There’s An Amazon Prime Phishing #Scam Email Making The Rounds… This Is How It Works

I’ve come across an Amazon Prime Scam Email that you need to know about. First let’s have a look at the email itself:

So it’s your typical phishing email where it claims that your Amazon Prime account has been hacked and shut down as a result. You must update your information in 24 hours to restore service and avoid the account being locked forever, which is the threat actor’s call to action. It has the usual bad grammar and obvious spelling issues that are typical with these emails. Plus, of note, the phone number for US and Canadian customers that is referenced in the email is missing a digit. As for the number, I dialled it from one of my burned phones and it wasn’t connected to anything.

What I want to draw your attention to are the links in the email. They look legit. But they are not. They are actually disguised to hide the fact that they go to Google Apps Script as evidenced here:

This script could run anything such as installing malware, ransomware, or backdoors onto your computer. And three of the four links contain this URL that goes to Google Apps Script. This illustrates why you should never, ever click on any links in an email like this, because once you click on this link, it is possible that you’re going to get pwned in some way. So I took this URL to a computer that is isolated on my network and had it do its thing:

It takes you to this rather real looking Amazon page. Of interest, the reCAPTCHA at the bottom clicks itself without user input. They typically don’t do that, which is another sign that the page is fake. Another hint that this is fake is that if you look at the top left, you will see the words “This application was created by another user, not by Google”. So clearly this isn’t an Amazon page. I didn’t note that it downloaded anything to my computer while I was looking at it. Which implies that this was done to get your confidence to go further down the rabbit hole. When you click on “Continue to Amazon.com” you get this:

Again, this is a real looking Amazon web page. But if you look at the URL at the top, it’s clearly not coming from Amazon.com. Thus it is fake and you should run in the other direction. But I’m going to see how far down the rabbit hole this goes by typing in a fake email address. I had to try a few as the site was built to filter out bogus email addresses like “fuckoff@stupidscammer.com” which was the first one that I tried. That took me here:

I tried typing in a fake password just to see what happened next. But there was no “next” as the site simply didn’t do anything regardless of how many times I clicked Sign-In. Presumably because at this point the site has captured my Amazon “password” and my Amazon account has been pwned. If that’s you, then you should be changing your Amazon password right now. But hopefully that’s not you and you didn’t fall for this phishing scam. And if you got an email like this and this came up in your Google search, hopefully this has saved you from getting pwned.
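
The link disguise described above (Amazon-looking link text whose real destination is Google Apps Script) can be checked mechanically before anyone clicks. The following is an added example, not code from this post: the sample email body, the placeholder deployment ID and the `BRAND_DOMAINS` list are constructed assumptions, while `script.google.com` is the hostname Apps Script web apps are served from.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hostnames that serve Google Apps Script web apps.
APPS_SCRIPT_HOSTS = {"script.google.com", "script.googleusercontent.com"}
# Domains of the impersonated brand (assumption: Amazon US and Canada only).
BRAND_DOMAINS = ("amazon.com", "amazon.ca")

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def on_brand(host):
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)

def audit_links(html):
    """Return (href host, visible text, reasons) for each suspicious link."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = (urlsplit(href).hostname or "").lower()
        reasons = []
        if host in APPS_SCRIPT_HOSTS:
            reasons.append("apps-script-host")
        if re.search("amazon", text, re.I) and not on_brand(host):
            reasons.append("brand-text-mismatch")
        if reasons:
            findings.append((host, text, reasons))
    return findings

# Constructed sample body: placeholder deployment ID, invented link text.
_GAS = "https://script.google.com/macros/s/DEPLOYMENT_ID_PLACEHOLDER/exec"
SAMPLE_EMAIL = f"""<p>Your Amazon Prime account is on hold.</p>
<a href="{_GAS}">Update your Amazon Prime information</a>
<a href="{_GAS}">https://www.amazon.com/prime</a>
<a href="{_GAS}">Sign in to Amazon</a>
<a href="https://www.amazon.com/help">Amazon Help</a>"""
```

Calling `audit_links(SAMPLE_EMAIL)` flags the three disguised links and leaves the genuine `www.amazon.com` link alone; a lookalike host such as `amazon.com.example.net` is also flagged because the suffix check requires a real subdomain of the brand domain.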
