New Amazon Phishing Campaign Targets Holiday Shoppers

A new phishing campaign that leverages interest in holiday shopping to steal personal and bank account information has hit thousands of consumers worldwide, International Business Times reports.

According to a Get Safe Online report on the scam, the malicious emails claim that the recipient's Amazon order can't be shipped until "certain information" is confirmed via a link in the email.

Victims who click on the link are taken to a fake website requesting their personal information.

"Once the details have been entered and the 'Save & Continue' button clicked, you will automatically be redirected to the Amazon site, oblivious that you have been defrauded, your identity stolen, or both," the report states.

Mimecast cybersecurity strategist Matthew Gardiner told eSecurity Planet by email that it's no surprise to see cyber criminals leveraging the Amazon brand during the holiday shopping season. "However, this appears to be a pretty old school, amateurish broad scope phishing attack that is both very spammy and untargeted," he said. "In this case, the attackers are looking to harvest credit card numbers so that they can sell them or use them directly for card not present/online purchases."

"The cost associated with executing phishing campaigns is very low, and offers a relatively high-probability rate that at least some of the folks targeted will fall into the trap," Gardiner added. "Even simplistic campaigns such as this are likely still quite profitable for attackers."

In fact, Verizon's 2016 Data Breach Investigations Report found that fully 30 percent of phishing emails were opened in 2016, up from 23 percent in 2015 -- and 13 percent of those who viewed the emails clicked to open the included attachment or malicious link.

According to the latest Webroot Quarterly Threat Trends Update, 84 percent of phishing sites exist for less than 24 hours, with an average lifecycle of less than 15 hours. Some sites last for as little as 15 minutes.

"In years past, these sites could endure for several weeks or months, giving organizations plenty of time to block the method of attack and prevent more victims from falling prey," Webroot CTO Hal Lonas said in a statement. "Now, phishing sites appear and disappear in the span of a coffee break, leaving every organization, no matter its size, at an immediate and serious risk from phishing attacks."

An average of more than 400,000 phishing sites were observed each month in 2016, with more than 13,000 new phishing sites per day.

"Strengthening an organization's anti-phishing strategy means moving beyond old techniques that use static phishing domain or URL lists to highly automated technologies based on sophisticated machine learning methods," the report states.