{"id":1581,"date":"2025-01-28T10:04:54","date_gmt":"2025-01-28T10:04:54","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/01\/28\/new-phishing-campaign-mimic-amazon-prime-membership-to-steal-credit-card-data\/"},"modified":"2025-01-28T10:04:54","modified_gmt":"2025-01-28T10:04:54","slug":"new-phishing-campaign-mimic-amazon-prime-membership-to-steal-credit-card-data","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/01\/28\/new-phishing-campaign-mimic-amazon-prime-membership-to-steal-credit-card-data\/","title":{"rendered":"New Phishing Campaign Mimic Amazon Prime Membership To Steal Credit Card Data"},"content":{"rendered":"<p>    New Phishing Campaign Mimic Amazon Prime Membership To Steal Credit Card Data<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n    <!-- no image --><br \/>\n \t<BR><br \/>\n<BR><\/BR><\/p>\n<div>\n<p>A sophisticated phishing campaign targeting Amazon Prime members has been uncovered, aiming to steal credit card information and other sensitive data.<\/p>\n<p>Cybersecurity experts have identified a complex attack chain that leverages PDF attachments, redirects, and cleverly crafted phishing sites to deceive unsuspecting victims.<\/p>\n<p>The campaign begins with malicious PDF files containing links to phishing sites impersonating Amazon.<\/p>\n<p>Researchers have collected 31 such PDF files, each with a unique SHA256 hash.<\/p>\n<figure class=\"wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter\">\n<div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">We recently discovered a campaign using PDF documents announcing an expired Amazon Prime membership. The PDFs link to <a href=\"https:\/\/twitter.com\/hashtag\/phishing?src=hash&amp;ref_src=twsrc%5Etfw\">#phishing<\/a> pages that impersonate Amazon. These sites ask for personal details and credit card data. More info at <a href=\"https:\/\/t.co\/e2lpm0g3NU\">https:\/\/t.co\/e2lpm0g3NU<\/a> <a href=\"https:\/\/t.co\/tbayO40I9j\">pic.twitter.com\/tbayO40I9j<\/a><\/p>\n<p>\u2014 Unit 42 (@Unit42_Intel) <a href=\"https:\/\/twitter.com\/Unit42_Intel\/status\/1883948928602644785?ref_src=twsrc%5Etfw\">January 27, 2025<\/a>\n<\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script>\n<\/div>\n<\/figure>\n<p>While the security analysts at Unit42 <a href=\"https:\/\/github.com\/PaloAltoNetworks\/Unit42-timely-threat-intel\/blob\/main\/2025-01-24-IOCs-for-phishing-campaign-impersonating-amazon.txt\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">noted<\/a> that these PDFs redirect users through a series of URLs, ultimately leading to a fraudulent site designed to capture credit card information.<\/p>\n<p class=\"has-text-align-center has-background\" style=\"background:linear-gradient(180deg,rgb(238,238,238) 87%,rgb(169,184,195) 100%)\"><strong><code><strong><code><strong><code><strong><code><strong><code><strong><code><strong><code>Are you from SOC\/DFIR Teams? -\u00a0Analyse Malware Files &amp; Links with ANY.RUN Sandox -&gt;\u00a0<a href=\"https:\/\/any.run\/demo\/?utm_source=li_csn&amp;utm_medium=post&amp;utm_campaign=video_meme&amp;utm_content=demo&amp;utm_term=270125\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Try for Free<\/a><\/code><\/strong><\/code><\/strong><\/code><\/strong><\/code><\/strong><\/code><\/strong><\/code><\/strong><\/code><\/strong><\/p>\n<h2 class=\"wp-block-heading\"><strong>Initial Attack Vector<\/strong><\/h2>\n<p>The