We see a lot of Amazon phishing attempts. This one is quite different from the usual ones we see. Although there are a lot of Amazon sellers, the chances of a mass malspam like this one actually being received by a seller are quite small compared with the more usual “payment review” or “your account was signed into from an unknown computer” scams.

“You sold an item”, pretending to come from Amazon <[email protected]>, is one of the latest phishing attempts to steal your Amazon account and your bank details.

This one only wants your Amazon login details and bank details. Many similar phishes are also designed to steal your email and other login details as well.

Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware.

The original email looks like this. It will NEVER be a genuine email from Amazon or any other company, so don’t ever click the link in the email. If you do, it will lead you to a website that at first glance looks like the genuine Amazon website, but you can clearly see in the address bar that it is fake. Some versions of this phish will instead ask you to fill in the HTML (webpage) form that comes attached to the email.

From: Amazon <[email protected]>

Date: Tue 29/08/2017 07:55

Subject: You sold an item.

Body Content:

You sell an item.

Buyer id [email protected] is ready to do the payment.

View item and details about payment with this link.

https://sellercentral.amazon.de/ap/payment?ie=UTF8&arb=5b45ac4e-9632-4b45-bacd-e62fe443648e

Automatic notification. Amazon Seller

If clicking the link doesn’t seem to work, move this e-mail in Inbox.

Amazon.com will never e-mail you and ask you to disclose or verify your Amazon.com password, credit card, or banking account number. If you receive a suspicious e-mail with a link to update your account information, do not click on the link–instead, report the e-mail to Amazon.com for investigation. Thanks for visiting Amazon.com!

The link in the email goes to https://www.google.co.uk/url?sa=t&rct=j&q=&esrc=s&source=web&cd=8&cad=rja&uact=8&ved=0ahUKEwiO9aOs-vvVAhXBZFAKHY3XCYgQFghJMAc&url=http%3A%2F%2Fwww.almatulum.com%2Fcontact-2%2F&usg=AFQjCNFdrv7025EsAfzW8QKj40lSrovIbA which redirects to https://directele.net/user_guide/documentation/amazon.co.uk/Amazon-Sign-In.htm?adenlankenadransakbnizwetmilrtuniietnnudbenwdiaateaaleeaallilaadmusmdzmnlelubbaalamzsnaittsndakaweiuidaawnamdlerendeuedimnailtrdtaknzeaanmleni4493782410

I really wish Google did not allow open redirects on their services. Hundreds of researchers feel this is a security risk, but Google blindly ignore everybody and say it is by design and not a security risk at all. Many unwary recipients will see the Google link, not look any further, and think, “It is Google, so it is safe”.
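The redirect chain above (displayed sellercentral.amazon.de link, real href to the google.co.uk/url redirector, final landing page on directele.net with “amazon.co.uk” buried in the path) is exactly what a mail filter or an analyst script can check for. The following Python is an added illustration for this post, not code from the original page: it takes the links quoted above as sample input, unwraps the Google redirector by reading its `url` query parameter, and compares the displayed host, the real href host and the final landing host against a list of Amazon domains. The brand-domain list and the rule for recognising the Google redirector are assumptions chosen for the example.

```python
"""Triage helpers for links found in a suspected phishing e-mail.

Added example for this post; not the page's own code. The three URLs
below are the ones quoted in the post. BRAND_DOMAINS and the redirector
test in unwrap_google_redirect() are assumptions for illustration.
"""
from urllib.parse import urlsplit, parse_qs, unquote

# Assumed list of legitimate Amazon domains the e-mail pretends to come from.
BRAND_DOMAINS = ("amazon.com", "amazon.co.uk", "amazon.de")

# Link text shown in the message body (quoted in the post).
DISPLAYED_LINK = ("https://sellercentral.amazon.de/ap/payment"
                  "?ie=UTF8&arb=5b45ac4e-9632-4b45-bacd-e62fe443648e")
# The real href behind that text: a Google open-redirector link (quoted in the post).
ACTUAL_HREF = ("https://www.google.co.uk/url?sa=t&rct=j&q=&esrc=s&source=web&cd=8&cad=rja&uact=8"
               "&ved=0ahUKEwiO9aOs-vvVAhXBZFAKHY3XCYgQFghJMAc"
               "&url=http%3A%2F%2Fwww.almatulum.com%2Fcontact-2%2F"
               "&usg=AFQjCNFdrv7025EsAfzW8QKj40lSrovIbA")
# Where the chain finally lands (quoted in the post).
LANDING_PAGE = ("https://directele.net/user_guide/documentation/amazon.co.uk/Amazon-Sign-In.htm"
                "?adenlankenadransakbnizwetmilrtuniietnnudbenwdiaateaaleeaallilaadmusmdzmnlelubbaalamz"
                "snaittsndakaweiuidaawnamdlerendeuedimnailtrdtaknzeaanmleni4493782410")


def unwrap_google_redirect(url):
    """Return the target embedded in a Google /url redirector link, or url unchanged."""
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    if (host == "google.com" or host.startswith("www.google.")) and p.path == "/url":
        target = parse_qs(p.query).get("url")   # parse_qs also percent-decodes the value
        if target:
            return target[0]
    return url


def is_brand_host(host, brand_domains=BRAND_DOMAINS):
    """True only when host IS a brand domain or a subdomain of one.

    Merely containing the brand name (e.g. amazon.co.uk.example.net) does not count.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in brand_domains)


def triage_link(displayed, href, observed_chain=(), brand_domains=BRAND_DOMAINS):
    """Collect phishing indicators for one link.

    displayed: the URL text the recipient sees; href: the real link target;
    observed_chain: further URLs the href was seen to redirect through
    (for example from a sandbox), in order; the last one is the landing page.
    """
    findings = []
    disp_host = (urlsplit(displayed).hostname or "").lower()
    href_host = (urlsplit(href).hostname or "").lower()
    if disp_host and disp_host != href_host:
        findings.append(f"displayed host {disp_host} differs from actual href host {href_host}")

    unwrapped = unwrap_google_redirect(href)
    if unwrapped != href:
        findings.append(f"{href_host} is an open redirector forwarding to "
                        f"{urlsplit(unwrapped).hostname}")

    final = list(observed_chain)[-1] if observed_chain else unwrapped
    fp = urlsplit(final)
    final_host = (fp.hostname or "").lower()
    if not is_brand_host(final_host, brand_domains):
        findings.append(f"final page is hosted on {final_host}, not a brand domain")
        # Classic lookalike trick: the brand domain appears as decoration in the
        # path or as a subdomain of an unrelated host.
        path = unquote(fp.path).lower()
        for d in brand_domains:
            if d in path or d in final_host:
                findings.append(f"brand domain {d!r} used as decoration in the URL of {final_host}")
    return findings


if __name__ == "__main__":
    chain = ["http://www.almatulum.com/contact-2/", LANDING_PAGE]
    for line in triage_link(DISPLAYED_LINK, ACTUAL_HREF, chain):
        print("-", line)
```

Run against the quoted links, the script reports the display/href mismatch, the Google open redirect, the non-Amazon landing host and the “amazon.co.uk” decoration in the path; a link whose displayed text, href and landing page all sit on a real Amazon domain produces no findings. Each indicator on its own is weak (many legitimate newsletters use tracking redirectors), so in a real filter they are scored together rather than blocked individually.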

If you follow the link you see a webpage looking like:

When you fill in your user name and password you get a page looking like this, asking for your bank sort code and bank account number. I am not quite sure what they can do with this on its own without passwords or bank login details. However, knowing that quite a high proportion of users do re-use login details and passwords on multiple sites, it is not beyond the realms of possibility that your Amazon account, email login and bank login all share a password.

You then get redirected to the genuine Amazon site for your country.

All of these emails use social engineering tricks to persuade you to open the attachments that come with the email or to click the link. It may be a message saying “look at this picture of me I took last night” that appears to come from a friend; it may be more targeted at somebody who is likely to regularly receive PDF attachments, Word .doc attachments or any other common file type used every day; or it may be a straightforward attempt, like this one, to steal your personal, bank, credit card, email and social networking login details.

Be very careful when unzipping attachments: make sure you have “show known file extensions” enabled, and then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened.