“Gimme just a little bit (more)
Little bit of (excess)
Oh, me, oh, my
I don't wanna hear "No, no"
Only want a "Yes, yes"
Oh, me, oh, my”
- ‘XS’ by Rina Sawayama
On June 21 and 22, Amazon will celebrate Prime Day by systematically shoving a discount-infused syringe into the arms of consumers who want more (we don’t know why, we just know we do). Some of the busiest shopping days of the year also end up being the most lucrative for cybercriminals, however.
Research shows that last August and September heralded the largest spike in phishing and fraudulent sites created using the Amazon brand. Earlier this year, the Better Business Bureau put out an alert warning shoppers against phony Amazon phone calls that phished for their information. This article will lay out the traits that make Prime Day scams successful, highlight specific scams that readers should keep an eye out for, and share some simple tips to stay digitally safe this Prime Day.
Why Prime Day Scams Are Successful
- ‘Tis the season of social engineering: Many legitimate sales and offers during Prime Day leverage the ‘hyperbolic discounting’ effect by offering products on discounts that are almost too good to be true. Scammers exploit this same cognitive bias by sending email announcements that are actually too good to be true (i.e. they are scams).
- Overcrowded inboxes and System 1 thinking: Prime Day season is when our inboxes are even more crowded than usual. It’s easier for attackers to hide their phishing emails by impersonating brands that we’d get emails from during this time. When our brains have too much to do, they engage in System 1 thinking and take the fast decision, even though it may not always be the right one.
- Weaponized workflows: Online shopping involves multiple workflows that are almost entirely over email. Attackers fit into the context of these workflows through spoofing and other advanced techniques to try and pull discounted wool over our eyes. Some examples of these workflows are emails announcing Amazon sales, emails sharing order receipts, emails from shipping companies sharing order tracking information, and emails claiming your shopping accounts have been locked.
Keep an Eye Out for These Scams
The Armorblox threat research team has observed and written about a range of email scams that either directly call back to Prime Day or hover around its edges. As you fill up your digital shopping carts, make sure you check your orders are real before clicking ‘Checkout’. Here are some specific scams to watch out for:
Scams Phishing for Amazon Credentials
Last year, we spotted an email impersonating an Amazon notification claiming that the victim’s payment method had failed. The email included a link for victims to update their account information or risk losing their Amazon order. The link led to a lookalike site that asked not just for the victim’s account credentials, but also their billing and shipping addresses.
Recap of attack techniques:
- The email got past authentication checks by using a legitimate email account of a compromised vendor (a floral design company based out of Vermont).
- The attack used a 0-day phishing site that was created a few days before the email was sent out. No threat feeds or filters immediately blocked this site.
- The email was socially engineered to induce fear and urgency among victims (update your account within 3 days or lose your order).
- The email and phishing site impersonated the Amazon brand.
Fig: Email impersonating a failed Amazon payment notification
Vishing Scams Spoofing Amazon Billing and Support
Earlier this year, we observed multiple vishing scams impersonating Amazon to try and steal victims’ PII and credit card information. The emails sent fake order receipts and included phone numbers to call for processing order returns.
Recap of attack techniques:
- Both vishing emails are replete with Amazon branding and follow a structure similar to real order confirmation emails from Amazon.
- Neither email included any links or other conventional calls to action, which enabled them to bypass detection controls that block known bad links.
- The context for both email attacks replicates workflows that already exist in our daily lives (ordering things online).
- One of the vishing emails was sent from a Gmail address, allowing it to successfully pass email authentication checks.
Fig: Email impersonating Amazon and including a phone number to call
Our team also wrote about an Amazon vishing attack in 2020 that followed most of the same techniques.
Scams Impersonating Shipping Companies
What’s the next step after you ordered that Kirby-themed Nintendo Switch? Why, for some shipping company to fulfill the order and send it to your door, of course. This is another common shopping-related workflow that scammers exploit, especially during Prime Day.
A few months ago, we observed two phishing campaigns impersonating FedEx and DHL Express to steal victims’ work email credentials.
Recap of attack techniques:
- Once again, scammers hijacked our familiarity with these email workflows. Emails informing us of missed FedEx or DHL deliveries are not out of the ordinary; most users will tend to take quick action on these emails instead of studying them in detail for any inconsistencies.
- The landing page for the FedEx email was hosted on Quip, an add-on for Salesforce that offers documents, spreadsheets, slides, and chat services. Since this is legitimate software, email security filters assumed the link was also legitimate.
- The emails employed redirects to obfuscate their attack flow. The FedEx attack flow has two redirects, and the DHL attack includes an HTML attachment rather than a URL for its phishing goals.
Fig: Summary of the FedEx phishing scam showing the attack flow
Scams Selling Fake Goods
Last Thanksgiving, we found a Black Friday-focused scam that impersonated Ray-Ban to sell victims counterfeit goods. This was not a phishing attempt - the website had fully functioning search, e-commerce, and inventory. However, while the real Ray-Ban site had these products at full price, the fake site had 85-90% discounts across the board.
Fig: The fake website sells counterfeit Ray-Ban inventory at ~80-90% discount
In a way, the website is providing what the initial email promised - sunglasses at 85% off. But while victims might think they’re getting the deal of the century, the sunglasses they end up receiving will probably break apart after a couple of months. Or weeks. Or days…
Quick Tips for a Safe Prime Day
- As much as possible, give emails an eye test and a gut check. Check the sender name, address, and email context for legitimacy. Hover over suspicious links to see where they’re pointing. Does the email sound too good to be true? It probably is, even during Prime Day.
- Be wary of sharing sensitive information over the phone when you’re speaking with a customer support or billing representative. If you think the phone call is suspicious, immediately hang up and don’t fall back upon politeness.
- Ensure you have multi-factor authentication (MFA) set up on as many business and personal accounts as possible.
- Never reuse passwords across accounts. Use a password manager like LastPass or 1Password to store and manage passwords.
- Avoid using passwords that tie into your publicly available information (date of birth, anniversary date etc.). Needless to say, don’t use generic passwords like ‘YourName123’, ‘password123’, and so on.
- Maybe shop for what you need and not what you want? Haha, just kidding! You deserve those gold-plated AirPods - it’s been a tough year, and it’s Prime Day.
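The "eye test" above, and the indicators listed in the attack recaps (a brand name in the sender display name while the mail comes from some other domain, link text that shows one domain while the href points at another, a receipt with no links but a phone number to call, urgency wording), can be turned into a small triage heuristic. The following is an added example written for this article, not Armorblox code or any product's detection logic; the three messages, the sender domains and the phone number are constructed, and the list of brand domains is an assumption kept deliberately short.

```python
"""Heuristic triage of shopping-season emails (added example, not Armorblox code).

Applies the indicators described in the article to single-part text or HTML
messages and returns a list of human-readable findings. Sample messages,
sender domains and phone numbers below are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: brands discussed in the article and the domains a real notification would use.
BRAND_DOMAINS = {"amazon": {"amazon.com"}, "fedex": {"fedex.com"}, "dhl": {"dhl.com"}}
URGENCY = re.compile(r"\b(within \d+ (?:hours?|days?)|immediately|suspended|locked|cancell?ed)\b", re.I)
PHONE = re.compile(r"\b(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}\b")


class LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable-domain guess (last two labels); enough for the sample domains here."""
    labels = (host or "").lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def host_of(text):
    """Hostname if the anchor text is written as a URL or bare domain, else ''."""
    host = urlparse(text if "://" in text else "http://" + text).hostname or ""
    return host if "." in host and " " not in text else ""


def triage(raw_message):
    """Return indicator strings for one single-part email; an empty list means nothing flagged."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = registrable(addr.split("@")[-1]) if "@" in addr else ""
    subject, body, findings = msg.get("Subject", ""), msg.get_payload(), []

    # 1. Brand named in display name or subject, but the mail comes from another domain
    #    (e.g. a compromised vendor account or a free webmail address).
    for brand, domains in BRAND_DOMAINS.items():
        if brand in (display + " " + subject).lower() and sender_domain not in domains:
            findings.append(f"{brand} in display name/subject but sender domain is '{sender_domain}'")

    # 2. Link text that names a brand or domain while the href goes somewhere else (lookalike site).
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        target, shown = registrable(urlparse(href).hostname or ""), registrable(host_of(text))
        for brand, domains in BRAND_DOMAINS.items():
            if brand in text.lower() and target not in domains:
                findings.append(f"link text mentions {brand} but href points at '{target}'")
        if shown and shown != target:
            findings.append(f"link text shows '{shown}' but href points at '{target}'")

    # 3. Vishing pattern: no links at all, but a phone number to call.
    if not collector.links and PHONE.search(body):
        findings.append("no links but contains a phone number to call (vishing pattern)")

    # 4. Urgency wording that pushes the reader toward a fast decision.
    match = URGENCY.search(subject + " " + body)
    if match:
        findings.append(f"urgency wording: '{match.group(0)}'")
    return findings


# Constructed samples modelled on the scams described in the article.
FAILED_PAYMENT = """From: "Amazon.com" <billing@florals-example.net>
Subject: Your payment method failed
Content-Type: text/html

<p>Update your account within 3 days or your order will be cancelled.</p>
<p><a href="http://amazon-account-verify.example/login">amazon.com/your-account</a></p>
"""

VISHING_RECEIPT = """From: "Amazon Order Confirmation" <orders.amazon.receipts@gmail.com>
Subject: Order #112-3456789-0000000 confirmed
Content-Type: text/plain

Thank you for your order of 1 x Wireless Headphones ($299.99).
If you did not place this order, call our billing team at (800) 555-0199.
"""

GENUINE = """From: "Amazon.com" <ship-confirm@amazon.com>
Subject: Your package has shipped
Content-Type: text/html

<p>Track it here: <a href="https://www.amazon.com/orders">amazon.com/orders</a></p>
"""

if __name__ == "__main__":
    for name, sample in [("failed payment", FAILED_PAYMENT), ("vishing receipt", VISHING_RECEIPT), ("genuine", GENUINE)]:
        print(name, "->", triage(sample) or "nothing flagged")
```

The failed-payment sample trips all four checks, the vishing receipt trips the sender-domain and no-links-plus-phone-number checks, and the genuine shipping notice trips none. The domain comparison is deliberately crude (last two labels) and the brand list is tiny; a real deployment would key on a proper public-suffix list and on SPF/DKIM alignment rather than the From header alone.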
“More, just to be sure
I got what I wanted, so naturally I want more
What I paid for, entertain me now
All I want is more, 'cause I like it”
- ‘More’ by Poets of the Fall