attack chain typically follows this pattern:-<\/p>\n<ol class=\"wp-block-list\">\n<li>Users receive an email with a PDF attachment<\/li>\n<\/ol>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgPz3m7cyBCwPbMYKBq-0bnSqzqYfkF_OVYeN0E_dI4Z4hDEBMKW9AwxhGFeV2f0FJ5wFeDaAMc3EHXRVEU3q7rrNWOeMdfEkHLj_aLqty8u9cQHjJUzpcPphAooAaHXu1zvcY0ALiaoy0ZijL9CGAVuxCpWnj-w6L3nOC53IrJvB9MANC5AwWJAxQKGtY\/s16000\/From%2520PDF%2520file%2520to%2520phishing%2520site%2520%28Source%2520-%2520X%29.webp?ssl=1\" alt=\"\"><figcaption class=\"wp-element-caption\">From PDF file to phishing site (Source \u2013 X)<\/figcaption><\/figure>\n<\/div>\n<ol start=\"2\" class=\"wp-block-list\">\n<li>The PDF contains a link to an initial URL<\/li>\n<\/ol>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj4TQetni2NFgMPiq0L-7Z5QoUkWG1Ma4ONMvk_YSgYqdtHEIlNCyVxkP5j50vHdxgziZYrhlEHjzAI4YH36YzLIVNejtxARnlpILIQhSxn8pUxJiaxRErwKd3EKs6NLM7BJXRWn_iTzvX90hOUmuOfq6uxQ4SCB-SORPxfssJYHEqCXHt65YjitobHYkU\/s16000\/Ask%2520for%2520sensitive%2520data%2520%28Source%2520-%2520X%29.webp?ssl=1\" alt=\"\"><figcaption class=\"wp-element-caption\">Ask for sensitive data (Source \u2013 X)<\/figcaption><\/figure>\n<\/div>\n<ol start=\"3\" class=\"wp-block-list\">\n<li>This URL redirects to a subdomain of duckdns[.]org<\/li>\n<\/ol>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgw5W9a3ihtX707GFz53oRLi1wZL4niUh8Vcu2I0IMUt0ndEUu7StZsABkPOt2_UGLHqeBA4qxe0MrwGI_MNv9Qf2nZRMalnmln0aOEN2C9tRLJWvkE6dotTOYy2fAh4RhmQ871iRrDpoYp9zIneTJdnqQVKrjGGf1esxRfOvG8Xcmu-ArYh_8KRa-ggw4\/s16000\/Steal%2520credit%2520card%2520data%2520%28Source%2520-%2520X%29.webp?ssl=1\" alt=\"\"><figcaption class=\"wp-element-caption\">Steal credit card data (Source \u2013 X)<\/figcaption><\/figure>\n<\/div>\n<ol start=\"4\" class=\"wp-block-list\">\n<li>The phishing site then attempts to steal credit card data<\/li>\n<\/ol>\n<p>Researchers have identified several key components of this phishing operation:<\/p>\n<ul class=\"wp-block-list\">\n<li>\n<strong>PDF Hashes<\/strong>: 31 unique SHA256 hashes have been associated with the malicious PDF files.<\/li>\n<li>\n<strong>Initial URLs<\/strong>: Most links in the PDFs point to subdomains of duckdns[.]org, with a few using redirectme[.]net.<\/li>\n<li>\n<strong>Cloaking Techniques<\/strong>: The phishing websites employ cloaking to redirect scans and analysis attempts to benign sites.<\/li>\n<\/ul>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgNtt5v5haeN7elIyqumsiuJwaC1tK3WThQ7BWOI4d812E7TrRtyK-XsWpTHlme6hd1SqnjDwKN4CkGxwd8fu1RX4U1QMte5KfYam0FcwntsXmfvUzGszZ1hC5_-6x9fON1h5M6NFQYekQsN3mbdMIANn2MU6vqtEsBu9sckIiGo-HoipkwmNBIjtJTv0o\/s16000\/Cloaking%2520script%2520%28Source%2520-%2520X%29.webp?ssl=1\" alt=\"\"><figcaption class=\"wp-element-caption\">Cloaking script (Source \u2013 X)<\/figcaption><\/figure>\n<\/div>\n<ul class=\"wp-block-list\">\n<li>\n<strong>Infrastructure<\/strong>: Domains for initial URLs and intermediate staging URLs are often hosted on the same IP addresses.<\/li>\n<\/ul>\n<p>A typical attack flow observed on January 24, 2025, proceeded as follows:-<\/p>\n<ol class=\"wp-block-list\">\n<li>hxxps[:]\/\/redixajcdkashdufzxcsfgfasd.duckdns[.]org\/CCq8SKn<\/li>\n<li>hxxps[:]\/\/ahyewifjksdhfjhjgsdfhjdsasdzxcs.duckdns[.]org\/?verify<\/li>\n<li>Multiple CSS and favicon requests to mimic legitimate Amazon pages<\/li>\n<li>Final <a href=\"https:\/\/cybersecuritynews.com\/email-phishing-playbook\/\" target=\"_blank\" rel=\"noreferrer noopener\">phishing page<\/a>: hxxps[:]\/\/ahyewifjksdhfjhjgsdfhjdsasdzxcs.duckdns[.]org\/security-check\/secure?