Shoppers eyeing up bargains as Amazon kicks off its Prime Day 2019 sales push have been warned they could become victims of a phishing scam.
According to a blog post by security researchers Oliver Devane and Rafael Pena of McAfee Labs, a phishing attack has been targeting Amazon users since May 2019. Dubbed 16Shop, the kit has previously been used against Apple users.
In a typical attack, victims receive an email with a PDF file attached. When the victims click on the link in the attached PDF, they are redirected to a phishing site where they are tricked into "updating" their account information, which often includes credit card details.
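The lure described above hinges on a link embedded in the PDF attachment rather than in the mail body, so a mail gateway that only inspects message text never sees it. The following added example (not code from McAfee or the article) pulls the /URI link targets out of a PDF and flags any whose host is not a genuine brand domain; the PDF bytes, the hostnames and the trusted-domain list are all constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: an uncompressed PDF fragment with three link annotations.
# The hostnames are placeholders, not real 16Shop infrastructure.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]
   /A << /S /URI /URI (https://amazon-account-verify.example/update) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link
   /A << /S /URI /URI (https://www.amazon.com/gp/css/order-history) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link
   /A << /S /URI /URI <687474703a2f2f612e6578616d706c65> >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Domains the impersonated brand really uses (assumed list for the example).
TRUSTED_SUFFIXES = ("amazon.com", "amazon.co.uk", "amazon.de")

# Matches "/URI (literal string)" or "/URI <hex string>" in raw PDF syntax.
# Caveat: escaped parentheses inside literal strings are not handled, and a
# real scanner must first inflate /ObjStm object streams; this sample is plain.
URI_RE = re.compile(rb"/URI\s*(?:\(([^)]*)\)|<([0-9A-Fa-f\s]*)>)")


def extract_uris(pdf_bytes):
    """Return every /URI action target found in the PDF, decoded to str."""
    uris = []
    for m in URI_RE.finditer(pdf_bytes):
        if m.group(1) is not None:
            uris.append(m.group(1).decode("latin-1"))
        else:
            hexdata = re.sub(rb"\s+", b"", m.group(2)).decode("ascii")
            uris.append(bytes.fromhex(hexdata).decode("latin-1"))
    return uris


def is_trusted_host(host):
    """True only for the brand domain itself or a subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def suspicious_links(pdf_bytes):
    """Links in an Amazon-branded PDF that do not lead to an Amazon domain."""
    return [u for u in extract_uris(pdf_bytes)
            if not is_trusted_host(urlsplit(u).hostname or "")]
```

Run against a real attachment, any hit is a candidate for quarantine and for correlation with the URLs McAfee has already classified.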
Around the same time the researchers discovered the Amazon phishing kit, the social media profile picture of the actors they believe are behind 16Shop changed to a modified Amazon logo.
"This reinforces our findings that the same group is responsible for the development of the new malicious kit," the researchers said.
The researchers observed over 200 malicious URLs serving this phishing kit, which highlights its widespread use (all URLs seen have been classified as malicious by McAfee).
"The group responsible for 16shop kit continues to develop and evolve the kit to target a larger audience. To protect themselves, users need to be extremely vigilant when receiving unsolicited email and messages," researchers added.
"This demonstrates how malicious actors use legitimate companies to leverage their attacks and gain victims’ trust and it is expected that these kinds of groups will use other companies as bait in the future."
Mollie MacDougall, threat intelligence manager at Cofense, told SC Media UK that phishing kits and credential phish have been steadily increasing in popularity because once they have the scripts, all a threat actor really needs is a place to host them and a delivery mechanism, such as a phish.
"The use of free trial hosting sites gives threat actors temporary infrastructure quickly," she said. "Taking down credential phishing pages is truly like whack-a-mole – when a page gets taken down, another pops up elsewhere. The hosting services that offer free trial memberships are often slow to react and only do so when alerted. These services are generally not proactively watching each free trial for malicious activity."
Corin Imai, senior security advisor at DomainTools, told SC Media UK that Apple, Amazon and Netflix – not to mention Office 365 – are among the favourite entities for phishers to impersonate because of their extensive customer base.
"These indiscriminate attacks cast the widest possible net of potential victims, with the certainty that at least a few will fall for one of the oldest tricks in the book: an infected attachment that when opened redirects to a credential stealing webpage," she said.
"Once again, this is a demonstration of how essential it is to take cybersecurity education seriously, not only by organisations, but even schools and educational institutions, which should be contributing to the creation of a risk-aware culture, much needed given the current threat landscape."