Blox Tales #9: Amazon Vishing (Voice Phishing) Attack


Each Blox Tale will take a look at a targeted email attack, outline why it made its way into an inbox, and highlight how Armorblox was able to detect the attack. In this blog, we’ll focus on a vishing (voice phishing) attempt where attackers sent an email resembling an Amazon delivery order. The email included a phone number for the ‘Fraud Protection Team’ to call in case the order was fraudulent. Anyone who called reached a real person on the other end who went through a vishing flow aimed at extracting as much information from the victim as possible.
The Attack
A few days ago, we saw a vishing attempt land in multiple customer inboxes. This email came from a Gmail account but impersonated Amazon, informing readers that their Amazon order had shipped. The email included a number for the ‘Fraud Protection Team’ that readers could call if they had any questions about the order. Anyone who called reached a real person on the other end of the line who impersonated the Amazon fraud protection team and went through a vishing flow aimed at extracting personal information from victims.
A screenshot of the email is given below:
Why The Attack Got Through
This email got past existing email security controls because it didn’t follow the tenets of more traditional phishing attacks.
1. Got past email authentication checks
Although the sender display name, No Reply Amazon Com, impersonated Amazon, the email was sent from a personal Gmail account. SPF, DKIM, and DMARC authenticate the sending domain (here, gmail.com), not the display name, so the email passed all three authentication checks.
2. No phishing links
Although the email looked a lot like a legitimate Amazon email, none of the links within the email pointed to a credential phishing page (or anything else seemingly suspicious). The screenshot below shows one of the call-to-action buttons redirecting to an image of the button itself. Since there were no malicious links (zero-day or otherwise) in the email, it successfully got past any filters and analysis engines that could block bad links.
3. Full vishing flow
Adversaries set up a phone line to follow through on this attack. The Armorblox research team called the number listed for the ‘Fraud Protection Team’ from a disposable Google Voice number. A real person answered the call and pretended to be from the Amazon fraud protection team. They asked for the order number, name, and credit card details before hanging up on our call and blocking our number. The full vishing flow might well have involved the extraction of other sensitive personal information as well.
4. Socially engineered
Unlike spray-and-pray email fraud attempts, this email was expressly created and sent to trigger the required response. The email sender name was ‘No Reply Amazon Com’, which is a lazy impersonation of an Amazon automated email but still ‘genuine’ enough to pass our subconscious eye tests. The email’s look and language did an effective job of impersonating Amazon. The fake order in question was over $6,000, furthering the sense of urgency to follow through on the email. The call to action, phoning the fraud protection team, is clearly communicated. Since none of the other links work, this call to action is the only one victims can take after reading the email.
How Armorblox Detected The Attack
Armorblox was able to detect the email attack based on the following insights:
1. Language, intent, and tone
Armorblox language models have been trained on tons of data and further customized to suit every customer environment. These models analyzed the email body and detected that it was not a marketing email even though it was formatted like one and claimed to come from Amazon.
2. Low communication history
Armorblox detected that the sender email in question had a low communication history with the victim’s email account. While not a violation in itself, this insight is critical when compared with other unusual signals and can catch highly targeted attacks.
3. Brand impersonation
Armorblox brand impersonation detectors flagged that the sender name and email seemed to link to Amazon, but the parent domain name of the sender was Gmail.
Based on these insights, along with many other detection signals, Armorblox flagged the email as a social engineering threat. Depending on the predetermined remediation actions for the ‘social engineering’ detection category, this email could have been automatically deleted or placed in a quarantine folder.
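The following Python script is an added example, not Armorblox code, that shows in concrete terms both why this email slips past authentication and link filters and how the signals above (brand impersonation, low communication history, and a phone-number call to action with no real links) can still flag it. The brand-to-domain allow list, the history threshold, the sender addresses, the phone number and the two sample messages are all constructed for illustration; note that SPF, DKIM and DMARC all report pass because they vouch for gmail.com, not for the display name.

```python
"""Added example: heuristic detection of display-name brand impersonation.

Not Armorblox code. The brand/domain list, threshold, sender addresses,
phone number and sample messages below are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed allow list: domains that legitimately send mail for a brand.
KNOWN_BRAND_DOMAINS = {"amazon": {"amazon.com", "amazon.co.uk"}}
IMAGE_EXT = (".png", ".jpg", ".jpeg", ".gif")
PHONE_RE = re.compile(r"\(?\b\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b")
HREF_RE = re.compile(r'href="([^"]+)"', re.IGNORECASE)
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from the Authentication-Results header."""
    header = msg.get("Authentication-Results", "")
    return {m.group(1).lower(): m.group(2).lower() for m in AUTH_RE.finditer(header)}


def brand_in_display_name(display_name):
    """Return the brand a display name mentions ("No Reply Amazon Com" -> "amazon"), or None."""
    tokens = set(re.findall(r"[a-z]+", display_name.lower()))
    return next((b for b in KNOWN_BRAND_DOMAINS if b in tokens), None)


def analyze(raw_email, history, history_threshold=3):
    """Score one message. `history` maps sender address -> prior message count to this mailbox."""
    msg = message_from_string(raw_email)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    body = msg.get_payload() or ""  # single-part message, so the payload is the body text

    brand = brand_in_display_name(name)
    auth = auth_results(msg)
    hrefs = HREF_RE.findall(body)

    signals = {
        # Display name claims a brand, but the sending domain is not one the brand uses.
        "brand_impersonation": bool(brand) and domain not in KNOWN_BRAND_DOMAINS.get(brand, set()),
        # All three checks pass: they authenticate `domain`, and say nothing about the display name.
        "auth_passed": all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc")),
        # Sender has rarely or never written to this mailbox before.
        "low_history": history.get(addr, 0) < history_threshold,
        # A phone number is present and every link points at an image, so the call is the only action.
        "phone_cta": bool(PHONE_RE.search(body)) and all(u.lower().endswith(IMAGE_EXT) for u in hrefs),
    }
    suspicious = signals["brand_impersonation"] and (signals["low_history"] or signals["phone_cta"])
    signals["verdict"] = "social_engineering" if suspicious else "clean"
    signals["sender_domain"] = domain
    return signals


# Constructed sample modelled on the attack described above (addresses and number are fictitious).
SAMPLE_VISHING = """From: "No Reply Amazon Com" <orders.noreply.example@gmail.com>
To: victim@example.com
Subject: Your Amazon.com order has shipped
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass header.d=gmail.com; dmarc=pass header.from=gmail.com
Content-Type: text/html

<html><body>
<p>Your order #112-0000000-0000000 totalling $6,412.00 has shipped.</p>
<p>If you did not place this order, call our Fraud Protection Team at (555) 010-0199.</p>
<p><a href="https://cdn.example/button-track.png">Track package</a></p>
</body></html>
"""

# Constructed benign counterpart: brand display name on the brand's own domain, real links.
SAMPLE_LEGIT = """From: "Amazon.com" <ship-confirm@amazon.com>
To: victim@example.com
Subject: Your Amazon.com order has shipped
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=amazon.com; dkim=pass header.d=amazon.com; dmarc=pass header.from=amazon.com
Content-Type: text/html

<html><body>
<p>Your order has shipped.</p>
<p><a href="https://www.amazon.com/orders">Track package</a></p>
</body></html>
"""

if __name__ == "__main__":
    print(analyze(SAMPLE_VISHING, {"orders.noreply.example@gmail.com": 0}))
    print(analyze(SAMPLE_LEGIT, {"ship-confirm@amazon.com": 12}))
```

Run on the vishing sample, every signal is true and the verdict is social_engineering even though auth_passed is also true; the benign sample comes back clean because the display name and the authenticated domain agree and the sender has a history with the mailbox. The allow list is the piece that needs care in practice: a brand that sends through a third-party mailer has more legitimate domains than the two constructed here.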