New Phishing Campaign Mimics Amazon Prime Membership To Steal Credit Card Data


A sophisticated phishing campaign targeting Amazon Prime members has been uncovered, aiming to steal credit card information and other sensitive data.

Cybersecurity experts have identified a complex attack chain that leverages PDF attachments, redirects, and cleverly crafted phishing sites to deceive unsuspecting victims.

The campaign begins with malicious PDF files containing links to phishing sites impersonating Amazon.

Researchers have collected 31 such PDF files, each with a unique SHA256 hash.

Security analysts at Unit42 noted that these PDFs send users through a series of redirecting URLs, ultimately landing on a fraudulent site designed to capture credit card information.


Initial Attack Vector

The attack chain typically follows this pattern:

  1. Users receive an email with a PDF attachment.
  2. The PDF contains a link to an initial URL.
  3. This URL redirects to a subdomain of duckdns[.]org.
  4. The phishing site then attempts to steal credit card data.

From PDF file to phishing site (Source – X)
Ask for sensitive data (Source – X)
Steal credit card data (Source – X)

Researchers have identified several key components of this phishing operation:

  • PDF Hashes: 31 unique SHA256 hashes have been associated with the malicious PDF files.
  • Initial URLs: Most links in the PDFs point to subdomains of duckdns[.]org, with a few using redirectme[.]net.
  • Cloaking Techniques: The phishing websites employ cloaking to redirect scans and analysis attempts to benign sites.
  • Infrastructure: Domains for initial URLs and intermediate staging URLs are often hosted on the same IP addresses.

Cloaking script (Source – X)
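The initial vector described above (a PDF whose link annotation points at a dynamic-DNS host) lends itself to a simple triage step at the mail gateway or in the SOC. The script below is an added example, not code from the original article or from Unit42: it hashes a PDF, pulls every /URI link target out of it, and flags targets under the dynamic-DNS providers named on this page (duckdns[.]org, redirectme[.]net). The sample PDFs are constructed inline, the lure URL reused in the demo is one of the initial URLs listed on this page, and the handling of FlateDecode-compressed object streams is an assumption about how such links could be hidden from a plain-text scan, not something the page describes.

```python
"""Triage PDF attachments for link annotations pointing at dynamic-DNS hosts.

Added example, not code from the original article or from Unit42.
"""
import hashlib
import re
import zlib
from urllib.parse import urlsplit

# Dynamic-DNS providers observed in the campaign (duckdns[.]org, redirectme[.]net).
DYNAMIC_DNS_SUFFIXES = ("duckdns.org", "redirectme.net")

# A PDF link annotation stores its target as /URI (literal string); the literal
# may contain backslash escapes for parentheses and backslashes.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^()\\])*)\)")
# Stream bodies: annotations can sit inside compressed object streams (/ObjStm).
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def pdf_sha256(data: bytes) -> str:
    """Hash used to correlate a sample with published IoCs."""
    return hashlib.sha256(data).hexdigest()


def _candidate_blobs(pdf_bytes: bytes):
    """Yield the raw file plus every stream that inflates as FlateDecode data."""
    yield pdf_bytes
    for m in STREAM_RE.finditer(pdf_bytes):
        try:
            # decompressobj tolerates a clipped trailer, which naive slicing can produce.
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # not deflate data (image, font, ...), skip it


def extract_uris(pdf_bytes: bytes) -> list[str]:
    """Return every /URI target found in the file, in order, without duplicates."""
    seen: list[str] = []
    for blob in _candidate_blobs(pdf_bytes):
        for m in URI_RE.finditer(blob):
            raw = re.sub(rb"\\(.)", rb"\1", m.group(1))  # undo single-char escapes
            uri = raw.decode("latin-1")
            if uri not in seen:
                seen.append(uri)
    return seen


def is_dynamic_dns(url: str) -> bool:
    """True if the URL's host is (a subdomain of) a listed dynamic-DNS provider."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES)


def triage_pdf(pdf_bytes: bytes) -> dict:
    """Hash the file, list its link targets and flag dynamic-DNS destinations."""
    uris = extract_uris(pdf_bytes)
    flagged = [u for u in uris if is_dynamic_dns(u)]
    return {"sha256": pdf_sha256(pdf_bytes), "uris": uris,
            "flagged": flagged, "suspicious": bool(flagged)}


def build_sample_pdf(target_url: str, compress: bool = False) -> bytes:
    """Constructed minimal PDF with one link annotation, for testing only.

    With compress=True the annotation object is wrapped in a FlateDecode stream
    (an assumed evasion), so a plain-text scan of the file would miss the link.
    """
    literal = (target_url.encode().replace(b"\\", b"\\\\")
               .replace(b"(", b"\\(").replace(b")", b"\\)"))
    annot = (b"4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720] "
             b"/A << /S /URI /URI (" + literal + b") >> >> endobj\n")
    if compress:
        body = zlib.compress(annot)
        annot = (b"5 0 obj << /Type /ObjStm /Filter /FlateDecode /Length "
                 + str(len(body)).encode() + b" >>\nstream\n" + body
                 + b"\nendstream\nendobj\n")
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
            b"/Annots [4 0 R] >> endobj\n"
            + annot + b"trailer << /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    lure = "https://redixajcdkashdufzxcsfgfasd.duckdns.org/CCq8SKn"  # initial URL from the campaign
    for compressed in (False, True):
        print(triage_pdf(build_sample_pdf(lure, compress=compressed)))
```

The suffix check is deliberately host-based rather than a substring match on the URL, so a look-alike such as duckdns.org.example.com is not flagged while any real duckdns[.]org subdomain is. In production the SHA256 would be compared against the published hash list rather than only recorded.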

A typical attack flow observed on January 24, 2025, proceeded as follows:

  1. hxxps[:]//redixajcdkashdufzxcsfgfasd.duckdns[.]org/CCq8SKn
  2. hxxps[:]//ahyewifjksdhfjhjgsdfhjdsasdzxcs.duckdns[.]org/?verify
  3. Multiple CSS and favicon requests to mimic legitimate Amazon pages
  4. Final phishing page: hxxps[:]//ahyewifjksdhfjhjgsdfhjdsasdzxcs.duckdns[.]org/security-check/secure?_ts=e69618fc9
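The flow above is also a useful detection pattern on the network side: one client touching two different dynamic-DNS hostnames within seconds, with a "verify" or "security-check" style path on the second, is far more specific than alerting on any duckdns[.]org lookup (which legitimately backs home cameras and hobby servers). The correlator below is an added example, not from the original article or Unit42; the hostnames and paths in its constructed proxy log come from the flow listed above, while the log format, the five-minute window and the lure-path keywords are assumptions for the illustration.

```python
"""Correlate proxy logs for the dynamic-DNS redirect chain described above.

Added example, not from the original article or from Unit42. The log format,
the window and the lure-path keywords are assumptions; the hostnames and paths
come from the attack flow listed on this page.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

DYNAMIC_DNS_SUFFIXES = ("duckdns.org", "redirectme.net")
# Path fragments taken from the observed flow ("/?verify", "/security-check/secure").
LURE_KEYWORDS = ("verify", "security-check")

# Constructed sample log: "<UTC timestamp> <client> <status> <url>".
# Client 10.0.0.7 replays the observed chain; 10.0.0.9 makes a single benign
# dynamic-DNS request (a home camera) that must not raise an alert.
SAMPLE_LOG = """\
2025-01-24T10:02:11Z 10.0.0.7 302 https://redixajcdkashdufzxcsfgfasd.duckdns.org/CCq8SKn
2025-01-24T10:02:12Z 10.0.0.7 200 https://ahyewifjksdhfjhjgsdfhjdsasdzxcs.duckdns.org/?verify
2025-01-24T10:02:12Z 10.0.0.7 200 https://ahyewifjksdhfjhjgsdfhjdsasdzxcs.duckdns.org/css/amazon.css
2025-01-24T10:02:13Z 10.0.0.7 200 https://ahyewifjksdhfjhjgsdfhjdsasdzxcs.duckdns.org/favicon.ico
2025-01-24T10:02:15Z 10.0.0.7 200 https://ahyewifjksdhfjhjgsdfhjdsasdzxcs.duckdns.org/security-check/secure?_ts=e69618fc9
2025-01-24T10:05:00Z 10.0.0.9 200 https://www.amazon.com/gp/css/homepage.html
2025-01-24T10:06:30Z 10.0.0.9 200 https://mycamera.duckdns.org/status
"""


def is_dynamic_dns(host: str) -> bool:
    """True if host is (a subdomain of) a listed dynamic-DNS provider."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES)


def parse_line(line: str):
    """Split one assumed-format log line into (timestamp, client, status, host, path)."""
    ts, client, status, url = line.split(None, 3)
    parts = urlsplit(url)
    path = parts.path + ("?" + parts.query if parts.query else "")
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, int(status),
            (parts.hostname or ""), path)


def detect_redirect_chains(log_text: str,
                           window: timedelta = timedelta(minutes=5)) -> list[dict]:
    """One alert per client that, inside `window`, reached two or more distinct
    dynamic-DNS hosts and requested a lure-looking path on at least one of them."""
    by_client: dict[str, list] = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, _status, host, path = parse_line(line)
        if is_dynamic_dns(host):
            by_client[client].append((ts, host, path))

    alerts = []
    for client, events in by_client.items():
        events.sort()
        start = 0  # left edge of the sliding time window
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            hits = events[start:end + 1]
            hosts = sorted({h for _, h, _ in hits})
            lure_paths = [p for _, _, p in hits
                          if any(k in p.lower() for k in LURE_KEYWORDS)]
            if len(hosts) >= 2 and lure_paths:
                alerts.append({"client": client,
                               "first_seen": hits[0][0].isoformat(),
                               "hosts": hosts,
                               "lure_paths": lure_paths})
                break  # one alert per client is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_redirect_chains(SAMPLE_LOG):
        print(alert)
```

Requiring both conditions (two distinct dynamic-DNS hosts and a lure-style path) is what keeps the single mycamera.duckdns.org request quiet; tune the keyword list to the paths seen in your own telemetry, since the ones here are only the two shown on this page.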

The wider Amazon-impersonation problem is significant: more than 1,230 new domains associated with Amazon appeared in June 2024 alone, and 85% of them were flagged as malicious or suspicious.

This surge in domain registrations coincides with the approach of major shopping events like Amazon Prime Day, indicating the attackers’ intent to capitalize on increased online shopping activity.

To combat this threat, experts recommend taking several precautions. Carefully scrutinize URLs that claim to be from Amazon and confirm that the address bar shows a genuine Amazon domain rather than a look-alike or a dynamic-DNS hostname such as the duckdns[.]org subdomains used in this campaign. HTTPS and a padlock icon only show that the connection is encrypted; the phishing pages in this chain were themselves served over HTTPS, so the padlock is no proof that a site is legitimate.

Be cautious of emails that urge immediate action or request sensitive information, as these may be phishing attempts. Protect your Amazon account by using strong, unique passwords and enabling multi-factor authentication whenever possible.

Amazon has stated that it initiated takedowns of more than 40,000 phishing websites and 10,000 phone numbers used in impersonation schemes in 2023.

The company also employs advanced email verification technology to help customers identify authentic Amazon communications.

By staying informed and following best security practices, shoppers can better protect themselves from falling victim to such scams.


