A new multistage phishing campaign spoofs Amazon's order notification page and includes a phony customer service voice number where the attackers request the victim's credit card details to correct the errant "order."
The campaign, highlighted in new research from Avanan on Thursday, underscores how phishing attacks are growing in sophistication by using a combination of email and voice lures and leveraging popular brands such as Amazon to scam potential victims.
Gil Friedrich, CEO of Avanan (now owned by Check Point), says that starting in October, Avanan observed a new attack in which the attacker spoofed a typical Amazon order notification page.
The attack works like this: The victim receives an email showing a supposed Amazon order totaling more than $300. Realizing they didn't place the order, the victim clicks a link in the email, which takes them to the real Amazon website. The email also lists a customer service number with a South Carolina area code, but it goes unanswered when the victim calls.
After a few hours, the attackers call back – from India – and the phony customer service rep tells the victim they must provide their credit card number and CVV in order to cancel the invoice.
“This results not only in monetary gain for the hackers, but serves as a form of phone number harvesting for the attackers, allowing them to carry out further attacks over the next several weeks via voicemail or text messaging,” Friedrich explains.
In another clever brand impersonation scam, reported by Armorblox today, a credential phishing attack impersonated Proofpoint in an attempt to steal victims' Microsoft and Google email credentials. The email claimed to deliver a secure file from Proofpoint via a link; clicking it took the victim to a splash page that spoofed Proofpoint branding and offered spoofed login pages for both Microsoft and Google.
Armorblox researchers say the whole aim of the scam was to trade on a trusted security brand like Proofpoint alongside well-known brands such as Microsoft and Google. Though the lure differs from the Amazon campaign, it demonstrates how clever attackers have become and how they prey on people's trust in well-known brands.
In the Amazon case, the benefit of this type of multistage phishing attack is that the attacker is far more likely to succeed when the potential victim calls, notes Roger Grimes, data-driven defense evangelist at KnowBe4. The email takes almost no effort to set up and send – with zero risk, he adds. The same holds true for all phishing emails and attacks, he says.
"But here the difference is that when someone goes out of their way to call the phisher, the phisher knows they have a high likelihood of conversion on that potential victim," Grimes says. "The victim has already mentally bought into the scam. The victim, if they ever had any skepticism, is further convinced the scam is real because the pretend brand entity is now working across multiple mediums. The victim probably cannot believe that a scammer would go through the trouble of having real phone numbers and live people who answer them, not knowing that phishing scams often do."
Another popular version of this type of scam is an email pretending to be from the victim's local power company. The email claims the victim's payment to the power company was declined and that their power will soon be cut off. The victim is instructed to go to a local store and purchase money vouchers to pay.
"You might ask yourself, 'Who could possibly believe that their power company is asking them to pay by money vouchers?'" Grimes says. "In my anecdotal experience, about 10% of victims."
Along with strong security awareness programs, which have been shown to reduce the risk of employees clicking on bad links or calling fraudulent phone numbers, here are some other tips Avanan recommends to prevent these types of scams:
- Encourage end users to look at the sender address of the email. In the Amazon case, the sender’s address was a Gmail account, not from Amazon.
- Encourage end users to check their Amazon accounts. If they truly made the order, then it should appear on the “Returns & Orders” section of their account.
- Do not put major companies on allow lists, as those companies tend to be among the most impersonated. Check Point Research found that Amazon is the second-most impersonated brand behind Microsoft.
- Encourage users not to call unfamiliar numbers. As with other online scams, check the account you have with the corporate site before making any calls.
- Implement a multitiered security architecture that relies on more than one signal when deciding whether to block an email.
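The first two tips above (compare the sender domain with the brand the message claims to be from, and be wary of a callback number) can be turned into a simple mail-filter check. The following is an added example, not code from Avanan, Armorblox or the vendors named in this article: it parses a raw message, pulls the sender domain out of the From header, looks for a brand name in the display name, subject and body, and flags the message when the brand does not match an allow-listed sending domain and the body also carries a phone number to call. The BRAND_DOMAINS table and both sample emails are constructed for illustration, not authoritative lists.

```python
"""Flag brand-impersonation emails whose sender domain does not match the
brand they claim, and extract any callback phone numbers from the body."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Assumed allow-list of domains each brand legitimately sends from.
# Illustrative only; a production filter would load this from a curated source.
BRAND_DOMAINS = {
    "amazon": {"amazon.com", "amazon.co.uk"},
    "proofpoint": {"proofpoint.com"},
    "microsoft": {"microsoft.com", "microsoftonline.com"},
}

# North American style numbers such as (843) 555-0123 or 843-555-0123.
PHONE_RE = re.compile(r"\(?\b(\d{3})\)?[\s.-]?(\d{3})[\s.-]?(\d{4})\b")


def sender_domain(msg: Message) -> str:
    """Domain of the address in the From header (ignores the display name)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def domain_belongs_to(domain: str, brand: str) -> bool:
    """True if domain is, or is a subdomain of, one of the brand's domains."""
    return any(domain == d or domain.endswith("." + d) for d in BRAND_DOMAINS[brand])


def body_text(msg: Message) -> str:
    """Concatenate the text/plain parts of a message as decoded text."""
    parts = [msg] if not msg.is_multipart() else [
        p for p in msg.walk() if p.get_content_type() == "text/plain"
    ]
    chunks = []
    for part in parts:
        raw = part.get_payload(decode=True) or b""
        chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def claimed_brands(msg: Message, body: str) -> set:
    """Brands named in the display name, subject or body (case-insensitive)."""
    display_name, _ = parseaddr(msg.get("From", ""))
    haystack = " ".join([display_name, msg.get("Subject", ""), body]).lower()
    return {brand for brand in BRAND_DOMAINS if brand in haystack}


def callback_numbers(body: str) -> list:
    """Phone numbers in the body, normalised to 10 digits."""
    return ["".join(groups) for groups in PHONE_RE.findall(body)]


def analyze(raw_message: str) -> dict:
    """Return the sender domain, claimed brands, phone numbers and a verdict."""
    msg = message_from_string(raw_message)
    body = body_text(msg)
    domain = sender_domain(msg)
    brands = claimed_brands(msg, body)
    phones = callback_numbers(body)
    reasons = []
    for brand in sorted(brands):
        if not domain_belongs_to(domain, brand):
            reasons.append(f"claims {brand} but sent from {domain or '<none>'}")
    # A mismatched brand plus a number to call is the pattern described above.
    if reasons and phones:
        reasons.append("asks recipient to call: " + ", ".join(phones))
    return {
        "sender_domain": domain,
        "brands": sorted(brands),
        "phones": phones,
        "reasons": reasons,
        "suspicious": bool(reasons),
    }


# Constructed sample messages (not real captures). The first mimics the lure
# in this article: Amazon branding, a Gmail sender, and a number to call.
PHISH = """\
From: Amazon Order Confirmation <orders.noreply.amz@gmail.com>
To: victim@example.com
Subject: Your Amazon order has shipped
Content-Type: text/plain; charset=utf-8

Thank you for your Amazon order of $327.49.
If you did not place this order, call customer service at (843) 555-0123 to cancel.
"""

LEGIT = """\
From: "Amazon.com" <ship-confirm@amazon.com>
To: victim@example.com
Subject: Your Amazon.com order has shipped
Content-Type: text/plain; charset=utf-8

Your package is on its way. Track it under Returns & Orders in your account.
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, analyze(raw))
```

Note that the check deliberately keys on the From address rather than the display name, since the display name is exactly what the attacker controls; in the Amazon case the display name said Amazon while the address was a Gmail account. The phone-number extraction also gives the security team a list of callback numbers to block or to feed into the "phone number harvesting" follow-ups that Friedrich describes.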