Scam alert

Amazon Credential Phishing

We choose to feature this scam e-mail because it uses some techniques we don't get to see very often.  Otherwise, it's ...


We choose to feature this scam e-mail because it uses some techniques we don't get to see very often.  Otherwise, it's a standard credential phishing scam.  Credential phishing is where scammers/attackers try to trick you into providing your legitimate credentials to their illegitimate website so they can use them for their own purposes.  An unfortunate reality of this is that many people use the same credentials across multiple services/websites so the scammers are able to compromise not just the service that claim to be, but many others. This is called credential stuffing.

The first technique we don't see often is the use of visual spoofing.  Look at the "a" in Amazon in the "From" field below.  It's not actually an "a", but the Alpha symbol.  They likely did this to throw off basic e-mail filtering.  Also notice the "account.com" in the "To" field is misspelled.  When we read our minds often skip over these small misspellings.

The second technique is the attached PDF on the e-mail.  The e-mail itself it innocuous enough to get through most e-mail filters are it doesn't have any links or images that look suspicious.  Instead, the more official looking attached PDF has the link to the scam site in it.  You can see in the image that the link doesn't go to to Amazon; instead it goes to Tumblr.

The scam e-mail

The PDF attached to the scam e-mail

Identifying Traits

  • Incorrect sending domain.  Amazon would send e-mails from Amazon.com.
  • Poor English.  If scammers ever learned English syntax we'd be in trouble.  Until then, odd language and misspellings are easy indicators of scam e-mails.
  • Visual spoofing.  The Alpha symbol is sneaky, but it's a sign that something isn't correct here.
  • Not sent to you.  This sort of e-mail would be sent to a specific person, not to a vague e-mail address.
  • PDF attachment.  Usually you would get invoices in PDFs, not something that says your account is compromised.  If it feels suspicious, it probably is.
  • Links go somewhere else.  The links in the PDF don't go to Amazon's website. Legitimate services would definitely send you to their own website.

What It Does

This one isn't too complicated on what it does.  Not nearly as interesting as the last one we analyzed!  Check out that one here.  If you click the link in the PDF it will take you through a Tumblr redirect to multiple other redirects to eventually show a fake Amazon log-in screen.  If you provide your credentials the site will log them and be used for nefarious purposes.

Similar posts