Cross Site phishing for Amazon

Following the expected trend of scams after Cyber Monday, various big names in the retail industry are now being used as lures in phishing attacks.

One of the most interesting of these is a phishing campaign targeting customers of Amazon.

I am omitting the Amazon domain on purpose, so read on if you want to see why.

The subject of the email is “We have recently determined that various computers connect to your Amazon account”.

The text is written in a language that made us read it a couple of times; it is pretty clear that it was either translated by some automatic means or written by people with a poor knowledge of English.

The fraudsters are trying to exploit a security feature available on Facebook, Google and probably other websites, but not on Amazon's: the possibility to check the active and inactive sessions of the account, in other words, in how many browsers the user is currently logged on.

What is interesting is how the website behind this fraud is built.

When the user clicks on the link in the email, they are redirected to what appears to be the standard login page of Amazon.co.uk. Notice the red circle I made around the brand on the top left corner.

If the email address entered is too long, the user gets an error immediately.

Analyzing the source of the page shows this:

 

Of course such a comment can be faked, but a simple cross-check with the original site shows that the code is actually very similar.

If it is relatively short, then the following page is displayed:

Notice the red circle I made around the brand on the top left corner.

Analyzing the source of the page shows this:

 

The phishing started on Amazon.co.uk and ended on Amazon.com.

So, it appears that the fraudsters forgot where they started and which Amazon site they were phishing.

Or maybe they just wanted to make fun of their victims.
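As an added example (my own code, not the post's or Amazon's), here is the kind of check a defender can run over a captured kit to catch exactly this mix-up: it extracts the brand domains each stage references, in links and in HTML comments like the one discussed above, and reports when the login form posts somewhere other than the brand or when the brand domain changes between stages. The host name and the two HTML stages are constructed placeholders.

```python
# Added example, not from the post: flag brand/domain inconsistencies across the stages of a
# cloned login page. Constructed input: two stages served from the hypothetical host PHISH_HOST.
from html.parser import HTMLParser
from urllib.parse import urlsplit
PHISH_HOST = "secure-login.example"  # placeholder for the fraudulent host
STAGE1_HTML = """<!-- cloned from https://www.amazon.co.uk/ap/signin -->
<form action="/check.php" method="post">
<a href="https://www.amazon.co.uk/gp/help">Help</a></form>"""
STAGE2_HTML = """<!-- cloned from https://www.amazon.com/ap/signin -->
<form action="https://secure-login.example/save.php" method="post">
<a href="https://www.amazon.com/gp/help">Help</a></form>"""

class LinkCollector(HTMLParser):
    """Collect brand domains (e.g. 'amazon.co.uk') from href/src/action attributes and comment URLs."""
    def __init__(self, brand="amazon"):
        super().__init__()
        self.brand, self.domains, self.form_actions = brand, set(), []
    def add_url(self, url):
        labels = (urlsplit(url).hostname or "").lower().split(".")
        if self.brand in labels:  # keep everything from the brand label down to the TLD
            self.domains.add(".".join(labels[labels.index(self.brand):]))
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.add_url(value)
                if tag == "form" and name == "action":
                    self.form_actions.append(value)
    def handle_comment(self, data):  # e.g. "<!-- cloned from https://www.amazon.com/... -->"
        for token in data.split():
            if token.startswith(("http://", "https://")):
                self.add_url(token)
def brand_domains(html, brand="amazon"):
    """Return (brand domains referenced by the page, form action URLs)."""
    p = LinkCollector(brand)
    p.feed(html)
    return p.domains, p.form_actions

def consistency_findings(stages, serving_host=PHISH_HOST):
    """Report forms posting off-brand and a brand domain that changes between stages."""
    findings, seen = [], set()
    for n, html in enumerate(stages, 1):
        domains, actions = brand_domains(html)
        seen |= domains
        for action in actions:
            host = urlsplit(action).hostname or serving_host  # relative action -> serving host
            if not any(host == d or host.endswith("." + d) for d in domains):
                findings.append(f"stage {n}: login form posts to {host}, not to the brand")
    if len(seen) > 1:  # the kit described in the post mixed amazon.co.uk and amazon.com
        findings.append("brand domain changes between stages: " + ", ".join(sorted(seen)))
    return findings
```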

 

Sorin Mustaca

IT Security Expert