Brand Protection

    Amazon Prime Day: Primetime for Cybercriminals

    Cybercriminals took advantage of this year’s Amazon Prime Day to rev up credential harvesting, phishing attacks and brand impersonation. Is this a precursor to the upcoming holiday shopping season? 

    by Matthew Gardiner

    It is no secret that cybercriminals love to spoof the world’s top internet brands. And given Amazon’s size and reach, it is not surprising that it commonly makes the list of the top 10 most exploited and phished brands. For mass-market phishers, mass-market brands greatly increase the probability of getting engagement. Who doesn’t know of or do business with Amazon these days? What does the attacker get from this engagement? That’s easy: a direct path to money. In many cases, cybercriminals are simply looking for login credentials for the spoofed brand. It is reported that Amazon login credentials yield about $30 each on the dark market. Get a few thousand of those as the result of a phishing campaign and you are talking real money.

    Cybercriminals also have a long history of leveraging holidays, global events, pandemics, as well as major company promotions to goose their money-making schemes. They love to glide in the slipstream that others create. The recent Amazon Prime Day on October 13 and 14 of this year proved to be a phishing opportunity that could not be passed up. In fact, in the two-week period leading up to Prime Day, Mimecast discovered 197 live web pages that were simulating Amazon.com. Below I will provide some examples of these sites and what about them appears to be suspicious.

    In Figure 1 below, note the URL with the domain “U1k.cc” and the subdomain “user-amazon.” The “.cc” TLD belongs to the Cocos (Keeling) Islands, an Australian territory of about 600 inhabitants. I wonder if Amazon delivers there? Or perhaps they have a warehouse located on the island? Unlikely. The actual phishing site, in Figure 2, is obviously targeted at a Japanese audience, given the writing.

    Figure 1 – Example of an Amazon simulating web page

    Figure 2 – A fake Amazon login page targeted at a Japanese audience

    Note also that the registrar is the China-based Alibaba Cloud Computing, and that the domain was registered just in time for Prime Day. All of these are highly suspicious factors indicating that this is not an Amazon-authorized site.

    Figure 3 – Whois information for u1K.cc domain

    Fortunately, some, but not all, security engines recognized this site at the time as malicious. For details current as of this writing, see Figure 4, a screenshot of the VirusTotal results for this site.

    Figure 4 – VIRUSTOTAL results for the suspect Amazon Japan web site

    Of course, Amazon is very global and so are the cybercriminals. Thus, would it surprise you that a version of this scam is focused on Italians as well? In this version it is very clear the attacker is attempting to leverage Prime Day. They even put “prime” into their domain registration!

    Figure 5 – Prime Day in Italy?

    Clearly, this site is quite different from the legitimate Amazon.it page, shown in Figure 6.

    Figure 6 – Amazon’s legitimate Amazon.it web page

    Unfortunately, as of this writing, no engines in VirusTotal had yet flagged this site as malicious, as seen below in Figure 7.

    Figure 7 – VIRUSTOTAL results for amazonprime-italia/amazon/

    In fact, the site remains live and ready for action, and it is hosted, as is quite common, on WordPress. Overall, it is quite a clumsy site, but no one ever said every phisher is fancy. Note that they didn’t even bother to get a certificate for the site. More sophisticated attackers typically do get a certificate for their fraud site, since many people have been trained to look for the lock as a sign of legitimacy (which it isn’t).

    Figure 8 – The live amazonprime-italia.it/amazon site

    And finally, “amazon-prime.online”. There is currently nothing on the page other than a bunch of HTML and JavaScript. Perhaps it is parked for future credential-stealing or malware-dropping use?

    Figure 9 – Amazon-prime.online URL

    And only one engine in VirusTotal has flagged this URL as malicious.

    Figure 10 – VIRUSTOTAL results for Amazon-prime.online

    I would like to tell you that these types of attacks are uncommon, but I can’t. One common misperception is that these sorts of campaigns are exclusively focused on global internet brands such as Amazon. That also isn’t true. If your organization has a website, particularly one with a login, has customers and partners, and produces or sells something of value, you are very likely in the sights of these types of cybercriminals. In fact, even the Mimecast brand is periodically targeted with these sorts of attacks. Fortunately, we drink our own “champagne” and thus our brand is generally well protected using our Brand Exploit Protect, Secure Email Gateway, DMARC Analyzer and Web Security services.
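    As an added example (not Mimecast’s code, nor any of the services named in this post), here is a small Python triage helper that scores a URL against the signals walked through above: the brand name sitting in a subdomain or in an unrelated registrable domain, a registration date just before the event, no TLS, and reputation engines that lag behind those structural signals. The registrable-domain splitter, the 30-day window and the thresholds are assumptions; the whois dates and engine counts are constructed values supplied by the caller.

```python
from datetime import date
from urllib.parse import urlsplit

BRAND = "amazon"
# Assumed: registrable domains the brand legitimately uses (not an exhaustive list).
LEGIT_DOMAINS = {"amazon.com", "amazon.it", "amazon.co.jp"}
# Assumed: two-label public suffixes handled by this toy splitter.
TWO_LABEL_SUFFIXES = {"co.jp", "co.uk", "com.au"}


def registrable_domain(host):
    """Return the registrable domain, e.g. 'u1k.cc' for 'user-amazon.u1k.cc'."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def score_url(url, registered_iso, today_iso):
    """Score the structural brand-impersonation signals; returns (score, reasons).

    registered_iso is the whois creation date and today_iso the observation
    date, both ISO strings (constructed values in the callers below)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reg = registrable_domain(host)
    if reg in LEGIT_DOMAINS:
        return 0, ["registrable domain belongs to the brand"]
    reasons = []
    if BRAND in reg.split(".")[0]:
        reasons.append("brand name inside an unrelated registrable domain")
    sub = host[: len(host) - len(reg)].rstrip(".")
    if BRAND in sub:
        reasons.append("brand name in the subdomain of an unrelated domain")
    age = date.fromisoformat(today_iso) - date.fromisoformat(registered_iso)
    if age.days < 30:
        reasons.append("domain registered within the last 30 days")
    if parts.scheme != "https":
        reasons.append("no TLS, so no certificate presented")
    return len(reasons), reasons


def verdict(score, vt_hits):
    """Combine the structural score with the VirusTotal engine count.

    The post shows engines lagging, so a strong structural score alone is
    enough to pull the URL into manual review even with zero detections."""
    if vt_hits >= 3:
        return "block"
    if score >= 2:
        return "review"
    return "ok"
```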
