Security Awareness Blog

How Can I Tell This is an Attack? - Amazon Support Phish

[Screenshot: the Amazon support phishing email, captured 2017-11-28]

Quite a few folks have been asking how they can tell this Amazon email is a phish. Below are the indicators. I like this example because it demonstrates how the bad guys are constantly evolving and adapting their attacks. Notice in this email that there is no malicious link or infected attachment to click on, making it much more difficult for perimeter defenses to detect and stop it. Notice that all the domains used in the attack are legitimate and owned by Amazon, including any links you hover over. Notice that all the wording is professional and even very security focused. Finally, the email was sent out during the online shopping holidays, making it far more likely victims would fall for it.

The phish works by getting the victim on the phone. The attackers claim they are from Amazon customer support, leveraging a very trusted and well-known brand. Similar to tech support scams, the attackers fool you into believing there are security issues with your computer and charge you $150-500 for their security services. As is typical in these types of phone scams, the attackers become very belligerent or angry if you don't pay. This is why phone scams are so powerful: it is much easier for bad guys to convey emotion and create urgency over the phone than by email. So, how can you tell this is a phish?

  • The sender domain is @amazonsupport.com. While this is a legitimate domain that Amazon owns, they would never use it for automated emails. Amazon only sends email from @amazon.* (.com, .co.uk, etc.).
  • Automated emails are not sent from actual individuals, in this case "Olivia". Automated emails are sent using aliases.
  • Sense of urgency. This is the most common indicator we consistently see across most phishing emails. The greater the sense of urgency, the more likely it is an attack.
  • Amazon would not reach out to you nor resolve security situations like this via phone. Instead, Amazon almost always communicates and resolves these types of issues when you attempt to log in to the site.
  • Finally, if you did call the 1-800 number, Amazon support would never ask you to install anything, which is exactly what these bad guys tried.
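The indicators above can be turned into a triage script that a help desk or mail-filtering team could run over a reported message. The following is an added example, not code from the original post or from Amazon: the email below is constructed for the example, the list of approved sending domains is an assumption, and the urgency phrases and scoring thresholds are illustrative choices. It flags the four machine-checkable indicators from the list: sender domain that carries the brand name but is not an approved sending domain, a first-name-only sender, urgency language, and a phone-number call to action with no link at all.

```python
"""Heuristic phish triage modelled on the indicators in the post above.
Added example code (editor's), not the blog's or Amazon's. The messages
and the approved-domain list are constructed for illustration."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption for the example: domains a brand sends automated mail from.
APPROVED_SENDING_DOMAINS = {"amazon": ("amazon.com", "amazon.co.uk", "amazon.de")}

# Illustrative urgency phrases; a real deployment would tune this list.
URGENCY_PHRASES = ("immediately", "within 24 hours", "suspended",
                   "urgent", "as soon as possible", "unauthorized")

# North American toll-free number, e.g. 1-800-555-0199 (555-01xx is a reserved test range).
PHONE_RE = re.compile(r"\b1[-.\s]?8(?:00|88|77|66)[-.\s]?\d{3}[-.\s]?\d{4}\b")
URL_RE = re.compile(r"https?://\S+", re.I)
FIRST_NAME_ONLY_RE = re.compile(r"^[A-Z][a-z]+$")

# Constructed sample resembling the support-scam email described in the post.
SAMPLE_EMAIL = """\
From: Olivia <olivia@amazonsupport.com>
To: customer@example.org
Subject: Action required: unusual activity on your Amazon account

Dear Customer,

We detected unauthorized access to your account. To protect your
security, please call our support team immediately at 1-800-555-0199
within 24 hours, or your account will be suspended.

Regards,
Olivia
Amazon Customer Support
"""

# Constructed control message: approved domain, alias sender, link, no phone number.
LEGIT_EMAIL = """\
From: Amazon.com <account-update@amazon.com>
To: customer@example.org
Subject: Your order has shipped

Hello,

Your order has shipped. You can track it after signing in at
https://www.amazon.com/
"""


def analyse(raw: str, brand: str = "amazon") -> dict:
    """Score one plain-text (non-multipart) email against the post's indicators."""
    msg = message_from_string(raw)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2].lower()
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()

    # Indicator 1: brand name in the sender domain, but not an approved sending domain.
    approved = APPROVED_SENDING_DOMAINS[brand]
    domain_mismatch = brand in sender_domain and sender_domain not in approved

    # Indicator 2: a bare first name as the sender instead of an alias like "Amazon.com".
    named_individual = bool(FIRST_NAME_ONLY_RE.match(display_name))

    # Indicator 3: urgency language (distinct phrases seen).
    urgency_hits = sum(1 for phrase in URGENCY_PHRASES if phrase in text)

    # Indicator 4: the only call to action is a phone number; no link to hover over.
    phone_only_cta = bool(PHONE_RE.search(text)) and not URL_RE.search(text)

    score = int(domain_mismatch) + int(named_individual) + int(urgency_hits >= 2) + int(phone_only_cta)
    verdict = "likely phish" if score >= 3 else ("suspicious" if score else "no strong indicators")
    return {
        "sender_domain": sender_domain,
        "sender_domain_mismatch": domain_mismatch,
        "named_individual_sender": named_individual,
        "urgency_hits": urgency_hits,
        "phone_only_call_to_action": phone_only_cta,
        "score": score,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, raw in (("sample scam", SAMPLE_EMAIL), ("control", LEGIT_EMAIL)):
        print(label, analyse(raw))
```

The brand-in-domain check deliberately treats amazonsupport.com as suspicious even though the post notes Amazon owns it: the point of the first bullet is that the domain is not one Amazon sends automated mail from, so the allow-list, not ownership, is the test. The phone-only check captures the feature the post stresses most, that there is nothing for a link scanner to inspect.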

Bad guys are constantly adapting and changing, which is what makes this threat so challenging. This is also why technology alone cannot solve security; we need to involve the human as well. And this is one advantage people have: once trained, your staff, just like the bad guys, are very adaptable. To learn more about building a secure workforce, attend our two-day course on building mature awareness programs or one of our upcoming Security Awareness Summits.

2 Comments

Posted December 1, 2017 at 12:49 PM

Brandon

Second bullet point: sent from individuals. It is becoming more common that companies send from a named individual as their persona, to help make things more acceptable, even if it is just for a support or other notification. "Olivia" might be a support account for some org. This does make it harder to detect phishing, however.

Posted December 8, 2017 at 12:37 PM

Dallas H

The good news is Amazon uses SPF on the amazonsupport.com domain. The bad news is no DMARC, which is surprising. At least then they get reports when it is abused. Time to up the game!
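The comment above contrasts a domain that publishes SPF with one that also publishes DMARC. As an added example (not part of the original post or comment), the script below interprets constructed SPF and DMARC TXT records for two hypothetical domains, brand-support.example and brand.example, to show the practical difference: SPF alone lets receivers check sending hosts, while DMARC adds a policy for spoofed From: headers and the aggregate-report address (rua) that tells the owner when the domain is being abused. The DNS answers are embedded constants, not live lookups, and the domain names are placeholders.

```python
"""Interpret SPF and DMARC TXT records for a sending domain.
Added example (editor's), not from the blog or its commenters; the DNS
answers below are constructed and the domain names are placeholders."""
from typing import Optional

# Constructed TXT answers keyed by the name a resolver would query (assumption).
CONSTRUCTED_DNS = {
    # SPF only: spoofed From: headers are not policed and nobody is told about abuse.
    "brand-support.example": ["v=spf1 include:_spf.mailer.example -all"],
    "_dmarc.brand-support.example": [],
    # SPF plus an enforcing DMARC policy with aggregate reporting enabled.
    "brand.example": ["v=spf1 include:_spf.mailer.example ~all"],
    "_dmarc.brand.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@brand.example; pct=100"],
}

ALL_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def txt_records(name: str) -> list:
    """Stand-in for a DNS TXT query; reads the constructed table above."""
    return CONSTRUCTED_DNS.get(name.lower(), [])


def parse_spf(records: list) -> dict:
    """Return whether an SPF record exists and how it treats unlisted hosts."""
    for rec in records:
        if rec.lower().startswith("v=spf1"):
            result = "neutral"  # SPF default when no 'all' mechanism is present
            for token in rec.split()[1:]:
                if token.lstrip("+-~?").lower() == "all":
                    qualifier = token[0] if token[0] in ALL_QUALIFIERS else "+"
                    result = ALL_QUALIFIERS[qualifier]
            return {"present": True, "unlisted_hosts": result}
    return {"present": False, "unlisted_hosts": None}


def parse_dmarc(records: list) -> Optional[dict]:
    """Return the DMARC tag/value pairs, or None if no DMARC record is published."""
    for rec in records:
        if rec.replace(" ", "").lower().startswith("v=dmarc1"):
            tags = {}
            for part in rec.split(";"):
                if "=" in part:
                    key, _, value = part.partition("=")
                    tags[key.strip().lower()] = value.strip()
            return tags
    return None


def assess(domain: str) -> dict:
    """Summarise what the published records do and do not give the domain owner."""
    spf = parse_spf(txt_records(domain))
    dmarc = parse_dmarc(txt_records("_dmarc." + domain))
    policy = (dmarc or {}).get("p", "").lower()
    enforced = policy in ("quarantine", "reject")
    reports_on_abuse = bool(dmarc and dmarc.get("rua"))

    if not spf["present"]:
        posture = "no SPF: receivers cannot check which hosts may send for this domain"
    elif dmarc is None:
        posture = "SPF only: spoofed From: headers are not policed and no abuse reports are sent"
    elif not enforced:
        posture = "DMARC monitoring only (p=none): reports arrive but spoofed mail is still delivered"
    else:
        posture = f"DMARC enforced (p={policy}): spoofed mail is {policy}ed and abuse is reported"

    return {"domain": domain, "spf": spf, "dmarc_policy": policy or None,
            "enforced": enforced, "reports_on_abuse": reports_on_abuse, "posture": posture}


if __name__ == "__main__":
    for d in ("brand-support.example", "brand.example"):
        print(assess(d)["posture"])
```

Swapping `txt_records` for a real resolver call is the only change needed to run this against live domains; the parsing and the posture logic stay the same.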
