There is an Amazon phishing scam currently making the rounds, so keep an eye on your inbox, assuming your spam traps haven’t picked up on this one yet. Like the majority of phishing campaigns, this one begins with an email. The samples we retrieved all originated from a Linode server (24.236.39.51).


From: Amazon <notify@ukamazonverify[DOT]co[DOT]uk>
To: {recipient's email address}
Subject: You have [1] new message
Message body:
IMPORTANT NOTICE

As you may be aware on August 3rd, some of our customers accounts were compromised, resulting from data theft of
2,592 account records. This breach represents a small fraction of Amazon's total customer database, the overwhelming
majority of which are held in a secure data centre.

Although the issue is now fully resolved we ask all our customer to complete our account verification process. This will only take a few minutes and will ensure the safeguarding of your account information. Please click the link below to get started.

GET STARTED

Please Note: Failure to comply with our account verification process may lead to restrictions being placed on your account.

Best regards,
Amazon Customer Support

In case you’re not up to speed with the news, let us be the first to say that Amazon wasn’t compromised or breached last month.

The “Get Started” text is, of course, a link leading to the phishing page (screenshot below), which is at ukamazonverify[DOT]com:

The text boxes must be filled in for the site to check; otherwise the user won’t be able to proceed.

After the text boxes have been filled out, the user is taken to another page asking for more details, including personally identifiable information (PII), payment card details, and account security details (screenshot below).

Phishing Page: Verify

After the user clicks the Validate button, the page changes to tell them to wait while the site processes their details, complete with a “spinny” indicator to suggest that some semblance of data processing is indeed taking place in the background.

Spinnies

What users don’t realize is that they’re actually taking their cue from a GIF file, and not an actual indicator, as they wait for what happens next. In the end, they are directed to the real Amazon UK site.

ukamazonverify[DOT]com was created two days ago, along with other domains registered under a specific email address from 126[DOT]com, a popular email provider in China.

Some browsers have already flagged the domain as a potential threat, which is great. Dear Reader, when you see an email like the one above in your inbox, simply delete it, and don’t think too much about it.
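
For mail filtering, the two giveaways in this sample (a display name of "Amazon" on a non-Amazon sender domain, and a link host that merely contains the string "amazon") can be checked mechanically. The sketch below is an added example, not code from the original post; the `BRAND_DOMAINS` allow-list, the recipient address and the link's scheme and path are assumptions, and the sample message is constructed from the headers quoted above.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: domains the impersonated brand really uses (not from the post).
BRAND_DOMAINS = {"amazon": {"amazon.co.uk", "amazon.com"}}

# Constructed sample: headers as quoted in the post; the href scheme/path is assumed.
SAMPLE = """\
From: Amazon <notify@ukamazonverify[DOT]co[DOT]uk>
To: user@example.org
Subject: You have [1] new message
Content-Type: text/html

<a href="http://ukamazonverify[DOT]com/">GET STARTED</a>
"""

def refang(text):
    """Undo the '[DOT]' defanging used in write-ups so hosts parse normally."""
    return text.replace("[DOT]", ".")

def on_brand_domain(host, allowed):
    """True only for an allowed domain itself or a subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)

def check_message(raw):
    """Return findings for one single-part message (no MIME multipart handling)."""
    msg = message_from_string(refang(raw))
    display, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2]
    links = re.findall(r"https?://[^\s\"'<>]+", msg.get_payload())
    findings = []
    for brand, allowed in BRAND_DOMAINS.items():
        # Display name says the brand, but the address is on someone else's domain.
        if brand in display.lower() and not on_brand_domain(sender_host, allowed):
            findings.append(f"From: shows '{display}' but sends from {sender_host}")
        # Link host merely contains the brand string instead of sitting under it.
        for host in {urlparse(u).hostname or "" for u in links}:
            if brand in host and not on_brand_domain(host, allowed):
                findings.append(f"link host {host} contains '{brand}' but is not on a {brand} domain")
    return findings

if __name__ == "__main__":
    for finding in check_message(SAMPLE):
        print("SUSPICIOUS:", finding)
```

A substring match on the brand name only catches lookalikes that spell the brand out in full, as this campaign does; misspelled or homoglyph domains need a separate check.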

Jovi Umawing (Thanks to Steven)