Blox Tales #9: Amazon Vishing (Voice Phishing) Attack

Arjun Sambamoorthy
Threat Research /
Blox Tales #9: Amazon Vishing (Voice Phishing) Attack

Each Blox Tale will take a look at a targeted email attack, outline why it made its way into an inbox, and highlight how Armorblox was able to detect the attack. In this blog, we’ll focus on a vishing (voice phishing) attempt where attackers sent an email resembling an Amazon delivery order. The email included a phone number for the ‘Fraud Protection Team’ to call in case the order was fraudulent. Making the call was met with a real person on the other end who went through a vishing flow aimed at extracting as much information from the victim as possible.

The Attack

A few days ago, we saw a vishing attempt to land in multiple customer inboxes. This email came from a Gmail account but impersonated Amazon, informing readers that their Amazon order had shipped. The email included a number for the ‘Fraud Protection Team’ that readers could call if they had any questions about the order. Making the call was met with a real person on the other end of the line who impersonated the Amazon fraud protection team and went through a vishing flow aimed at extracting personal information from victims.

A screenshot of the email is given below:


Fig: Vishing email where attackers impersonate Amazon and share a phone number for the fraud protection team.

Why The Attack Got Through

This email got past existing email security controls because it didn’t follow the tenets of more traditional phishing attacks.

1. Got past email authentication checks

Although the sender name - No Reply Amazon Com - was impersonated, the email was sent from a personal Gmail account. This resulted in the email successfully passing all authentication checks such as SPF, DKIM, and DMARC.


Fig: Email header showing the (legitimate) domain of the sender and the email title

Although the email looked a lot like a legitimate Amazon email, none of the links within the email pointed to a credential phishing page (or anything else seemingly suspicious). The screenshot below shows one of the call to action buttons redirecting to an image of the button itself. Since there were no links (zero-day or otherwise) in the email, it successfully got past any filters and analysis engines that could block bad links.


Fig: All links in the email pointed to images or dead ends

3. Full vishing flow

Adversaries set up a phone line to follow through on this attack. The Armorblox research team called the number listed for the ‘Fraud Protection Team’ from a disposable Google Voice number. A real person answered the call and pretended to be from the Amazon fraud protection team. They asked for the order number, name, and credit card details before cutting our call and blocking our number. The full vishing flow might well have involved the extraction of other sensitive personal information as well.


Fig: Email footer showing a phone number for the ‘Fraud Protection Team’

4. Socially engineered

Unlike spray-and-pray email fraud attempts, this email was expressly created and sent to trigger the required response. The email sender name was ‘No Reply Amazon Com’’, which is a lazy impersonation of an Amazon automated email but still ‘genuine’ enough to pass our subconscious eye tests. The email look and language did an effective job impersonating Amazon. The fake order in question was over $6,000, furthering the sense of urgency to follow through on the email. The call to action - phoning the fraud protection team - is clearly communicated. Since none of the other links work, this call to action is the only one victims can take after reading the email.

How Armorblox Detected The Attack

Armorblox was able to detect the email attack based on the following insights:

1. Language, intent, and tone

Armorblox language models have been trained on tons of data and further customized to suit every customer environment. These models analyzed the email body and detected that it was not a marketing email even though it was formatted like one and claimed to come from Amazon.

2. Low communication history

Armorblox detected that the sender email in question had a low communication history with the victim’s email account. While not a violation in itself, this insight is critical when compared with other unusual signals and can catch highly targeted attacks.

3. Brand impersonation

Armorblox brand impersonation detectors flagged that the sender name and email seemed to link to Amazon, but the parent domain name of the sender was Gmail.

Based on the insights above, along with many other detection signals, Armorblox flagged the email as a social engineering threat. Based on predetermined remediation actions for the ‘social engineering’ detection category, this email could have been automatically deleted or placed in a quarantine folder.

Stay tuned for more Blox Tales! If you’re interested to see Armorblox in action, schedule a demo with one of our email security experts below.

Schedule Demo

Read This Next