Buyers beware: Hackers poised to make Amazon Prime Day into a prime phishing day

Analysis of hundreds of millions of web pages found phishing and fraudulent sites using the Amazon brand and logos poised for big Prime Day sales, according to Bolster Research.


Image: iStock/OrnRin

It's bigger than Black Friday and Cyber Monday combined: Amazon Prime Day, the mega-site's biggest annual retail event. For two days, Oct. 13-14, special sales are offered across departments. With shopping malls still closed and other retail stores operating with reduced hours and limited capacity due to COVID-19, Amazon may see its biggest Prime Day yet. But a new report reveals that cyber criminals are poised and ready to take advantage of enthusiastic shoppers who might not be paying close attention to the link they're clicking on, anxious to get a good deal. 


Analysis of hundreds of millions of web pages turned up newly created phishing and fraudulent websites using the Amazon brand and logos. The fake sites try to replicate the real Amazon site in the hope of harvesting unsuspecting "customers'" personal information.

Bolster Research used deep learning, natural language processing and computer vision to distinguish pages that are merely informational from pages built to capture logins, passwords or credit card information.

Bolster is confident that protests at Amazon CEO Jeff Bezos' house won't deter shoppers from taking advantage of Prime Day: "This year's Prime Day will likely be the biggest ever, and the protests against Amazon will have zero effect," said Abhishek Dubey, co-founder and CEO of Bolster. "People are shopping online, and nobody can resist a good deal."


Bolster provided a chart of the new phishing and fraudulent websites created each month using the Amazon brand. It shows a spike in March, at the start of the pandemic, a dip in April, and a climb back to the year's high so far in August.


Image: Bolster

Criminals--at least successful ones--are well prepared. "Criminals were likely gearing up for the originally anticipated Prime Day being in July like last year," Dubey said. "However, when it was delayed, they probably just put those plans on hold. Creating a fake site to steal information or harvest credit cards doesn't take too much effort. The planning probably occurred a couple months in advance, but the execution of the fraud campaign likely occurs within a week or two before the actual Prime Day to avoid detection."

Fake campaigns

The phishing campaigns not only attempt to very closely resemble an actual Amazon page, but choose oft-used actions and verbiage. For example, one campaign targets Amazon "returns" or "order cancellations" related to Prime Day. 

For example, www.amazoncustomersupport.net is clearly designed to mimic an authentic Amazon site, and the webpage could easily fool an unsuspecting shopper.

"The biggest sign it is a scam is the URL," Dubey said. "One technique that criminals are using is to create fake URLs that are long so you can't really tell what the domain is. For example, you may be directed to a link that looks something like 'amazon.com.prime_day_deals/xyz.info.' Shoppers may see the 'amazon.com' and think this is a legitimate site, but a closer look shows that this page is hosted on the 'xyz.info' domain."
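The domain check Dubey describes, written out as an added example that is not part of the original article or of Bolster's tooling: the code splits a link into its hostname and registrable domain (the part someone actually had to register) and flags the link as a lookalike whenever the brand name appears anywhere in it but the registrable domain is not one of Amazon's. The allowlist of Amazon domains and the tiny stand-in for the Public Suffix List are assumptions made for this example, and the quoted link is treated as the hostname amazon.com.prime_day_deals.xyz.info. It also covers the userinfo trick (`www.amazon.com@xyz.info`), which the article does not mention but which hides the real host the same way.

```python
from urllib.parse import urlsplit

# Assumed allowlist of Amazon's own registrable domains (illustrative, not exhaustive).
AMAZON_DOMAINS = {"amazon.com", "amazon.co.uk", "amazon.de", "amazon.ca", "amazon.co.jp"}

# Stand-in for the Public Suffix List: suffixes under which the registrable
# domain is three labels deep. A production checker should load the real list.
TWO_LABEL_SUFFIXES = {"co.uk", "co.jp", "com.au", "com.br"}

BRAND = "amazon"


def registrable_domain(host: str) -> str:
    """Return the part of a hostname that had to be registered (eTLD+1).

    Hostnames are read right to left: 'amazon.com.prime_day_deals.xyz.info'
    is a subdomain of xyz.info, no matter what the left-hand labels say.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_url(url: str) -> dict:
    """Classify a link as 'legitimate', 'lookalike' or 'unrelated' to the brand."""
    if "://" not in url:
        url = "https://" + url  # bare links pasted into e-mails often lack a scheme
    parts = urlsplit(url)
    host = parts.hostname or ""  # .hostname drops any user:pass@ prefix
    domain = registrable_domain(host)
    # Look for the brand anywhere a shopper's eye might catch it: the whole
    # netloc (so 'www.amazon.com@xyz.info' counts) or the path.
    brand_seen = BRAND in parts.netloc.lower() or BRAND in parts.path.lower()
    if domain in AMAZON_DOMAINS:
        verdict = "legitimate"
    elif brand_seen:
        verdict = "lookalike"
    else:
        verdict = "unrelated"
    return {
        "host": host,
        "registrable_domain": domain,
        "brand_seen": brand_seen,
        "verdict": verdict,
    }


if __name__ == "__main__":
    # Constructed sample links, including the one quoted in the article.
    for link in (
        "https://www.amazon.com/gp/css/order-history",
        "amazon.com.prime_day_deals.xyz.info/offer",
        "https://www.amazoncustomersupport.net/returns",
        "https://www.amazon.com@xyz.info/prime-day",
        "https://xyz.info/amazon.com/prime-day",
        "https://example.org/deals",
    ):
        print(classify_url(link))
```

Only the registrable domain decides the verdict; the brand string is used solely to separate "someone is impersonating Amazon" from "unrelated site." Both the subdomain trick in the quote and the userinfo trick produce `xyz.info` as the registrable domain, which is the detail a shopper needs to read off the URL.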


Image: Bolster

Password free, fill-in-the-blanks

Bolster's report explained that, upon closer inspection, there are signs the site is not legitimate:

  • Phone number in the upper right corner: Anyone who has had issues with an Amazon order and tried to contact the company by phone knows Amazon doesn't promote customer service by phone, and it's nearly impossible to find a phone number on the authentic Amazon site.
  • Phishing for information: The page shows a form with fields for customer information, including "debit card" details and a bank routing number. Amazon issues refunds to the original payment method or as a gift card balance and does not ask for a bank routing number to process a return.
  • No password: The page never asks you to sign in, yet Amazon requires an Amazon account to make purchases and returns.

An iPhone for taking a survey

While there are companies that offer Amazon "reviewers" free products in exchange for a review (the disclaimer should be included in the posting), Amazon is not a "sweepstakes" kind of website, and you won't find Amazon discounts on Groupon or Amazon coupons on RetailMeNot. So, when a page that appears to be Amazon's claims to be from a loyalty program and offers a free iPhone in return for answering a few questions, close the page.

The questions are no-brainers, and then users are directed to a game that seems challenging, but surprise! They win. They're then required to enter credit card information to cover a $1 charge for the phone, which will supposedly arrive by courier in five to seven days.

The "free iPhone" is supposedly validated by reviews of other Amazon customers who received the phone. Sadly, the reviews were fake and the phone will never arrive, but the customer will begin to see strange charges on the credit card they used. 


Image: Bolster


Preying on the vulnerable

Cyber criminals keep apprised of new trends that help them phish and defraud. Prime Day 2019 yielded more than $7 billion in sales during the 36-hour event, and with COVID-19 keeping shoppers out of brick-and-mortar stores, 2020 looks like an even richer target. It's time to be hyper-aware.

Skirting scams on Prime Day

There are few who are fully flush with coin, who can purchase whatever they want for whatever price. But being smart and vigilant will get shoppers authentic good deals, and protect privacy and personal information from malicious bad actors. 

Top phishing safety tips from Bolster

  1. Start directly on the actual Amazon site. Do not shop via e-mailed links or ads on social media.
  2. Prime Day purchasing and checkout work the same as any other Amazon purchase. If a step is different from what you're accustomed to, now is the time to take a good look at the page you're on and check the URL.
  3. Don't re-enter saved information. If you are asked to re-enter login or payment details that Amazon already has on file, the likelihood that the site is fraudulent is extremely high.
  4. Inspect site usability and details: broken links, navigation that doesn't work, misplaced buttons, and blurry images, not just product images but the logo too. Leave if anything is off.
  5. An easy test is to click on the Amazon logo in the upper left corner; a fake site is not going to direct you to the real site because it needs to keep users on the fake page.
  6. Don't click on links found in product reviews, answered questions, or product descriptions, Dubey said. "Amazon polices pretty closely this type of activity, but there is always a chance that a link may get through the different layers of security."
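
A checker for the page-level signs named above and in the "Password free, fill-in-the-blanks" section (a displayed phone number, bank or card fields on a form that never asks for a login, a logo that does not link back to amazon.com), as an added example that is not from the article or from Bolster. The two HTML snippets are constructed for the example; the input-name patterns, the phone number regex and the "logo" heuristic (an image inside a link whose alt text or filename mentions a logo) are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed patterns: a North American phone number, and input names that
# a refund form has no business asking for.
PHONE_RE = re.compile(r"\b(?:1[-.\s])?\(?\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}\b")
BANK_FIELD_RE = re.compile(r"routing|debit|card|cvv|account")


class _PageCollector(HTMLParser):
    """Collect inputs, visible text and the link wrapped around the logo image."""

    def __init__(self):
        super().__init__()
        self.inputs = []        # (type, name) of every <input>
        self.text = []          # text nodes
        self.logo_href = None   # href of the <a> enclosing the logo <img>
        self._open_anchors = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input":
            self.inputs.append(((a.get("type") or "text").lower(), (a.get("name") or "").lower()))
        elif tag == "a":
            self._open_anchors.append(a.get("href") or "")
        elif tag == "img" and self._open_anchors:
            blob = ((a.get("alt") or "") + " " + (a.get("src") or "")).lower()
            if "logo" in blob:
                self.logo_href = self._open_anchors[-1]

    def handle_endtag(self, tag):
        if tag == "a" and self._open_anchors:
            self._open_anchors.pop()

    def handle_data(self, data):
        self.text.append(data)


def _is_amazon_host(host):
    host = (host or "").lower()
    return host == "amazon.com" or host.endswith(".amazon.com")


def page_red_flags(page_url, html):
    """Return the list of signs that a returns/refund page is not Amazon's."""
    page = _PageCollector()
    page.feed(html)
    flags = []
    if PHONE_RE.search(" ".join(page.text)):
        flags.append("phone number displayed")
    if any(BANK_FIELD_RE.search(name) for _, name in page.inputs):
        flags.append("asks for bank or card details")
    if not any(kind == "password" for kind, _ in page.inputs):
        flags.append("collects data without a login")
    if page.logo_href is not None:
        # Resolve relative hrefs ('#', '/') against the page's own URL,
        # which is what the browser would do when the logo is clicked.
        target = urlsplit(urljoin(page_url, page.logo_href)).hostname
        if not _is_amazon_host(target):
            flags.append("logo link stays off amazon.com")
    return flags


# Constructed sample of a fake "order cancellation" refund page.
FAKE_RETURN_PAGE = """
<html><body>
<header>
  <a href="#"><img src="/img/amazon-logo.png" alt="Amazon logo"></a>
  <span class="support">Call us: 1-800-555-0199</span>
</header>
<h1>Prime Day order cancellation refund</h1>
<form method="post" action="/submit.php">
  <input type="text" name="full_name">
  <input type="text" name="debit_card_number">
  <input type="text" name="bank_routing_number">
  <input type="submit" value="Get refund">
</form>
</body></html>
"""

# Constructed sample of a sign-in page shaped like the real one.
SIGN_IN_PAGE = """
<html><body>
<a href="/"><img src="/images/logo.svg" alt="Amazon logo"></a>
<form method="post" action="/ap/signin">
  <input type="email" name="email">
  <input type="password" name="password">
  <input type="submit" value="Sign in">
</form>
</body></html>
"""

if __name__ == "__main__":
    print(page_red_flags("https://www.amazoncustomersupport.net/returns", FAKE_RETURN_PAGE))
    print(page_red_flags("https://www.amazon.com/ap/signin", SIGN_IN_PAGE))
```

The logo test is the same one the list recommends: the href is resolved the way a click would be, so an `href="#"` on a lookalike host is reported as staying off amazon.com. Run on the constructed fake page it reports all four signs; on the sign-in sample it reports none.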

What to do if you're phished

It's in Amazon's interest to shut down and/or catch these cyber criminals. "Amazon is likely anticipating these attacks, and they likely have a team to monitor and assess this problem," Dubey said. "I don't think they will issue warnings to customers since that would give the impression that they do not have a handle on this problem."

Dubey also noted that the only recourse for customers who are scammed "is through their credit card or financial institution. Some payment cards have online shopping guarantees and protection for consumers for unauthorized charges."

Amazon can take control: "Amazon can shut them down by working with the hosting companies," Dubey explained. "The challenge is finding the sites and then submitting the documentation to have them taken down. The process is often manual, and companies are not able to keep up with the sheer volume of phishing and fraud sites. Using artificial intelligence (AI) to find and assess the fraudulent nature of these sites and automating the takedown process allows companies to keep up with the criminals." He added that Bolster "can scale to take down thousands of sites per hour."

Finally, Dubey warned, "Prime Day can be a frenzy because inventory does run out. In their goal not to miss out, people do often overlook signs such as low resolution/blurry images or graphics or a completely new site layout they have never seen before. Another sign people may not notice is the changes in location of buttons or links. For example, no matter where you are on the Amazon site, the shopping cart is always on the upper right. It will likely not be there on a fake site, but people miss these small details and just assume that it's a special page for the Prime Day event."


By N.F. Mendoza

N.F. Mendoza is a writer at TechRepublic and based in Los Angeles. She has a BA in Broadcast Journalism and Cinema Critical Studies and a Master's of Professional Writing, both from USC. Nadine has more than 20 years experience as a journalist coveri...