Amazon customers are the latest targets of a phishing campaign that impersonates the company. The campaign uses a technique known as ‘Living Off Trusted Sites’ (LOTS), in which attackers host and deliver their malicious content on well-known, legitimate platforms so that it inherits those platforms’ reputation.
By routing victims through Google Drawings and a link shortener operated by WhatsApp, the attackers slip past URL filtering and harvest sensitive information from unsuspecting victims.
Menlo Security researcher Ashwin Vamshi identified the campaign, which pushes the boundaries of social engineering. It is built to evade detection while targeting Amazon account credentials, including login details and payment card information.
A Tricky Phishing Route from Amazon to WhatsApp
The attack begins with a phishing email carrying what appears to be an Amazon account verification link. The goal of this latest LOTS attack is to get the victim to click a fake Amazon link on the strength of nothing more than a simple email.
After clicking, the victim is shown a graphic that mimics a legitimate Amazon account verification page and warns of “unusual account activity.” The attackers host this graphic on Google Drawings, a tool within the Google Workspace suite, so the link in the email points at a Google domain rather than at attacker-controlled infrastructure.
Google Drawings lets an author attach a hyperlink to elements of a drawing, and many security tools do not inspect links embedded inside such an image. If the user clicks the embedded link, they are redirected to a fraudulent Amazon login page.
The embedded “Continue Verification” link is wrapped in WhatsApp’s URL shortener, “l[.]wl[.]co”, which hides the true destination behind a WhatsApp-owned domain; on its own, the Google Drawings link only leads to an image. When the victim clicks the link, they land on what appears to be an Amazon Sign-In page but is in fact a fake login page. This is the second stage of the LOTS phishing chain, and because the victim believes they are completing a security check, they then walk through four further information-gathering pages.
The attackers chose “l[.]wl[.]co” because shortened links created by this service do not warn users that they are being redirected to a different website. For a further layer of indirection, the chain also passes through “qrco[.]de,” a URL shortener for dynamic QR codes.
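The practical defensive check this chain calls for is to unwrap each shortener hop individually, without ever rendering the final page, and to flag any brand “verification” link that passes through a shortener or lands on third-party hosting. The following is an added example written for this article and is not code from Phishing Tackle, Menlo Security or the campaign itself. Only the host names l[.]wl[.]co, qrco[.]de and docs.google.com come from the article; every URL path, the landing host `account-verify.example` and the sample chain are constructed placeholders. The Google Drawings hop is not an HTTP redirect (the link sits inside the image), so an analyst feeds the link extracted from the drawing into the check separately, as the demo does.

```python
"""Added example (not the article's or Menlo Security's code): unwrap a
shortener chain one hop at a time, without loading the final page, and flag
the Living-Off-Trusted-Sites pattern described above.

Only the hosts l.wl.co, qrco.de and docs.google.com come from the article;
every URL path below is a constructed placeholder."""
from urllib.parse import urlparse, urljoin
import urllib.error
import urllib.request

# Hosts the article names as abused: shorteners that hide the destination, and
# the hosting for the lure image (Google Drawings lives under docs.google.com).
SHORTENER_HOSTS = {"l.wl.co", "qrco.de"}
TRUSTED_HOSTING_HOSTS = {"docs.google.com"}
MAX_HOPS = 8  # a chain longer than this is treated as unresolved


def next_hop_http(url, timeout=5):
    """Live resolver: one HEAD request with redirects disabled. Returns the
    absolute Location of a 3xx response, or None if the URL does not redirect.
    Not used by the offline demo below."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # refuse to follow; urllib then raises HTTPError
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, method="HEAD",
                                 headers={"User-Agent": "link-check/1.0"})
    try:
        opener.open(req, timeout=timeout)
        return None
    except urllib.error.HTTPError as err:
        if 300 <= err.code < 400 and err.headers.get("Location"):
            return urljoin(url, err.headers["Location"])
        return None


# Constructed sample chain mirroring the article: WhatsApp shortener ->
# QR-code shortener -> fake sign-in page on a hypothetical host.
SAMPLE_HOPS = {
    "https://l.wl.co/example-hop": "https://qrco.de/example-hop",
    "https://qrco.de/example-hop": "https://account-verify.example/ap/signin",
}


def sample_next_hop(url):
    """Offline stand-in for next_hop_http; anything not in the table is final."""
    return SAMPLE_HOPS.get(url)


def unwrap_chain(url, next_hop, max_hops=MAX_HOPS):
    """Follow redirects one hop at a time. Returns (chain, resolved): resolved
    is False on a loop or when max_hops is exceeded."""
    chain, seen = [url], {url}
    for _ in range(max_hops):
        nxt = next_hop(chain[-1])
        if nxt is None:
            return chain, True          # last element is the landing URL
        if nxt in seen:
            return chain + [nxt], False  # redirect loop
        chain.append(nxt)
        seen.add(nxt)
    return chain, False                  # too many hops


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def is_brand_host(host, brand_domain):
    return host == brand_domain or host.endswith("." + brand_domain)


def assess_link(url, brand_domain, next_hop):
    """Verdict for a link that claims to belong to brand_domain:
    'ok' only if it lands on the brand with no shortener or third-party
    hosting in the path; 'unresolved' if the chain loops or is too long."""
    chain, resolved = unwrap_chain(url, next_hop)
    hosts = [host_of(u) for u in chain]
    shorteners = [h for h in hosts if h in SHORTENER_HOSTS]
    trusted = [h for h in hosts if h in TRUSTED_HOSTING_HOSTS]
    landing = hosts[-1] if resolved else None
    if not resolved:
        verdict = "unresolved"
    elif is_brand_host(landing, brand_domain) and not shorteners and not trusted:
        verdict = "ok"
    else:
        verdict = "suspicious"
    return {"verdict": verdict, "chain": chain, "shorteners": shorteners,
            "trusted_hosting": trusted, "landing_host": landing}


if __name__ == "__main__":
    # The link in the email (lure image) and the link embedded in the image.
    for link in ("https://docs.google.com/drawings/d/example/preview",
                 "https://l.wl.co/example-hop"):
        print(assess_link(link, "amazon.com", sample_next_hop))
```

Swap `sample_next_hop` for `next_hop_http` to run the same check against live links from a sandboxed host; because each hop is a single HEAD request with redirects disabled, the final phishing page is never fetched, and a chain that refuses to terminate is reported rather than followed forever.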
When the user enters their Amazon credentials, they are routed through a series of pages designed to look authentic:
- Security Check: The first page requests the user’s date of birth and phone number before proceeding.
- Billing Confirmation: Next, they are asked to confirm their billing address on a page that appears to be an official billing form.
- Payment Verification: The user is prompted to enter their full payment card details, including the cardholder’s name, full number, expiration date, and security code.
- Finish: Finally, the user reaches a “Finish” page that claims their information is being verified. It may display fictitious success messages; its purpose is to reassure the victim that the “verification” is proceeding normally.
The chain ends by returning the victim to the fake Amazon login page, which convincingly replicates every element of the real site, including client-side validation checks, password-format rules and username requirements.
The whole process harvests the victim’s personal and financial information while persuading them that they are completing Amazon’s legitimate security checks.
At Phishing Tackle, we know all too well that security technology is often left incorrectly configured. Security Awareness Training remains one of the most cost-effective methods of boosting cyber-security within your business. Have a look at our free Click-Prone® Test to find out how many of your staff are susceptible to a phishing attack and learn how you can reduce this number today.