_ts=e69618fc9<\/li>\n<\/ol>\n<p>The campaign\u2019s reach is significant, with over 1,230 new domains associated with Amazon emerging in June 2024 alone. Alarmingly, 85% of these domains were flagged as malicious or suspicious.<\/p>\n<p>This surge in domain registrations coincides with the approach of major shopping events like Amazon Prime Day, indicating the attackers\u2019 intent to capitalize on increased online shopping activity.<\/p>\n<p>To combat this threat, experts recommend taking several precautions. Carefully scrutinize URLs, especially those claiming to be from Amazon, and ensure the websites you visit use HTTPS and display a padlock icon for security.<\/p>\n<p>Be cautious of emails that urge immediate action or request sensitive information, as these may be phishing attempts. Protect your Amazon account by using strong, unique passwords and enabling <a href=\"https:\/\/cybersecuritynews.com\/microsoft-multi-factor-authentication-issue\/\" target=\"_blank\" rel=\"noreferrer noopener\">multi-factor authentication<\/a> whenever possible.<\/p>\n<p>Amazon has stated that it initiated takedowns of more than 40,000 phishing websites and 10,000 phone numbers used in impersonation schemes in 2023.<\/p>\n<p>The company also employs advanced <a href=\"https:\/\/cybersecuritynews.com\/best-practices-for-email-security-headers\/\" target=\"_blank\" rel=\"noreferrer noopener\">email verification<\/a> technology to help customers identify authentic Amazon communications.<\/p>\n<p>By staying informed and following best security practices, shoppers can better protect themselves from falling victim to such scams.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/new-phishing-campaign-mimic-amazon-prime-membership\/\">New Phishing Campaign Mimic Amazon Prime Membership To Steal Credit Card Data<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p> \t<BR><br \/>\n <BR><\/BR><br \/>\n    Tushar Subhra Dutta<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/new-phishing-campaign-mimic-amazon-prime-membership\/\">Go to cyber-security-news<\/a><br \/>\n \t<BR><br \/>\n <BR><\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"<p>New Phishing Campaign Mimic Amazon Prime Membership To Steal Credit Card Data A sophisticated phishing campaign targeting Amazon Prime members has been uncovered, aiming to steal credit card information and other sensitive data. Cybersecurity experts have identified a complex attack chain that leverages PDF attachments, redirects, and cleverly crafted phishing sites to deceive unsuspecting victims. [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[63,124,649],"tags":[130],"class_list":["post-1581","post","type-post","status-publish","format-standard","hentry","category-cyber-security-news","category-phishing","category-threats","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/1581"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=1581"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/1581\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=1581"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=1581"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=1581"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}