecting the sender name, sender email address, language within the email, and any logical inconsistencies within the email (e.g. Why is Amazon sending an email to my work account? Why are none of the CTA buttons in the email working?).

3. Be wary of sharing any sensitive information over the phone

Be very suspicious of any caller who asks for your PII or other sensitive information over the phone. If you suspect the call you’re on is a potential vishing conversation, immediately hang up and don’t feel obliged to carry on speaking or replying to questions out of politeness. If the caller provides a call-back number, avoid calling that number and instead search for a publicly available number of the company (in this case, Amazon) and call that number.

4. Follow MFA and password management best practices

Although we didn’t observe the entire vishing flow for these attacks, vishing call scripts often include attempts to extract victims’ account credentials in addition to their credit card details.

If you haven’t already, implement these hygiene best practices to minimize the impact of your credentials being leaked:

  • Deploy multi-factor authentication (MFA) on all possible business and personal accounts.
  • Don’t use the same password on multiple sites/accounts.
  • Use password management software to store your account passwords.
  • Avoid using passwords that tie into your publicly available information (date of birth, anniversary date etc.).
  • Don’t repeat passwords across accounts or use generic passwords such as your birth date, ‘password123’, ‘YourName123’ etc.
