Phishers Pose as Amazon and Use Fraudulent Payment Alert to Steal Sensitive Information
In this phishing attack, a threat actor impersonates Amazon and emails the target claiming there is an issue with the payment method associated with their Amazon Prime membership. To increase the appearance of legitimacy, the attacker sends from a spoofed email address, sets the display name to “Prime Support”, and incorporates mimicked Amazon branding into the body of the email. The message informs the recipient that their Prime membership is set to renew that day but the payment method on file is invalid, and instructs them to update their default payment method using the provided link. Should the target click the button labeled “Update Information”, they are redirected to a Google Drawings page that the attacker has crafted to resemble an official Amazon message. This page contains another button, labeled “Continue Verification”, which redirects the user to a second page containing a QR code. If the target scanned the QR code, they would likely be redirected to a third page designed to harvest sensitive data, such as login credentials or payment information.
Legacy email security tools struggle to identify this email as an attack because it originates from a spoofed email address, uses links to legitimate domains inside the message, and contains no attachments. Modern AI-powered email security solutions detect the suspicious links in the email, identify that the sender name and domain do not match, and recognize that the message contains language commonly used in financial theft attempts, allowing them to correctly flag this email as an attack.
Figure: Google Drawings page crafted to appear as an additional verification step.
How Does This Attack Bypass Email Defenses?
This email attack bypasses traditional security solutions for multiple reasons, including the following:
- Spoofed Email Address: The attacker spoofs a legitimate-sounding email address, bypassing basic email verification checks and adding perceived authenticity.
- Legitimate Links Included: The email includes links associated with recognizable domains, which can pass through basic link verification checks due to their legitimate structure.
- Lack of Attachments: By not including any attachments, the email avoids detection by antivirus and anti-malware systems focused on attachment-based threats.
How Did Abnormal Detect This Attack?
This attack was detected using AI and ML by analyzing various factors, including the following:
- Suspicious Link Analysis: Abnormal's systems scrutinize the presence of links leading to suspicious domains, triggering deeper analysis for possible malicious intent.
- Sender Name and Domain Mismatch: The sender name does not match the sender domain, raising further suspicion during Abnormal’s analysis.
- Financial Theft Language: The subject line contains language characteristic of attempts to steal money, a common tactic that Abnormal’s content analysis and NLP algorithms identify when screening for potential financial fraud.
By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.
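The three indicators listed above (a brand name in the display name that does not match the sender domain, a link to attacker-controlled content hosted on a legitimate platform such as Google Drawings, and payment/renewal pretext language) can be checked mechanically. The script below is an added illustration written for this page, not Abnormal's detection code or a description of its proprietary methods. It parses a constructed sample message modelled on the campaign described above, using only the Python standard library; the brand-to-domain table, the list of hosted-content domains, the financial-language patterns and the scoring thresholds are all assumptions chosen for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message modelled on the campaign described above:
# "Prime Support" display name, non-Amazon sender domain, a Google Drawings
# link behind the "Update Information" button, and no attachment.
SAMPLE_EML = """\
From: "Prime Support" <support@prime-renewal-notice.example>
To: victim@example.org
Subject: Action required: your Prime payment method is invalid
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your Prime membership renews today but the payment method on file is invalid.</p>
<p><a href="https://docs.google.com/drawings/d/PLACEHOLDER_ID/preview">Update Information</a></p>
</body></html>
"""

# Assumed mapping of impersonated brands to the domains they legitimately send from.
BRAND_DOMAINS = {"amazon": ("amazon.com", "amazon.co.uk")}
BRAND_KEYWORDS = {"amazon": ("amazon", "prime")}

# Assumed list of content-hosting services that serve user-uploaded pages under a trusted domain.
HOSTED_CONTENT = ("docs.google.com", "drive.google.com")

# Assumed phrases typical of payment/renewal pretexts.
FINANCIAL_PATTERNS = [r"payment method", r"renew", r"invalid", r"update .*information", r"billing"]


def display_name_mismatch(from_header):
    """Return (display_name, domain, brand) when the display name references a brand
    but the address domain is not one of that brand's domains; otherwise None."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    lowered = name.lower()
    for brand, keywords in BRAND_KEYWORDS.items():
        if any(k in lowered for k in keywords):
            if not any(domain == d or domain.endswith("." + d) for d in BRAND_DOMAINS[brand]):
                return name, domain, brand
    return None


def extract_links(html):
    """Pull href targets out of an HTML body."""
    return re.findall(r'href=["\']([^"\']+)["\']', html, flags=re.I)


def hosted_content_links(links):
    """Links whose host is a legitimate platform that can serve attacker-controlled pages."""
    flagged = []
    for link in links:
        host = urlparse(link).hostname or ""
        if any(host == h or host.endswith("." + h) for h in HOSTED_CONTENT):
            flagged.append(link)
    return flagged


def financial_language(text):
    """Patterns from FINANCIAL_PATTERNS that occur in the text."""
    return [p for p in FINANCIAL_PATTERNS if re.search(p, text, flags=re.I)]


def analyze(raw):
    """Combine the indicators into a simple verdict for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""
    subject = str(msg["Subject"] or "")
    findings = {
        "sender_mismatch": display_name_mismatch(str(msg["From"] or "")),
        "hosted_content_links": hosted_content_links(extract_links(body)),
        "financial_language": financial_language(subject + " " + body),
        "has_attachment": any(part.get_filename() for part in msg.walk()),
    }
    # Scoring is an assumption for the example: a brand/domain mismatch combined with
    # either indicator is treated as likely phishing; a lone indicator warrants review.
    score = sum(bool(findings[k]) for k in ("sender_mismatch", "hosted_content_links", "financial_language"))
    if findings["sender_mismatch"] and score >= 2:
        findings["verdict"] = "likely-phishing"
    elif score >= 1:
        findings["verdict"] = "review"
    else:
        findings["verdict"] = "clean"
    return findings


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

Note that none of the three checks alone is conclusive: a real Amazon notice also talks about payment methods, and a real colleague may legitimately share a Google Drawings link, which is why the verdict only escalates when the sender mismatch coincides with another indicator.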
Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.