Amazon Prime customers targeted in a new phishing campaign

A new phishing campaign has been discovered targeting Amazon Prime customers by tricking them into thinking their subscription is about to expire. The campaign uses bogus PDF documents that link to websites impersonating Amazon, stealing a victim’s sensitive account data and credit card information.

Threat intelligence analysts from Palo Alto’s Unit 42 research division were the first to confirm the campaign. They also uncovered as many as 31 fake PDF documents being sent to victims and claim that the threat actors have registered more than 1,000 domains, all designed using Amazon’s brand identity in an attempt to associate themselves with the e-commerce platform since at least June 2024.

The modus operandi of the campaign is rather usual. A misleading email claiming the recipient's Prime membership is expiring tricks users into opening an attachment, one of the 31 PDF files. The link in the PDF is redirected multiple times before landing on the phishing site. These phishing websites also use cloaking to redirect scans and other analysis attempts to benign domains.

During their investigation, the researchers found that none of the 31 PDFs had yet been uploaded to VirusTotal, indicating that anti-phishing measures may not yet be aware of the ongoing campaign and, hence, unable to block associated malicious URLs effectively.
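Because the PDFs are not yet known to scanning services and the landing sites cloak themselves from crawlers, a mail gateway can still inspect the attachment statically, without following any link. The sketch below is an added example, not code from Unit 42 or this article: it pulls link targets out of a PDF's uncompressed `/URI` actions and flags hosts that use the Amazon name but are not under an allowlisted domain. The allowlist, the sample PDF fragment and its `.example` hosts are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumed allowlist of legitimate domains; extend it for your environment.
LEGIT_SUFFIXES = ("amazon.com",)
BRAND = "amazon"

# /URI (...) link actions as they appear in uncompressed PDF objects.
# Links stored inside compressed object streams need a real PDF parser.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def extract_uris(pdf_bytes):
    """Return link targets from /URI actions found in raw PDF bytes."""
    uris = []
    for match in URI_RE.finditer(pdf_bytes):
        # Undo the \( \) \\ escapes; octal escapes are out of scope here.
        raw = re.sub(rb"\\(.)", rb"\1", match.group(1))
        uris.append(raw.decode("latin-1"))
    return uris


def is_lookalike(url):
    """True when the host uses the brand name but is not an allowlisted host."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if BRAND not in host:
        return False
    return not any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES)


def suspicious_links(pdf_bytes):
    """Links in the PDF whose host impersonates the brand."""
    return [u for u in extract_uris(pdf_bytes) if is_lookalike(u)]


# Constructed sample: three link annotations, two of them to lookalike hosts.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
    b"/URI (https://amazon-prime-renewal.example/login) >> >> endobj\n"
    b"2 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
    b"/URI (https://www.amazon.com/gp/help) >> >> endobj\n"
    b"3 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
    b"/URI (https://amazon.com.account-check.example/a\\(1\\)) >> >> endobj\n"
)

if __name__ == "__main__":
    for link in suspicious_links(SAMPLE_PDF):
        print("flag:", link)
```

A first-hop link that does not carry the brand name in its host passes this check, so it complements URL reputation rather than replacing it.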

Once on the phishing site, users are prompted to enter their Amazon credentials and credit card information under the guise of renewing their subscription. However, these details are then funnelled to the attackers. Candid.Technology found no posts on popular dark web forums selling such data. This means that either the campaign is still underway and the threat actors are biding their time before the scam comes to light and they start selling data, or they are misusing these details to target victims and carry out individual scams.

As with most phishing URLs, the best mitigation is not opening any PDF attachments you weren’t expecting, regardless of their source. If in doubt, we recommend contacting the original sender to confirm the validity of a PDF or URL before clicking such links and entering any information they demand.

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.
