Cybercriminals took advantage of this year’s Amazon Prime Day to rev up credential harvesting, phishing attacks and brand impersonation. Is this a precursor to the upcoming holiday shopping season? 

It is no secret that cybercriminals love to spoof the world’s top internet brands. And given Amazon’s size and reach, it is not surprising that it commonly makes the list of the top 10 most exploited and phished brands. For mass-market phishers, mass-market brands can really increase the probability of getting engagement. Who doesn’t know of or do business with Amazon these days? What does the attacker get from this engagement? That’s easy: a direct path to money. In many cases, cybercriminals are just looking for login credentials for the spoofed brand. It is reported that Amazon login credentials yield about $30 each on the dark market. Get a few thousand of those as the result of a phishing campaign and you are talking real money.

Cybercriminals also have a long history of leveraging holidays, global events, pandemics, as well as major company promotions to goose their money-making schemes. They love to glide in the slipstream that others create. The recent Amazon Prime Day on October 13 and 14 of this year proved to be a phishing opportunity that could not be passed up. In fact, in the two-week period leading up to Prime Day, Mimecast discovered 197 live web pages that were simulating Amazon.com. Below I will provide some examples of these sites and what about them appears to be suspicious.

In Figure 1 below, note the URL with the domain “U1k.cc” and the subdomain “user-amazon.” The “.cc” TLD is for Cocos (Keeling) Islands, an Australian territory of about 600 inhabitants. I wonder if Amazon delivers there? Or perhaps they have a warehouse located on the island? Unlikely. The actual phishing site, in Figure 2, is obviously targeted at a Japanese audience, given the writing.

Figure 1 – Example of an Amazon simulating web page

Figure 2 – A fake Amazon login page targeted at a Japanese audience

But note that the registrar is China-based Alibaba Cloud Computing, and that the registration was timed just ahead of Prime Day. These are all highly suspicious factors indicating that this is not an Amazon-authorized site.

Figure 3 – Whois information for u1K.cc domain

Fortunately, some, but not all, security engines recognized this site at the time as being malicious. For details current as of this writing, please see Figure 4, which is a snap from VIRUSTOTAL for this site.

Figure 4 – VIRUSTOTAL results for the suspect Amazon Japan web site

Of course, Amazon is very global and so are the cybercriminals. Thus, would it surprise you that a version of this scam is focused on Italians as well? In this version it is very clear the attacker is attempting to leverage Prime Day. They even put “prime” into their domain registration!

Figure 5 – Prime Day in Italy?

Clearly, this site is quite different from the legitimate Amazon.it page, shown in Figure 6.

Figure 6 – Amazon’s legitimate Amazon.it web page

Unfortunately, as of this writing, no engines in VIRUSTOTAL had yet flagged this site as malicious, as seen below in Figure 7.

Figure 7 – VIRUSTOTAL results for amazonprime-italia/amazon/

In fact, the site remains live and ready for action, and it is hosted, as is quite common, by WordPress. Overall, it is quite a clumsy site, but no one ever said every phisher is fancy. Note they didn’t even bother to get a certificate for the site. Most sophisticated attackers typically get a certificate for their fraud site, as many people have been trained to look for the lock as a sign of legitimacy (which it isn't).

Figure 8 – The live amazonprime-italia.it/amazon site

And finally, there is “amazon-prime.online”. There is currently nothing on the page other than a bunch of HTML and JavaScript. Perhaps it is parked for a future credential-stealing or malware-dropping use?

Figure 9 – Amazon-prime.online URL

And only one engine in VIRUSTOTAL has flagged this URL as malicious.

Figure 10 – VIRUSTOTAL results for Amazon-prime.online
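
The URL-level indicators called out in the three examples above (the brand name in a subdomain or registered name of an unrelated domain, “prime” in the registration, no certificate) can be checked mechanically when triaging links. The Python below is an added example, not Mimecast's code; the allowlist, the suffix table, the finding labels and the schemes and paths of the sample URLs are assumptions.

```python
from urllib.parse import urlsplit

# Assumptions for this example: a short allowlist of brand-owned domains and a
# tiny two-label suffix table (use the Public Suffix List in production).
OFFICIAL_DOMAINS = {"amazon.com", "amazon.it", "amazon.co.jp"}
TWO_LABEL_SUFFIXES = {"co.jp", "co.uk", "com.au"}
BRAND, CAMPAIGN_KEYWORD = "amazon", "prime"

def registrable_domain(host):
    """Return the registered domain (name + public suffix) of a hostname."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def assess(url):
    """List the impersonation indicators found in one URL (empty = none)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    if reg in OFFICIAL_DOMAINS:
        return []  # brand-owned domain, nothing to flag
    findings = []
    subdomain = host[: len(host) - len(reg)].rstrip(".")
    if BRAND in subdomain:
        findings.append("brand-in-subdomain")
    if BRAND in reg.split(".")[0]:
        findings.append("brand-in-registered-name")
    if BRAND in parts.path.lower():
        findings.append("brand-in-path")
    if findings and CAMPAIGN_KEYWORD in host:
        findings.append("campaign-keyword")
    if findings and parts.scheme != "https":
        findings.append("no-tls")
    return findings

# Constructed sample: hostnames are those named in the article; schemes and
# paths are assumed, except that the Italian site had no certificate.
SAMPLES = [
    "https://user-amazon.u1k.cc/",
    "http://amazonprime-italia.it/amazon",
    "https://amazon-prime.online/",
    "https://www.amazon.it/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, assess(url) or "ok")
```

Registration date and registrar, the other signals discussed above, need a WHOIS or RDAP lookup and are not covered by this offline check.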

I would like to tell you that these types of attacks are uncommon, but I can’t. One common misperception is that these sorts of campaigns are exclusively focused on global internet brands such as Amazon. That also isn’t true. If your organization has a website, particularly one with a login, has customers and partners, and produces or sells something of value, you are very likely in the sights of these types of cybercriminals. In fact, even the Mimecast brand is periodically targeted with these sorts of attacks. Fortunately, we drink our own “champagne” and thus our brand is generally well protected using our Brand Exploit Protect, Secure Email Gateway, DMARC Analyzer and Web Security services.
