Researchers have unearthed a sneaky new cyber-attack that spoofs American multinational technology company Amazon to steal victims’ financial credentials.
The digital deception, which combines brand impersonation with social engineering, was discovered by software firm Avanan, a Check Point Company based in New York.
Today, Avanan shared details about the attack on its blog. The scam is a two-part affair that begins with an email. It was first observed in October 2021.
The perpetrators of the attack use legitimate Amazon links to build trust, then push the end-user to make a phone call and give out their financial details.
“In this attack, hackers are spoofing an Amazon order notification page,” wrote researchers.
Victims receive what looks like a typical Amazon order confirmation email containing links that all direct the user to the legitimate Amazon site.
“When trying to call the number listed, which is not an Amazon number, the scam begins, with the end goal of obtaining credit card information,” noted researchers.
Though the number listed in the email has a South Carolina area code, it is not an Amazon number. Victims who dial will not get an answer; a few hours later, however, they receive a call back from attackers based in India.
To prompt victims to make the call to what they believe is Amazon, the attackers list high-price items on the fictitious emailed invoice.
Details gathered under the scam could be used by the attackers to carry out other criminal activity.
Researchers noted that this method of stealing financial details “results not only in monetary gain for the hackers but serves as a form of phone number harvesting, enabling them to carry out further attacks by voicemail or text message.”
While the attackers “do a good job of spoofing an actual Amazon order,” eagle-eyed recipients of the malicious Amazon Service Alert email used in the attack will notice that it has been sent from a Gmail address.
Researchers said: “This attack bypasses traditional email security scanners in large part due to the existence of legit links. When doing a check against an Allow List, this email passes.”
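The point in the last two paragraphs is that URL-based filtering is the wrong control here: every link is genuine, so an allow-list check passes, and the only malicious element is a phone number. The following is an added illustration (not code from Avanan or Check Point) of a heuristic that looks at the indicators the article itself describes: a display name or subject that claims Amazon, a sender domain that is not Amazon's (here a free webmail domain), links that all resolve to the real brand domain, and a phone number as the call-to-action. The two sample messages, the order details, the webmail list and the fictional 555 number are all constructed for the example.

```python
"""Heuristic detector for the callback-phishing pattern described above:
a message claiming to be an Amazon order notification, sent from a domain
that is not Amazon's, whose links all point at legitimate amazon.com pages,
and whose call-to-action is a phone number rather than a link.
Added example; the thresholds and domain lists are assumptions."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed lists; a production filter would use a maintained brand registry.
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
BRAND_DOMAINS = {"amazon.com"}
BRAND_KEYWORDS = ("amazon",)

# North American phone number, with or without area-code parentheses/+1.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def is_brand_domain(host):
    """True if host is the brand domain or one of its subdomains."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)


def plain_body(msg):
    """Return the text/plain content of a parsed message."""
    if msg.is_multipart():
        return "\n".join(p.get_payload(decode=True).decode(errors="replace")
                         for p in msg.walk() if p.get_content_type() == "text/plain")
    return msg.get_payload()


def analyze(raw_message):
    """Score one RFC 822 message; returns a verdict plus the evidence behind it."""
    msg = message_from_string(raw_message)
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    subject = msg.get("Subject", "")
    body = plain_body(msg)

    claims_brand = any(k in (display_name + " " + subject).lower() for k in BRAND_KEYWORDS)
    link_hosts = {urlparse(u).hostname or "" for u in URL_RE.findall(body)}
    all_links_legit = bool(link_hosts) and all(is_brand_domain(h) for h in link_hosts)
    phones = PHONE_RE.findall(body)

    findings = []
    if claims_brand and not is_brand_domain(sender_domain):
        findings.append(f"brand name in header but sender domain is {sender_domain}")
    if sender_domain in FREE_WEBMAIL:
        findings.append("sent from a free webmail domain")
    if phones:
        findings.append(f"{len(phones)} phone number(s) in body")
    if claims_brand and all_links_legit and phones:
        # This is the case an allow-list of URLs misses entirely.
        findings.append("links are legitimate but the call-to-action is a phone number "
                        "(callback phishing pattern)")
    return {
        "verdict": "suspicious" if findings else "clean",
        "findings": findings,
        "link_domains": sorted(link_hosts),
        "phone_numbers": phones,
    }


# Constructed sample modelled on the article's description (fictional number).
SAMPLE_SCAM = """From: Amazon Service Alert <orders.notify.example@gmail.com>
Subject: Your Amazon.com order has shipped
Content-Type: text/plain

Thank you for your order of one laptop computer - $2,499.00.
Track your package: https://www.amazon.com/gp/css/order-history
If you did not place this order, call our billing department at (803) 555-0100.
"""

# Constructed benign sample: genuine sender domain, no phone call-to-action.
SAMPLE_CLEAN = """From: Amazon.com <ship-confirm@amazon.com>
Subject: Your Amazon.com order has shipped
Content-Type: text/plain

Track your package: https://www.amazon.com/gp/css/order-history
"""

if __name__ == "__main__":
    for name, raw in (("scam", SAMPLE_SCAM), ("clean", SAMPLE_CLEAN)):
        print(name, analyze(raw))
```

The useful design point is the last rule: a message that impersonates a brand, carries only legitimate links, and asks the reader to phone a number is a pattern in its own right, and it is exactly the pattern an allow-list check cannot see because nothing in it is on a block list. Pairing that rule with a sender-domain check against the brand being named is what turns the article's two observations into something a mail filter can act on.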