A sophisticated phishing campaign targeting Amazon Prime members has been uncovered, using malicious PDF attachments to steal sensitive information, including credit card data. The attack begins with users receiving an email containing a PDF file, which includes a link leading to a phishing website impersonating Amazon. The links within these PDFs redirect users through a series of URLs, ultimately guiding them to fraudulent pages that are designed to harvest credit card details.
Security researchers identified 31 unique malicious PDF files associated with this campaign, each containing a unique SHA256 hash. The malicious URLs primarily point to subdomains of duckdns[.]org, with a few also using redirectme[.]net. These phishing websites employ cloaking techniques to deceive security measures, redirecting scanners to benign sites to avoid detection. The infrastructure behind the campaign often involves domains and subdomains hosted on the same IP addresses, making it more difficult for analysts to track.
The attackers appear to be timing their campaign to coincide with major shopping events, such as Amazon Prime Day, which increases the likelihood of victims falling for the scam. In June 2024 alone, over 1,230 new domains associated with Amazon were registered, with a disturbing 85% flagged as suspicious or malicious.
These domains serve as part of the broader phishing operation that aims to take advantage of increased online shopping activity to steal sensitive data.
In response, cybersecurity experts recommend a number of precautions to avoid falling victim to such attacks. Users should carefully inspect URLs, ensuring they use HTTPS and display a padlock icon for security. It’s also advised to be cautious of emails that pressure recipients into immediate action or request sensitive information. Amazon has been proactive in combating these scams, taking down thousands of phishing sites and phone numbers, while urging customers to use multi-factor authentication and strong, unique passwords for added security.