Phishing attacks are typically looking for one thing: email addresses. Once an account is compromised, the attacker has full access to the victim's contacts.
Frequent attacks against Yahoo! and a massive attack against AOL, along with ongoing attacks against individual consumers, have placed A LOT of email addresses in the wrong hands. Do you have a friend who still has an AOL or Yahoo! account? The bad guys probably have your email address too, even if you've been keeping up to date on your security practices.
While email addresses are often the target, sometimes there are larger stakes. Today we see an attack leveraging these ill-gotten email addresses and Amazon to steal credit card information and identities.
There are several telling clues in this original email, but it's not bad. The attacker has spoofed the display name to read Amazon.com. However, the email address domain is @card_server.com, which is a huge red flag. The grammar and punctuation are also a bit off, offering more clues.
Gmail quickly identified this message as "not cool" and removed all the links.
If we do follow the link URLs, we can see the full attack in action. The phishing links take us to a very familiar-looking login page. Below we have a screenshot of the real and fake Amazon login pages. Can you tell which one is which? There are several visual, although very subtle, clues that there's trouble afoot.
Next, this phishing attack gets downright nasty and goes straight for the victim's identity and wallet! Once we "sign in" to the phishing site, we're taken to the next level of the attack. The first screen was simply created to provide a false sense of security with a familiar site and the illusion we've authenticated into a secure area of our Amazon account.
The attacker now shows the victim a form to "update billing" information. They get vicious and request full contact information, address, date of birth, social security number and then ask for a specific credit card. If you've ever applied for a credit card, or any other financing, you know this attacker has all they need to open additional credit cards or debt in your name.
The attacker also takes steps to keep the illusion of security going all the way through the theft. Should the victim fill out the contact info form, they're shown this "success" page.
The "success" page even redirects you to the real Amazon.com as promised.
The online world can be a dangerous place. You can protect yourself with two-factor authentication. And remember, always be suspicious.
While sophisticated, this attack offered a lot of red flags throughout.
- The sender email address was from an unfamiliar domain, @card_server.com
- Amazon doesn't send emails like this
- We see incorrect punctuation and grammar throughout
- The real Amazon logon page features the Amazon.com URL and HTTPS encryption, while the fake one has an unrecognizable URL
- Date of birth and SSN are not part of payment information
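The first red flag in this list, a display name that claims Amazon.com on an address from an unrelated domain, can be checked mechanically. The Python sketch below is an added example, not part of the original post: it compares the brand claimed in the From display name with the actual sending domain. The brand allow-list, the function names and the local parts and subdomains in the sample headers are assumptions constructed for illustration.

```python
from email.utils import parseaddr

# Assumed allow-list: brand keyword -> domains that brand legitimately sends from.
# Illustrative only; a real filter would maintain this list per organisation.
BRAND_DOMAINS = {
    "amazon": {"amazon.com"},
}

def sender_domain(address):
    """Return the lower-cased domain of an address, or '' if there is none."""
    if "@" not in address:
        return ""
    return address.rpartition("@")[2].lower().rstrip(".")

def domain_matches(domain, allowed):
    """True if domain is an allowed domain or a true subdomain of one.

    The dot boundary matters: 'amazon.com.card_server.com' must not match.
    """
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def check_from_header(from_header):
    """Return findings when the display name claims a brand that the
    sending domain does not belong to."""
    display, address = parseaddr(from_header)
    domain = sender_domain(address)
    findings = []
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in display.lower() and not domain_matches(domain, allowed):
            findings.append(
                f"display name {display!r} claims {brand!r} "
                f"but sender domain is {domain!r}"
            )
    return findings

if __name__ == "__main__":
    # Constructed sample headers; only the domain card_server.com is from the post.
    samples = [
        '"Amazon.com" <billing@card_server.com>',             # the case in this post
        '"Amazon.com" <notice@amazon.com.card_server.com>',   # brand as a subdomain label
        '"Amazon.com" <auto-confirm@amazon.com>',             # display name and domain agree
        '"Alice" <alice@example.org>',                        # no brand claimed
    ]
    for header in samples:
        result = check_from_header(header)
        print(header, "->", result if result else "no mismatch")
```

A mismatch is a signal to look closer, not proof of phishing on its own, since brands also send through third-party mail services.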
All in all this is a pretty impressive attack. Keep your guard up!