Amazon Prime Day: How Online Shoppers Can Stay Safe

Amazon Prime Day is a highly anticipated shopping extravaganza that brings joy and excitement to countless shoppers worldwide. With its incredible deals and exclusive offers, it has become a festive occasion for those seeking great bargains. 

The Amazon Prime Day which this year falls on 11^th and 12^th of July, grew in volume to new peaks in 2022, according to Amazon , as  Prime members in the U.S. purchased more than 60,000 items per minute during the 2022 event, with  global  members purchasing more than 300 million items worldwide during Prime Day 2022. 

However, amidst the excitement, there is an underlying risk that cannot be ignored. Cybercriminals leverage this occasion to carry out phishing attacks, preying on unsuspecting shoppers. These attackers employ deceptive tactics, such as sending fake emails or creating fraudulent websites, aiming to steal personal information or financial credentials. While Prime Day offers incredible savings, it is crucial for shoppers to remain vigilant, exercise caution while clicking on links or providing sensitive information, and ensure they are navigating legitimate platforms.  

Alarming findings on domain registration and phishing attacks

This year, Check Point Research (CPR) found 16 times more malicious Amazon prime related phishing attacks during the month of June compared to May, and the overall increase in all Amazon related phishing was 8%. During this period, there were almost 1,500 new domains related to the term “Amazon” of which 92% were found to be risky – either malicious or suspicious.

1 out of every 68 “Amazon” related new domains, was also related to “Amazon Prime”. About 93% of those domains were found to be risky.

How Phishing Works

The basic element of a phishing attack is a message, sent by email, social media, or other electronic communication means.

A phisher may use public resources, especially social networks, to collect background information about the personal and work experience of their victim. These sources are used to gather information such as the potential victim’s name, job title, and email address, as well as interests and activities. The phisher can then use this information to create a reliable fake message.

Typically, the emails the victim receives appear to come from a known contact or organization. Attacks are carried out through malicious attachments or links to malicious websites. Attackers often set up fake websites, which appear to be owned by a trusted entity like the victim’s bank, workplace, or university. Via these websites, attackers attempt to collect private information like usernames and passwords, or payment information.

Some phishing emails can be identified due to poor copywriting and improper use of fonts, logos, and layouts. However, many cybercriminals are becoming more sophisticated at creating authentic-looking messages, and are using professional marketing techniques to test and improve the effectiveness of their emails.

Prime Credit Card Theft Example:

Below is an example of a phishing mail that seems like it was sent from “Amazon<.>co<.>uk”. The attacker was trying to lure the victim to click on a malicious link, which redirects the user to http://www<.>betoncire<.>es/updating/32080592480922000 – The link is currently inactive. 

Subject: Your Prime Membership: Payment declined: Payment method has been declined, please update your payment method so that your order is not canceled and your account is not suspended. 

From: Amazon.co.uk (prime-update<.>74715579-59050019<.>24219850@amazon<.>co<.>uk) 

Credentials Theft Example:

CPR noticed a malicious phishing email that was allegedly sent by Amazon and which was trying to steal users’ credit information. The email which was sent from the spoofed address Amazon (amazon@blackoutthelimit<.>com) contained socially engineered subject which could pressure the victim into clicking on the malicious link http://kolives<.>com/profile/

The website redirected the user to a fraudulent Amazon payment page that looks like the real site with minor changes (For example “Cvv” instead of “CVV”).In the malicious link, the user needed to enter credit information. The link is currently inactive. 

Subject: Account locked

From: Amazon (amazon@blackoutthelimit<.>com)

Account Theft Example:

In this phishing mail, there is an attempt to steal a user’s Amazon Prime account information. The email seems like it was sent from “Amazon.co.jp”, but from looking at  the email address it is clearly understood that it is phishing  (changeid@sfsbupah<.>com). Also, at the bottom of the email, it is written Arnazon instead of Amazon.

The attacker was trying to lure the victim to click on a malicious link, which redirects the user to a fraudulent Amazon login page. In the malicious link https://sftvrepair<.>com the user needed to enter their username and their password.