Anatomy of an Amazon Phishing Attack


Phishing is the devious practice of tricking users into giving away their usernames and passwords to fraudulent sites. It is big business, and the best defence against it is constant vigilance.

I'm going to walk you, step-by-step, through a scam that targeted me today. Along the way we'll see how to avoid falling prey to these monsters.

It starts with a text

I was sent this SMS from a number that I didn't recognise.

Fake amazon SMS

Let's count the mistakes!

  1. In the UK, we place the currency symbol before the number.
  2. British English spells "authorise" with an S rather than a Z.
  3. Amazon don't send out links using the bitly shortening service.

These phishers are hoping that you're too stupid to notice the mistakes. They are also betting that you're too busy to think for a minute about whether Amazon are likely to contact you via SMS rather than email or app notification.

Let's say you're tired enough to click through, what do you find?

Stealing Beauty

At first glance, this looks identical to the regular Amazon mobile sign in page.

Amazon Scam Site

But! Look closely. There are three obvious mistakes.

  1. No https - you should know by now that you never enter your password unless the website is protected with those magic letters.
  2. The web address is not amazon.co.uk! It is some other site. Again, you should never enter a password unless you are sure that the site is legitimate.
  3. Finally - what is that � character doing at the bottom of the site? It should be a © symbol. Far too sloppy for Amazon.

Surely you wouldn't fall for this? Sadly, not everyone in the world is as bright as you.
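The first two checks above can be written down as code. This is an added example, not part of the original post: the function name `check_signin_url`, the shortener list and the sample URLs are all constructed for illustration, and it goes slightly beyond the article by also flagging hostnames that merely contain "amazon.co.uk".

```python
from urllib.parse import urlsplit

# Assumption: the one domain the reader expects for this sign-in page.
EXPECTED_DOMAIN = "amazon.co.uk"
# Assumption: shortener hosts to flag; bitly is the one named in the article.
SHORTENERS = {"bit.ly", "bitly.com"}


def check_signin_url(url, expected=EXPECTED_DOMAIN):
    """Return the reasons not to type a password into this URL (empty = none found)."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".").lower()
        has_userinfo = parts.username is not None
    except ValueError:
        return ["URL could not be parsed"]

    problems = []
    # Check 1 from the list above: no https.
    if parts.scheme != "https":
        problems.append("not https")
    # Anything before an '@' is login data, not the site you are visiting.
    if has_userinfo:
        problems.append("text before '@' is not the real host")
    if host in SHORTENERS:
        # A short link tells you nothing about where it finally lands.
        problems.append("shortened link, destination unknown")
    elif not (host == expected or host.endswith("." + expected)):
        # Check 2: the host must be the expected domain or a subdomain of it.
        # Matching on ".amazon.co.uk" rejects both "notamazon.co.uk" and
        # "amazon.co.uk.signin.example".
        problems.append(f"host {host!r} is not {expected}")
    return problems


if __name__ == "__main__":
    # Constructed sample URLs; .example is a reserved test domain.
    samples = [
        "https://www.amazon.co.uk/ap/signin",
        "http://amazon.co.uk.signin.example/ap/signin",
        "https://notamazon.co.uk/signin",
        "https://www.amazon.co.uk@phish.example/signin",
        "https://bit.ly/EXAMPLE",
    ]
    for s in samples:
        print(s, "->", check_signin_url(s) or "no problems found")
```

An empty result only means these particular checks passed; it says nothing about the third mistake in the list, which needs a human eye.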

Tell me more, tell me more

So, you unwisely entered your password. The scammers are already riffling through your Amazon account with the stolen password. They're buying themselves toys using your credit card. But they ain't done with you yet!

Amazon Scam Site asking for your info

They want everything! Once they have your home address and phone number, they can bombard you with scams. Scroll down, and it gets worse.

Amazon Scam Site asking for even more info

Your bank details! Your mother's maiden name! Are these details enough for them to fool your bank? With all the information you're giving them, they'll be able to take over your entire life!

Fool me once

Because the scammers use bitly, we can take a look at how many people are clicking through this link.

By the time Bitly had flagged the link as malicious, over 250 people had clicked on it.

A graph showing how many people clicked the link

Would you have fallen for it? These scammers are betting that you're not paying attention. That you'll blindly trust any link you see.

Phone companies are powerless to stop this sort of spam - SIM cards can be purchased anonymously, and computers can pump out thousands of texts before their suspicious behaviour is noticed.

Bitly knows it is a vector for phishing attacks, but can't check every link before it goes live.

The only solid defence is you! It is up to you to keep your wits about you, to examine every message you receive, and every link you click. You have to stay safe all the time - the scammers only need to get lucky once.

If you want to harden your defences, you need to take action now.

  1. Activate Two-Factor Authentication for Amazon - even if someone steals your password, they'll also need your phone in order to log in.
  2. Use LastPass to generate strong and unique passwords for every site you use. If you use the same password on multiple sites - it is only a matter of time before one is lost, and then all are lost.

Stay safe out there!

3 thoughts on “Anatomy of an Amazon Phishing Attack”

  1. I think the mistakes are acceptable - they don't want to waste their time on people who are likely to give them junk data i.e. if you fall for it, you're not going to question putting in your credit card etc.

    1. Indeed. It is quite common to see "mistakes" in phishing emails. They want to grab the attention of people with low attention to detail and high trust.

  2. There's an interesting paper on this: Herley, Cormac. 2012. Why do Nigerian Scammers Say They are from Nigeria? Proceedings of the Workshop on the Economics of Information Security (WEIS).

    I guess with social engineering becoming more and more important in the Phisher's equation, it is relevant not only for the Nigerian princes.
