Phishing Attack Exploits Compromised Email to Impersonate Amazon and Steal Sensitive Information
In this phishing attack, cybercriminals use a compromised email address to impersonate Amazon and send the target a notification regarding their Amazon Prime account. The email claims there is an issue with the payment method associated with the recipient’s Amazon Prime membership and urges them to update their payment information to prevent interruption of their Prime benefits. The email includes a link that purportedly directs the recipient to update their information but instead leads to a phishing site designed to steal sensitive information. To enhance the appearance of authenticity, the message uses professional language and Amazon branding. By leveraging the trusted name of Amazon and the urgency of potential service interruption, the attacker hopes to manipulate the recipient into providing sensitive information without scrutinizing the email’s legitimacy.
Older, legacy email security tools struggle to accurately identify this email as an attack because it originates from a compromised email address, employs sophisticated social engineering techniques, and lacks malicious attachments. Modern, AI-powered email security solutions recognize that the sender is unknown to the recipient, detect suspicious links in the message, and recognize the inconsistency between the sender domain and display name to correctly flag this email as an attack.
Malicious phishing email sent from a compromised account in which attacker pretends to be Amazon
How Does This Attack Bypass Email Defenses?
This email attack bypasses traditional security solutions for multiple reasons, including the following:
- Compromised Email Address: The attacker compromises a legitimate email address, bypassing basic email verification checks and adding perceived authenticity.
- Social Engineering Tactic: The email claims that the payment method for the recipient's Amazon Prime membership is no longer valid, creating a sense of urgency and prompting immediate action.
- Absence of Malicious Attachments: By not including suspicious attachments, the email avoids detection by antivirus and anti-malware systems focused on attachment-based threats.
How Did Abnormal Detect This Attack?
This attack was detected using AI and ML by analyzing various factors, including the following:
- Unknown Sender Consideration: The email is recognized as coming from an unknown sender who has never communicated with the recipient. Abnormal’s platform maintains a communication history and quickly flags deviations from established patterns of sender-recipient interactions.
- Suspicious Link Analysis: The presence of a link that leads to a suspicious domain "http://lnkiy[.]in" is scrutinized by Abnormal’s systems, triggering deeper analysis for possible malicious intent.
- Sender Name and Domain Mismatch: The sender name (Amazon Prime) does not match the domain, raising further suspicion during Abnormal’s analysis.
By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.
Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.