With Amazon Prime Day (two days) starting today, Avanan
researchers have warned security teams that hackers are taking advantage of
Amazon's popularity to send phishing and credential harvesting emails.
Since June 2022, Avanan researchers have seen an uptick in spoofed Amazon
attacks in which hackers try to steal credentials by passing their emails off
as genuine mail from the Amazon brand. In their latest blog post, Avanan
analyzes how hackers are spoofing Amazon to steal credentials.
https://www.avanan.com/blog/with-prime-day-around-the-corner-be-on-the-lookout-for-these-amazon-scams
Here's what security experts have to say about this:
##
Patrick Harr, CEO at SlashNext, a Pleasanton, Calif.-based anti-phishing company:
"Shoppers anxiously await the amazing offers and discounts
revealed during the two-day Amazon Prime Day sale, and bad actors are
lying in wait to take advantage of the excitement. Right now, SlashNext has
tens of thousands of live malicious Amazon phishing URLs in our database, which
has increased over the last 72 hours. Most are scams designed to take advantage
of Amazon Prime Day shoppers looking for deals. There are also more dangerous
phishing attacks, including credential stealing and rogue software, which can
lead to ransomware and account takeovers."
++
Darren Guccione, CEO and
Co-Founder at Keeper Security, a Chicago-based provider of zero-trust and
zero-knowledge cybersecurity software:
"All Amazon users should be mindful of spoofed or unauthentic
emails. Cybercriminals utilize this common attack vector because
people often focus on the branding and aesthetics of the email to mistakenly
click a malicious link. Outside of an order summary or a notification of a
remote account login (or login from a new device), Amazon rarely sends
advertising emails. Thus, we do not recommend clicking on any links from emails
purportedly sent by Amazon which in actuality, may originate from a malicious
attacker and thus may not be authentic. These links could contain malware or
route a person to a nefarious website to enter their account credentials.
Always check the URL that the site navigates you to.
If an Amazon account holder wants to transact with Amazon,
it is best to go directly to their website and better yet, use a password
manager. For example, Keeper routes and authenticates users to and with
authentic sites and; notifies a user when a URL they navigate to doesn't match
their data stored in Keeper."
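The check Guccione describes, a password manager comparing the site a user has landed on with the site a credential was saved for, can be illustrated in code. The following is an added example written for this article, not Keeper's code or any real vault format: the vault entries, the short public-suffix list and the test URLs are all constructed here, and a production implementation would use the full Public Suffix List rather than the handful of suffixes assumed below.

```python
"""Compare a navigated URL with a password vault's stored site entries.

Added example (not Keeper's code). Flags three things a user would want to
know before typing credentials: the registrable domain matches a saved entry,
the host merely contains a saved brand name (a lookalike), or the URL carries
a userinfo component that can make the visible address misleading.
"""
from urllib.parse import urlsplit

# Constructed vault: entry label -> registrable domain the credential belongs to.
VAULT = {
    "Amazon": "amazon.com",
    "Bank": "examplebank.com",
}

# Assumed, deliberately tiny public-suffix list; real code uses the full PSL.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def registrable_domain(host: str) -> str:
    """Return the registrable domain (eTLD+1) of a hostname.

    'www.amazon.com' -> 'amazon.com', 'login.amazon.co.uk' -> 'amazon.co.uk'.
    """
    labels = host.lower().rstrip(".").split(".")
    # Try the longer suffix first so 'co.uk' wins over 'uk'.
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return host.lower()


def check_url(url: str, vault: dict = VAULT) -> dict:
    """Classify a URL relative to the vault.

    Returns a dict with:
      match     - vault entry whose domain equals the URL's registrable domain
      lookalike - vault entry whose brand name appears in a non-matching host
      https     - whether the scheme is https
      userinfo  - whether the URL contains user@ before the host
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    domain = registrable_domain(host)
    match = next((name for name, d in vault.items() if d == domain), None)
    lookalike = None
    if match is None:
        # The brand string is present but the registrable domain differs,
        # e.g. a constructed spoof such as amazon.com.deals-login.net.
        for name, d in vault.items():
            if d.split(".")[0] in host:
                lookalike = name
                break
    return {
        "match": match,
        "lookalike": lookalike,
        "https": parts.scheme == "https",
        "userinfo": parts.username is not None,
    }


if __name__ == "__main__":
    for u in ("https://www.amazon.com/gp/css/order-history",
              "http://amazon.com.deals-login.net/signin",
              "https://amazon.com@evil.example.net/"):
        print(u, check_url(u))
```

A vault that autofills only when `match` is set, and warns when `lookalike` or `userinfo` is set, gives the user exactly the "URL doesn't match" notification the quote refers to, without relying on the user to read the address bar under pressure.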
++
Hank Schless, Senior Manager, Security Solutions at Lookout, a San Francisco, Calif.-based security service edge (SSE) provider:
"Attackers will leverage any current event to target
consumers with phishing campaigns. We frequently see this around the
traditional holiday season with fake Black Friday and Cyber Monday deals and
package delivery notifications. These are typically phishing campaigns
that target consumers in order to steal personal login credentials. The
attacker can then attempt to use the credentials across tens of thousands of
online banking sites, healthcare platforms, and other places with valuable or
sensitive data. This is a process known as credential stuffing.
As a best practice, you should never click on a shortened
link (e.g. Bitly or TinyURL links) that is paired with an offer or
advertisement. If you receive one of these links from a contact in your
phone, call that person to validate that it was really them. This incident
also shows how important it is to protect yourself from phishing attacks on
your mobile device as attackers increase the volume and believability of their
malicious campaigns."
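Schless describes credential stuffing from the attacker's side: harvested logins replayed against many unrelated sites. From the defender's side the same activity has a recognizable shape in authentication logs, namely one source trying many distinct usernames in a short window with a high failure rate, whereas a legitimate user who mistypes a password fails repeatedly on a single account. The following is an added example, not Lookout's code or any vendor's detection rule: the log format, the sample lines and the thresholds are all constructed for illustration.

```python
"""Flag credential-stuffing patterns in constructed authentication logs.

Added example (not Lookout's code). Rule: within a sliding time window, a
single source IP attempting at least MIN_DISTINCT_USERS different accounts
with a failure ratio of at least MIN_FAIL_RATIO is flagged. Thresholds and
the log format are assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one event per line: "<iso-time> <source-ip> <user> <result>"
SAMPLE_LOG = """\
2022-07-12T10:00:01 203.0.113.7 alice FAIL
2022-07-12T10:00:02 203.0.113.7 bob FAIL
2022-07-12T10:00:03 203.0.113.7 carol FAIL
2022-07-12T10:00:04 203.0.113.7 dave FAIL
2022-07-12T10:00:05 203.0.113.7 erin FAIL
2022-07-12T10:00:06 203.0.113.7 frank FAIL
2022-07-12T10:00:07 203.0.113.7 grace SUCCESS
2022-07-12T10:05:00 198.51.100.5 alice FAIL
2022-07-12T10:05:10 198.51.100.5 alice FAIL
2022-07-12T10:05:20 198.51.100.5 alice FAIL
2022-07-12T10:05:30 198.51.100.5 alice SUCCESS
"""

WINDOW = timedelta(seconds=60)   # assumed detection window
MIN_DISTINCT_USERS = 5           # assumed threshold
MIN_FAIL_RATIO = 0.8             # assumed threshold


def parse_log(text: str) -> list:
    """Parse the constructed log format into (time, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def find_stuffing(events, window=WINDOW, min_users=MIN_DISTINCT_USERS,
                  min_fail_ratio=MIN_FAIL_RATIO) -> dict:
    """Return {ip: stats} for every source whose activity matches the rule.

    Stats reflect the last qualifying window seen for that source.
    """
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e[2] for e in span}
            fails = sum(1 for e in span if e[3] == "FAIL")
            if len(users) >= min_users and fails / len(span) >= min_fail_ratio:
                alerts[ip] = {"distinct_users": len(users),
                              "attempts": len(span), "failures": fails}
    return alerts


if __name__ == "__main__":
    for ip, stats in find_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"credential stuffing suspected from {ip}: {stats}")
```

Note that the single SUCCESS for `grace` from the flagged source does not clear the alert; a successful login inside a run of failures across many accounts is the event that most needs follow-up, since it marks a reused password that worked. The second source, a user retrying their own account, stays below the distinct-user threshold and is not flagged.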
++
Ryan McCurdy, Vice President of Marketing at Bolster, Inc., a Los Altos, Calif.-based provider of automated digital risk protection:
"Three-quarters of companies worldwide have experienced some
form of phishing attack as it's one of the easiest tactics that hackers use to
steal data from employees, customers, and partners. The main reason that
phishing scams are so convincing is that they often mimic the look of a brand
or a credible person down to a very fine detail. To make matters worse, they
prey on human action bias, with a call to action stating that attention must be
taken right now.
As employees adapt to unfamiliar work environments away from
the office, their primary focus is not necessarily on security and robust
methods of authentication. Unfortunately, too many organizations still depend
solely on passwords to gain access to devices, applications, and networks. Yet,
passwords come with a range of inherent weaknesses - they can be easy to guess,
they get reused and, of course, they can be phished. Credential stuffing
attacks depend on the ill-advised practice of password reuse."
##