Blox Tales #8: Amazon Credential Phishing

Arjun Sambamoorthy
Threat Research /
Blox Tales #8: Amazon Credential Phishing

Each Blox Tale will take a look at a targeted email attack, outline why it made its way into an inbox, and highlight how Armorblox was able to detect the attack. In this blog, we’ll focus on a credential phishing attempt where attackers sent an email resembling an Amazon delivery order failure. The email came from a legitimate third-party vendor account and included a link to update Amazon billing information. Clicking on the link led victims to a fully fledged Amazon lookalike site with a phishing flow that aimed to steal login credentials, billing address information, and credit card details.

A summary of the attack flow is given below:


The Attack

A few days ago, we saw a credential phishing attempt to land in multiple customer inboxes. This email came from a legitimate third-party vendor but impersonated Amazon, informing readers that their Amazon order had failed to ship. The email informed readers that their order will be cancelled if they don’t update their payment details within 3 days, furthering the sense of urgency. When victims clicked the ‘Update my billing’ link, they were led to a fully fledged Amazon lookalike website with a phishing flow that asked them to part with their Amazon login credentials, billing address, and credit card details. Once the phishing flow was complete, victims were redirected to the real Amazon home page, none the wiser about being compromised.

A screenshot of the email is given below:


Fig: Email where attackers impersonate Amazon and share a link to update billing information. Some Armorblox detection highlights are included in the screenshot.

Why The Attack Got Through

This email got past existing email security controls because it didn’t follow the tenets of more traditional phishing attacks.

1. Got past email authentication checks

Both the sender name and domain seem to point that the email came from a legitimate third-party vendor’s account, allowing it to successfully pass any authentication checks. The domain for the email - blommaflicka[.]com’ - is a floral design company based out of Vermont. It’s possible that attackers got hold of an employee’s credentials at Blomma Flicka Flowers and subsequently used the legitimate email account to launch follow-on attacks.


Fig: Email header showing the (legitimate) domain of the sender and the email title

2. Zero-day phishing site

When victims clicked on the ‘Update by billing’ link in the email, they were redirected to a page resembling the Amazon login portal. The parent domain for this page - sttppcappr[.]com - was created on 7 July 2020. This zero-day link allowed the attack to pass through any security filters designed to block known bad domains. More details about this domain are given below. The lookalike website seems to have been created using Squarespace, a popular website building software.


Fig: WhoIs record for the parent phishing domain

3. Lookalike website with full login flow

At first glance, there’s very little to separate the phishing site from the legitimate Amazon website. The first page victims see after clicking the link in the email is a login portal. Upon closer inspection, you will notice the ‘Dangerous’ warning on the browser tab next to the domain; you will also notice the domain itself - sttppcappr[.]com - is clearly not an amazon domain. But attackers bank on victims being in a rush and not engaging with the email or the phishing flow with the rational, slower-thinking part of their brains.


Fig: Start of the phishing flow asking for Amazon account credentials

Once victims fill in their login details, they are redirected to what looks like the Amazon home page. This is a lookalike website under the same zero-day domain. The phishing flow continues with a pop-up window asking victims to update all their account details before they can access their account. These next few screens look a lot like something you’d see on legitimate ecommerce websites, and this superficial legitimacy enables attackers to harvest their targets’ billing addresses and credit card information in addition to their Amazon account details.


Fig: Phishing flow asking targets to fill in their billing address


Fig: Phishing flow asking targets to fill in their credit card information

Once the victims have filled in all their information, the phishing flow ends with a message of ‘success’ and an automatic redirection to the real Amazon homepage. This redirection may make people shrug their shoulders and log in to Amazon again (but for real this time), unaware that they’ve just been phished.


Fig: End of the phishing flow (this page redirects to the real Amazon home page)

4. Socially engineered

Unlike spray-and-pray email fraud attempts, this email was expressly created and sent to trigger the required response. The email sender name was ‘Support Reply’, which isn’t an exact replication of an Amazon automated email but still ‘robotic’ enough to pass our subconscious eye tests. The email language and topic was intended to induce urgency owing to its financial nature (an Amazon order not shipping). The call to action - Update my billing - is simple and effective. The email informs readers that their order will be cancelled if they don’t update their payment details within 3 days, furthering the sense of urgency.

How Armorblox Detected The Attack

Armorblox was able to detect the email attack based on the following insights:

1. Language, intent, and tone

Armorblox language models have been trained on tons of data and further customized to suit every customer environment. These models analyzed the email body and detected that there was an unusual request made in the email (which is a common trait in business email compromise attacks). Armorblox language models also detected a sense of urgency and a bevy of financial terms used in the email.

2. Low communication history

Armorblox detected that the sender email in question had a low communication history with the victim’s email account. While not a violation in itself, this insight is critical when compared with other unusual signals and can catch highly targeted attacks.

3. Low domain frequency

Armorblox ML models have three tiers - a global model, an organization-specific model, and a mailbox-specific model. While the mailbox-specific model was able to detect low communication history between the sender and the receiver, the organization-specific model also detected that the attacker’s domain had not communicated with the target company as a whole.

Based on the insights above, along with many other detection signals, Armorblox flagged the email as a credential phishing threat. The email was automatically deleted based on predetermined remediation actions for the credential phishing detection category.

Stay tuned for more Blox Tales! If you’re interested to see Armorblox in action, schedule a demo with one of our email security experts below.

Schedule Demo

Read This Next