Amazon Prime Day leads to spike in phishing attempts

Ahead of Amazon Prime Day, a highly-anticipated two-day online event, Bolster Research analyzed hundreds of millions of web pages and tracked the number of new phishing and fraudulent sites using the Amazon brand and logos. The researchers observed a spike in the number of new monthly phishing and fraudulent sites created using the Amazon brand since August, the most significant since the COVID-19 pandemic forced people indoors in March.

Shashi Prakash, CTO of Bolster, says, "The huge spike in phishing and fraud sites in September is a strong indication that cybercriminals will be active and trying to profit from the Prime Day frenzy. Shoppers need to stay alert to avoid giving up their personal information or buying products on fraudulent sites for things they will never receive. The best way shoppers can protect themselves is by understanding how to discern safe, secure activity from concerning warning signs that sites are fraudulent to avoid scams."

“Are you ready for another wave of phishing and online fraud? Because it’s coming and you can hardly miss it, thanks to Amazon’s ubiquitous promotion of Prime Day. It won’t be Amazon doing the scamming—it will be the same folks who take advantage of every other thing that excites us, scares us, or moves us to flock online in droves," says Tom Pendergast, Chief Learning Officer at MediaPro, a Seattle, Washington-based provider of cybersecurity and privacy education. "Just like we see during other times of the year, including tax time, elections, and the steady tick of coronavirus news, Amazon’s Prime Day will prompt cybercriminals to set up all manner to traps for people whose (rightful) enthusiasm outstrips their skepticism.”

Brandon Hoffman, Chief Information Security Officer at Netenrich, a San Jose, Calif.-based provider of IT, cloud, and cybersecurity operations and services, notes that Amazon Prime Day(s) represents a unique opportunity for cybercriminals because there will be a massive focus on special deals. "This creates a situation where people may be scrambling to get a special deal on something and may allow them to overlook common suspicious activity. Another consideration is that Amazon security teams will likely be on high alert for fraudulent activity but that may overshadow some other standard areas of focus leaving a blindspot for less overt tactics against Amazon directly. Specifically malvertising links for Amazon deals that lead to malware or phishing attempts offering early access or special deals."

Hank Schless, Senior Manager, Security Solutions at Lookout, a San Francisco, Calif.-based provider of mobile security solutions, says, “We saw a massive spike in COVID-19-related scams when the pandemic first broke out. So it makes sense that there would be a spike in Amazon-related URLs, especially at a time when online shopping has become the primary way people are purchasing things."

At the start of the pandemic, Schless says Lookout observed a 37% increase in mobile phishing attempts. Most of these attempts were directly tied to COVID by posing as relief funds, medical updates, or entertainment for life in isolation.

"People shop on their smartphones and tablets more than ever before. Threat actors know that. We receive messages about new deals and shipping updates through SMS and social media platforms all the time. Phishing campaigns based on something like Prime Day are built to mimic those communications. We’re programmed to interact quickly with notifications on our mobile devices," Schless adds. " It also doesn’t help that mobile devices have smaller screens and simplified user experience that makes it more difficult to spot many of the red flags that would usually warn us of a phishing attack. I’ve seen mobile-specific phishing campaigns recently where they target users with fake SMS messages pretending to be their local package delivery service. When the user taps the link in the message, they’re asked to identify themselves by entering their credit card number or other personal data."

Steve Durbin, managing director of the Information Security Forum, a London-based authority on cyber, information security and risk management, says, “These days, we are all overwhelmed by emails from different organizations providing offers that ‘we can’t refuse’. Our appetite for information is immense and cybercriminals know this. Therefore, there may be attachments or links offering further details or information and encouraging us to click before we think. Very few communications with such links or attachments will be anything other than scams and they should be avoided."

So, how can users protect themselves, their data and their money during this event?

Ray Kelly, principal security engineer at WhiteHat Security, a San Jose, Calif.-based provider of application security, notes, “Social engineering remains a common method for attackers. Humans are often the weakest link in the security chain. Proper training and employing services that test human exposure to social engineering attacks, such as phishing, can be vital to help prevent someone from becoming the next victim.”

"Always think before you click. Take a moment to ask yourself, does this look like a real email? If it has an embedded link or attachment, those are the first things that should set off warning signals," Durbin notes. " Is this a site that you’ve seen before? It is far better to use a well-known brand or one you or colleagues, family, or friends have used in the past. These are questions you need to ask yourself.”

Schless says, "To protect yourself from mobile phishing attacks, you should never tap a link from a number or person you don’t recognize. If possible, contact the sender and validate the communication before interacting with the link. If you do tap one of these links, read the full URL in the browser. Phishing sites often use URL spoofing to look like the Amazon website, for example, but when you view the full URL it’s actually something very different. You should also protect your phone and your personal data by using a mobile security app that offers phishing protection. Not only will this keep your personal data safe, but it also helps protect any work data you access from your personal smartphone, tablet, or Chromebook.”

"Users should exercise caution and operate specifically within the Amazon website or the Amazon apps as opposed to clicking on banner ads or emails, unless the email has been vetted or verified," says Hoffman. "Corporate users who casually browse or shop on their devices may have the benefit of security controls implemented by a security team. However, if corporate users happen to unwittingly bypass those controls the damage will be much more significant than a home user. The most important things users should keep in mind is to work directly on Amazon sites and apps and email confirmed to be direct from Amazon. These basic considerations should help most users avoid an unnecessary unfortunate situation.”

Matt Rose, Global Director of Application Security Strategy, Checkmarx, says, “The delay of this year’s Amazon Prime Day carries large-scale security implications, as cybercriminals have now had ample time to create more sophisticated, targeted campaigns than in years past, such as phishing and crypto-style attacks. Additionally, a record volume of shoppers are expected to take part in Amazon’s Prime Day this year, with COVID-19 creating an increased reliance on e-commerce and the timing of this year’s event falling right before the holidays. This has the potential to be a recipe for disaster, as attackers recognize that their schemes can be cast amongst a wide net of victims."

"With this, and Verizon’s 2020 Data Breach Investigations Report finding that vulnerable web applications are the main cause of retail data breaches, Amazon Prime Day and the upcoming holiday season more broadly should serve as a reminder that all e-commerce brands should prioritize the security of the apps and software to create a safe online shopping experience for customers. Brands who are developing and deploying new web and mobile applications must conduct early and regular security tests throughout the software development lifecycle. For those with applications already in-market, regular security scans should be conducted on a predictive and consistent basis by leveraging automation of AST technologies to uncover new software flaws that may arise, especially when dealing with open source code, with timely patches and updates released accordingly. Additionally, taking a microscope to API integrations is critical to ensure that third-party vendors and software providers are employing the same security standards that your organization expects," says Rose.

Rose adds, "At the end of the day, it’s important for e-commerce brands to remember that it’s not just their infrastructure they’re protecting, but also the data of their trusting and loyal customers. On the flip side, it’s equally important for consumers to elevate their security awareness around Prime Day and the holiday shopping season. As they rush to take advantage of lightning and flash sales and secure the hottest gifts of the year, it’s important to pause, ensure you’re shopping from a trustworthy vendor and through a reliable application, and that you aren’t inadvertently purchasing an item with known, or potential, security flaws. Before clicking ‘buy,’ ask yourself if this is really something you need and if the convenience pros for something like an IoT device outweigh the potential privacy cons.”

Situational awareness should be at the forefront of your security program. It can mean the difference between life and death in a workplace emergency.

Security’s digital transformation is now entering stage 5. Complex security technologies are connected to HR systems, global security operations centers, and other building technologies in a world where employees now work in two places: home and the corporate office.