Fake Amazon orders trick victims into falling prey to a Phishing Campaign

November 30, 2021

Threat actors have recently been found running a multistage phishing campaign that imitates Amazon's order notification page. The campaign includes a fake customer service phone number, which the attackers use to request the target's credit card details, supposedly to correct a wrong order.

Security researchers have noted that phishing attacks have become more sophisticated as they combine email and voice to lure victims. Attackers have also been leveraging big brands like Amazon to conduct fraud.

The victim initially receives an email that shows an Amazon order worth over $300. Since the victim did not place any order, they are likely to click the link in the email, which redirects them to the real Amazon website. If the victim tries to call the service number, no one picks up.

However, the threat actors, who seem to be from India, will call back after a few moments. The phoney customer service representative will instruct the victim to provide their credit card and CVV details to cancel the fake order.

When these scams spoofing Amazon orders succeed, they bring the threat actors profit and also serve as a phone number harvesting tactic.

The contact numbers that the hackers have harvested can be exploited in future attacks through text messages, emails, or voice mails.

Security analysts reported another brand impersonation scam in which threat actors spoofed Proofpoint, a software company, to steal victims' Google and Microsoft email credentials. The phishing email presents a link to a secure file supposedly sent by Proofpoint. Upon clicking, victims are redirected to a fake Proofpoint landing page with dedicated login forms for Google and Microsoft.

According to experts, the scam impersonates trusted security brands and software firms to prey on victims' trust and improve its chances of success.

In the Amazon case, the multistage approach benefits the threat actor, especially if the victim calls. A victim who places the call has most likely already taken the bait, so there is a high chance of conversion.

Experts recommend that users who receive this type of suspicious email look up the sender's email address. Emails from Amazon should come from a legitimate Amazon domain name and not from a Gmail account. Customers should also recheck their Amazon accounts and contact Amazon directly in any case of a mistaken order invoice.

Moreover, calling unfamiliar phone numbers provided in suspicious emails is not advised.
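The sender check recommended above, written as mail-triage logic; this is an added example, not code from the original article. The allowlisted domain, the free-mail list, the phone pattern and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions: adjust both sets to your own allowlist and free-mail list.
AMAZON_DOMAINS = {"amazon.com"}
FREEMAIL_DOMAINS = {"gmail.com"}
# Loose North American phone pattern, used only on mail that already failed the domain check.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")

# Constructed sample messages (555-01xx numbers are reserved for fiction).
PHISH = """From: "Amazon Orders" <order.update.4471@gmail.com>
Subject: Your Amazon order has been placed

Order total: $349.99. If you did not place this order, call (800) 555-0199.
"""
LEGIT = """From: "Amazon.com" <auto-confirm@amazon.com>
Subject: Your Amazon.com order

View the order under Your Orders on the website.
"""

def is_amazon_domain(domain):
    """True for an allowlisted domain or any subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in AMAZON_DOMAINS)

def triage(raw):
    """Return findings for a message that claims to be from Amazon."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    claims_amazon = "amazon" in f"{display} {msg.get('Subject', '')}".lower()
    if not claims_amazon or is_amazon_domain(domain):
        return []
    findings = ["brand_domain_mismatch"]
    if domain in FREEMAIL_DOMAINS:
        findings.append("freemail_sender")
    # A phone number in an off-domain "order" email is the callback lure.
    if PHONE_RE.search(msg.get_payload()):
        findings.append("callback_number_in_body")
    return findings

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(name, triage(raw))
```

A From header can be forged, so this check complements the receiving server's SPF, DKIM and DMARC results rather than replacing them.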
