Cyber criminals go after Amazon Prime Day shoppers
June 2021 by Check Point
Check Point Research (CPR) spots surges in malicious activity in the run-up to Amazon Prime Day 2021, with nearly 80% of domains containing the word “Amazon” potentially dangerous. Cybercriminals are impersonating the Amazon brand ahead of the annual shopping event in order to trick consumers into handing over their email addresses, payment details, passwords and more.
• In the last 30 days, over 2,300 new Amazon-related domains were registered, a 10% increase from the previous Amazon Prime Day, and the majority are now either malicious or suspicious
• Almost one out of two (46%) newly registered domains containing the word “Amazon” are malicious
• Almost one out of three (32%) newly registered domains with the word “Amazon” are deemed suspicious
• CPR provides examples of malicious impersonations of Amazon Customer Service, as well as the log-in page for Amazon Japan
Check Point Research (CPR) has spotted an increase in malicious activity in the run-up to Amazon Prime Day 2021, one of the largest online shopping events of the year. This year’s event, slated to occur on June 21-22, promises millions of deals and special offers to Amazon’s 150-million-plus Prime subscribers around the world. Over 20 countries, from the U.S.A. and U.K. to China and more, are expected to participate in Amazon’s annual online shopping event.
Roughly 80% of “Amazon” Domains are Potentially Dangerous
In the last 30 days, CPR has found that nearly half (46%) of new domains registered with the word “Amazon” are malicious. Furthermore, 32% of new domains registered with the word “Amazon” have been deemed suspicious by CPR. Finally, CPR found that 32% of new domains registered with the words “Amazon Prime” are malicious. In the past 30 days, over 2,303 new Amazon-related domains were registered, compared to 2,137 in 2020.
Why Cybercriminals Spoof Domains
Domain spoofing is a popular way for cyber criminals to steal money or sensitive data. Look-alike domain registrations aim to divert online traffic and redirect unsuspecting consumers to websites that contain malware, or prompt users to provide personal identifying information. In this case, cyber criminals are aiming to hide behind the Amazon brand, so that they can target Prime Day shoppers with emails that prompt the recipient to click a malicious link or respond with sensitive information.
Example A: Impersonation of Amazon’s “Customer Service”
Below is an example that CPR found of a phishing email, allegedly sent from Amazon’s “Customer Service”. The email prompts the recipient to verify their Amazon account. CPR determined that the email was never sent by Amazon, but is instead a clear phishing attempt sent from admin@fuseiseikyu-hl[.]jp. The attacker was trying to lure victims into clicking on a malicious link, which redirects the user to http://www[.]betoncire[.]es/updating/32080592480922000. The link is now inactive.
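The mismatch in Example A, and the look-alike registrations described under “Why Cybercriminals Spoof Domains”, can both be checked mechanically. The following is an added example, not code from Check Point: it flags a message that claims to come from Amazon while its sender and link hosts fall outside an allowlist. The allowlist contents, the function names and the sample message (built from the sender and link quoted above) are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

BRAND = "amazon"
# Assumption: an allowlist of domains the brand really uses (illustrative subset).
LEGIT_DOMAINS = {"amazon.com", "amazon.co.jp", "amazon.co.uk"}

# Constructed sample built from the sender and link reported above; the
# indicators stay defanged in the source and are refanged only in memory.
SAMPLE = """\
From: "Amazon Customer Service" <admin@fuseiseikyu-hl[.]jp>
Subject: Verify your Amazon account

Verify here: http://www[.]betoncire[.]es/updating/32080592480922000
"""

def is_brand_domain(host):
    """True if host is an allowlisted domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)

def is_lookalike(domain):
    """Brand keyword appears in the name, but the domain is not the brand's."""
    return BRAND in domain.lower() and not is_brand_domain(domain)

def check_email(raw):
    """Return (field, defanged host) pairs that contradict a claimed brand."""
    msg = message_from_string(raw.replace("[.]", "."))
    display, addr = parseaddr(msg["From"] or "")
    subject = msg["Subject"] or ""
    if BRAND not in (display + " " + subject).lower():
        return []  # message does not claim to come from the brand
    hosts = [("sender", addr.rpartition("@")[2])]
    for url in re.findall(r"https?://\S+", msg.get_payload()):
        hosts.append(("link", urlsplit(url).hostname or ""))
    return [(field, host.replace(".", "[.]"))
            for field, host in hosts if not is_brand_domain(host)]

if __name__ == "__main__":
    for field, host in check_email(SAMPLE):
        print(f"{field} host {host} is not an allowlisted {BRAND} domain")
```

Neither host in Example A contains the word “Amazon”, so a keyword search over domains alone would miss it; the check works because it compares what the message claims with where it actually comes from and points to.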