February 28, 2020

Amazon Phishing Email Attack Botched By The Hackers

Amazon Prime phishing scam that went wrong for the hackers.

If you took part in any security training program, you have heard the phrase “don’t click the links in the phishing email”. But what if Sophos staff does it?

Sophos is a British security software group that publishes cybersecurity news, research and insights on its website, Naked Security. In one of their latest blog posts, the people who regularly offer their readers great security advice decided to go against the rules and deliberately click on the malicious link in an Amazon phishing email.

Be warned, this is quite dangerous. Don’t try this at work or at home, even if you know what to avoid; leave it to professionals.

Game Recognizes Game, Starts To Play

Since I have warned you not to try anything similar, we are ready to review the Sophos experiment now. I would like to add a couple of notes regarding the already provided information.

According to the blog post, it all started like any other phishing attempt - an email arrived and was read, making a strong first impression. It didn’t fall into spam, which is half the job for the scammers. The subject line of the phish had only two words: “Account Locked”. Short and to the point, it garnered enough attention and invoked a necessary emotion to trigger the first click. 

“This phish didn't come directly to Naked Security but to a once-widely-known email address for an old product of ours. Corporate email addresses aren't exactly secret - and once you've got onto one phisher's list you should assume you'll end up on all of them.” - shared Naked Security on Twitter.

If you are curious what subject lines are popular for Amazon phishing emails, here’s a list of examples: 

  • An issuing bank declined an attempt to charge a credit card
  • Amazon - Your Order Has Been Cancelled
  • Alert
  • Your Seller Account Funds: Action Required
  • Refund Notification
  • Account Suspended
  • Attention Required on your Amazon Seller Account
  • Review your Account!
  • Account Identity and Usage Confirmation

All these subject lines create urgency, pushing unaware users to make hasty and reckless decisions. 

When the phishing email supposedly comes from Amazon, unaware users don’t have any reason not to react. The effect is doubled when the recipient is given a reason to engage, or presented with a consequence if no action is taken.

In this reviewed phishing email example it was “you wouldn’t be able to buy or sell anything via Amazon’s services until we verify your account. If no action is taken in the next 24 hours, your account will be deactivated.”

After creating the problem, the target is given “an easy escape” in the form of a link that would resolve the issues in one click. It’s not realistic in the slightest, but malicious actors don’t necessarily care about that. Their goal is to create as little friction as possible for the user to take the action: push the button, interact with the link, or download a file.

The Illiterate Do Not Write Phishing Emails, They Draw Them

The next thing to check when reviewing a dubious email is the address the email came from.

In the Sophos phishing email example, the address didn’t look ridiculous enough to give the hacker away at a glance, starting with “account-update@amazon-com.*******”, with the second part being covered up from public view. Check the address field before doing anything else! It should be one of your first actions, but not the only one, as such addresses can be spoofed, meaning made to look almost exactly like the original ones.

While looking at the address is vital, another thing to look over is, of course, the actual body of the email. When you get an obviously fake email and decide to read it, you can spot a lot of mistakes, allegedly placed there on purpose. 

Why make such mistakes?

One theory states that hackers put those typos in to filter out “smart” users and lead them away from the trap. Text editors used for email crafting can catch the typos and suggest a correction, so it would be strange for online criminals to dismiss them if they wanted to get a believable text. Contrary to popular belief, phishing scammers are not awful at English; sometimes they even hire proofreaders to verify that their content is top-notch, sometimes even setting them up for a future “job”.

While the proofreading approach is more appropriate for spear-phishing emails, targeted at company employees rather than a mass Internet audience, it doesn’t rule out such a possibility. On the other hand, why would malicious users give anyone a hint that they are dealing with a scam?

Well, some of the more vigilant users may click on the fake “report this email” button and get infected with malware all the same. Do not “unsubscribe” or “report abuse” when getting a malicious email! Pressing the buttons is no different from pressing the links. Moreover, try not to open emails with questionable headlines when possible; do not give hackers anything to work with.

Look out for writing errors in emails, inconsistent capitalization, and redundant symbols. When inspecting the letter, note how the service addresses you.

Amazon will not write “dear Suspended user” or add a simple “hi” because it has your personal information. As Sophos mentioned, no service would deactivate your account so quickly, or deactivate it at all, as you’re their customer, and you make them money.

The Real Swerve Of This Phishing Scam Is Uncommon

When Sophos guys decided to interact with the link to inspect what was behind it, they took a major gamble. 

Phishing emails do not lead you to sign-in forms exclusively, and often contain malware that is auto-downloaded after a single link interaction. Expecting to see just another page is risky: phishing schemes vary from one author to another, and you can’t apply one phishing model to all emails. I think that “Naked Security” representatives did the safe link check before proceeding, but the screenshots provided there suggest that it was a direct interaction.

You can carefully hover over hyperlinks to know exactly where they will take you. If you’re viewing your emails on the phone, check the embedded link by pressing and holding it down with your finger or stylus. If you don’t see any correlation with the intended source, or the link starts with http and not https, you have to be extra cautious.
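The two checks described above, the sender address and the real target behind each link, as an added example (not code from Sophos or from the original post). It parses a constructed message in which every .example domain is a placeholder, and on_brand, LinkCollector and triage are hypothetical names. A clean result is not proof of legitimacy, since the From header can be spoofed.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit
BRAND_DOMAIN = "amazon.com"  # domain the message claims to come from
# Constructed sample; every .example name is a placeholder, not from the Sophos post.
SAMPLE = """\
From: Amazon <account-update@amazon-com.example>
Subject: Account Locked
Content-Type: text/html; charset="utf-8"

<a href="http://hacked-blog.example/wp-content/">https://www.amazon.com/verify</a>
<a href="https://www.amazon.com/help">Help</a>
"""

def on_brand(host):
    # True only for the brand domain itself or a genuine subdomain of it.
    host = (host or "").lower().rstrip(".")
    return host == BRAND_DOMAIN or host.endswith("." + BRAND_DOMAIN)

class LinkCollector(HTMLParser):  # records (href, visible text) for every <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def triage(raw):
    # Returns findings for the sender address and for each link's real target.
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    findings = [] if on_brand(sender) else [f"sender domain {sender} is not {BRAND_DOMAIN}"]
    parser = LinkCollector()
    parser.feed(msg.get_payload())
    for href, text in parser.links:
        url = urlsplit(href)
        if url.scheme != "https":
            findings.append(f"not https: {href}")
        if not on_brand(url.hostname):
            findings.append(f"link shown as '{text}' goes to {url.hostname}")
    return findings
```

The suffix match in on_brand is deliberate: a hyphenated lookalike and a host that merely begins with the brand name are both rejected, while the visible link text is ignored in favour of the href.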

Now that I have warned you not to follow the links, let’s follow the Sophos story. They discovered a legitimate WordPress website that had been compromised by the criminals; it was placed in this position to hide the trail and help make the email seem non-malicious to potential link scanners. Then there was a redirection to a second hacked site, belonging to a company from the Middle East that, once again, had nothing in common with Amazon. Just sun-shades and canopies, no phishing crooks.

On the third redirection “the victims” got access to… the hacker’s remote access panel. Whether placed there on purpose, or by mistake, the discovered page was full of cheesy and mocking images associated with the hacking community - a skull, a “haxor” wording, and an over-the-top presentation of the panel. 

As we found out, it allowed the crooks to sidestep the WordPress administration console entirely. Malicious actors could add and modify WordPress files and hide phishing pages, and the system wouldn’t log the activity or prevent anything malicious from happening. This discovery is extremely fortunate, and it is quite bizarre, all things considered.

The Segue To The Pressing Issue Of WordPress

From that point, Naked Security elaborated on the issues associated with WordPress.

WordPress powers 35% of all websites on the Internet, and that makes it a popular target for hackers, who repeatedly find and exploit vulnerabilities in the core code, themes, and plugins. Lately, there has been news about a zero-day in a WordPress plugin that allowed hackers to create rogue administrator accounts.

Using these vulnerabilities, hackers can either corrupt or wipe the website, or take it over entirely, as in the examples above. If you’re the owner of a WordPress-powered website, make sure to do backups and update it regularly. Limiting login attempts and enabling 2FA make perfect sense, as does installing a web application firewall.

While the odds of someone bumping into a backdoor by following a link in a phishing email are extremely slim, Naked Security showcased two problems that have one thing in common.

Internet casualties think their business or data hold no value to the criminals, and so there’s no need to protect it. This story showcases that malicious users don’t always need your data, but rather hunt for your access. The same thing could be said about email.

To find out the real value of email, and get more reasons to start taking cyber hygiene seriously, you can take a look at the book called “The Art of Email Security”. You can hover over it too, to check that it indeed leads you to Amazon. While centered around email, this book brings you enough material to be a proficient Internet user as a whole. You can learn much more about phishing emails from Amazon there, and there’s a lot more to know about that — real-life stories, more phishing email examples, different methods of leveraging phishing emails, and a way to get compromised without clicking on anything. Yes, that’s possible too.
