An increase in phishing & malicious websites aimed at defrauding Amazon.com customers threatens to make Prime Day a hackers’ ‘field day’.
Cyber-criminals are tapping into Amazon’s annual discount shopping campaign for subscribers, Prime Day, with researchers warning of a recent spike in phishing & malicious websites that are fraudulently using the Amazon brand.
There has been a rise in the number of new monthly phishing & fraudulent sites created using the Amazon brand since Aug., the most significant since the COVID-19 pandemic forced people indoors in March, according to a Thursday report from Bolster Research.
“As shoppers gear up for 2 days of great deals, cyber-criminals are preparing to prey on the unwary, taking advantage of those who let their guard down to snap up bargains,” researchers wrote.
Prime Day actually happens over 2 days & this year the event falls on Oct. 13 to 14. Amazon Prime customers enjoy special sales & discounts on top brands to mark the biggest shopping event of the year on the online retail giant’s site.
Amazon last year gained over $7 billion in sales during the 36-hour event, which could go even bigger this year due to “the decline of brick & mortar retail & the close proximity to the holidays,” researchers noted. Indeed, mandatory stay-at-home orders globally that began with the COVID-19 pandemic in March have significantly boosted Amazon’s business, a trend that shows no signs of stopping.
Researchers analysed hundreds of millions of web pages to track the number of new phishing & fraudulent sites using the Amazon brand & logos.
The research shows threat actors taking advantage of both Amazon features & consumer behaviours to try to lure online shoppers to fraudulent sites that can steal their credentials, financial information & other sensitive data.
A new campaign targets “returns” or “order cancellations” related to Prime Day using a fraudulent site, www.amazoncustomersupport[.]net, that mimics a legitimate Amazon site. However, closer examination of the site shows it is clearly designed to defraud consumers, researchers observed.
One piece of evidence is its use of a phone number, as “Amazon does not encourage customer service by phone & takes a great effort to find phone support on the real Amazon site,” researchers wrote.
The form on the site also requests bank or credit card information from customers, a clear intent to steal this information, since Amazon always offers refunds to the original form of payment or gift cards.
Further, the site also does not ask for a customer password, something Amazon always requires for purchases & returns.
Other smaller issues, such as broken links attached to the Amazon Prime logo & a “Get Started” button, also appear on the site. These also are signs of fraudulent behaviour that shoppers should look out for in general as they shop on Prime Day, researchers noted.
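The indicators described for the fake returns page (the brand name in a domain Amazon does not own, a form asking for bank or card details, no password prompt, a support phone number) can be checked mechanically by a defender triaging reported pages. The sketch below is an added example, not code from the Bolster report; the list of legitimate domains, the field-name patterns and the sample HTML are constructed assumptions.

```python
import re
from html.parser import HTMLParser

# Assumption: domains treated as genuinely brand-owned for this sketch.
LEGIT_SUFFIXES = ("amazon.com",)
CARD_RE = re.compile(r"card|cvv|iban|account|routing|bank", re.I)
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{8,}\d")

class FormScan(HTMLParser):
    """Collects (type, name) of every <input> and the page's visible text."""
    def __init__(self):
        super().__init__()
        self.fields, self.text = [], []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            a = dict(attrs)
            self.fields.append(((a.get("type") or "text").lower(), a.get("name") or ""))

    def handle_data(self, data):
        self.text.append(data)

def brand_lookalike(host, brand="amazon"):
    host = host.replace("[.]", ".").lower().strip(".")  # accept defanged input
    owned = any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES)
    return brand in host and not owned

def score_page(host, html):
    scan = FormScan()
    scan.feed(html)
    findings = []
    if brand_lookalike(host):
        findings.append("brand-in-foreign-domain")
    if any(CARD_RE.search(name) for _, name in scan.fields):
        findings.append("asks-for-payment-details")
    if scan.fields and not any(t == "password" for t, _ in scan.fields):
        findings.append("no-password-prompt")
    if PHONE_RE.search(" ".join(scan.text)):
        findings.append("support-phone-number")
    return findings

# Constructed sample page, modelled on the description in the article.
SAMPLE = """<h1>Cancel your Prime Day order</h1><p>Call 1 (555) 010-0199</p>
<form><input name="email"><input name="card_number"><input name="cvv"></form>"""
```

Each finding is a weak signal on its own; the combination of all four on one page is what matches the pattern researchers describe.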
Another malicious site recently seen by researchers takes advantage of most consumers’ love of a free gift. The site, www.fr-suivre[.]vip, promotes an Amazon loyalty program & offers a free iPhone 11 Pro if people answer a few survey questions. After answering these questions, people are directed to a simple game that they win, & are asked to enter credit card info, so the site can charge them $1 to receive the iPhone.
The site even includes a screenshot in which “the free iPhone is validated by many others who have already received their phones,” researchers wrote. “Despite the glowing reviews, the $999 phone will never arrive, & the shopper begins to see strange charges on the credit card number provided,” they warned.
For Amazon Prime customers who plan to take advantage of the event in 2020, or anyone else shopping on Amazon, avoiding online fraud is not that hard, researchers outlined. All shoppers should start directly at the source, Amazon.com, & pay attention to their experience to ensure that nothing is out of the ordinary.
“Shoppers need to be aware of cyber-criminals prepared to take advantage of the situation,” researchers explained. “With some diligence & attention to detail, shoppers will be able to get those deals without getting scammed.”
Amazon, too, can take even more security steps to protect customers as its business continues to boom, with cyber-crime inevitably following, observed Kevin Beasley, CIO at enterprise management software provider VAI.
“To minimize the risk of data breaches or security issues, retailers, like Amazon, must install additional multi-factor authentication for logins & policies to protect passwords & who has access to data,” he suggested.
Online retailers across the board also should get out ahead of the busy holiday season by making their platform “a security-first environment,” Beasley observed.
This can be done “by installing additional layers of security infrastructure between the operating system & hardware platform, & continuous security testing & automating scans of hardware & software systems to seek out vulnerabilities & patch potential issues as they arise,”