Black Friday themed Amazon Voucher scam

Xue Yang, Security Researcher, Websense | Nov. 28, 2014

The Websense ThreatSeeker Intelligence Cloud has detected Amazon voucher scams using Black Friday Gift Card themes as a lure. We have observed a surge of over 20,000 spam emails with the subject of "Amazon Black Friday Gift Card #XXXXXXXXX" since Thursday 20th November (where "X" signifies the use of random digits in the email subject).
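The subject line described above can be swept for at a mail gateway or across stored mail. The following Python is an added example, not Websense's detection logic: it matches the quoted subject after decoding RFC 2047 encoded-words and unfolding the header, then counts hits per day. It assumes the nine X's mean exactly nine digits, and the sample messages are constructed.

```python
import re
from collections import Counter
from email import message_from_string, policy

# Subject lure quoted in the article. Assumption: the nine X's mean exactly
# nine random digits.
LURE = re.compile(r"Amazon Black Friday Gift Card #\d{9}", re.IGNORECASE)

def normalized_subject(msg) -> str:
    """Subject with RFC 2047 encoded-words decoded and folding collapsed."""
    return " ".join(str(msg["Subject"] or "").split())

def is_lure(raw: str) -> bool:
    msg = message_from_string(raw, policy=policy.default)
    return LURE.fullmatch(normalized_subject(msg)) is not None

def lure_counts_by_day(raw_messages) -> dict:
    """Count lure subjects per Date-header day, to make a volume surge visible."""
    counts = Counter()
    for raw in raw_messages:
        msg = message_from_string(raw, policy=policy.default)
        if LURE.fullmatch(normalized_subject(msg)):
            date = msg["Date"]
            day = date.datetime.date().isoformat() if date and date.datetime else "unknown"
            counts[day] += 1
    return dict(counts)

# Constructed sample messages (headers only); none come from the campaign.
SAMPLES = [
    "Date: Thu, 20 Nov 2014 09:15:00 +0000\nSubject: Amazon Black Friday Gift Card #482910375\n\n",
    # Same lure inside an RFC 2047 Q-encoded word (=23 is '#').
    "Date: Thu, 20 Nov 2014 11:02:00 +0000\nSubject: =?UTF-8?Q?Amazon_Black_Friday_Gift_Card_=23615038291?=\n\n",
    # Same lure folded across two header lines.
    "Date: Fri, 21 Nov 2014 08:40:00 +0000\nSubject: Amazon Black Friday\n Gift Card #730194826\n\n",
    # Benign Amazon-themed subject that must not match.
    "Date: Fri, 21 Nov 2014 10:05:00 +0000\nSubject: Your Amazon.com order has shipped\n\n",
]

if __name__ == "__main__":
    print(lure_counts_by_day(SAMPLES))
```

The Date header is set by the sender, so a production sweep would bucket on the gateway's own receive time instead.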

As Thanksgiving Day is just around the corner, the shopping season is also here, and it appears that cybercriminals are going to take full advantage of this chance to spread spam scams and increase their illegal revenues, utilizing well-known, and trusted, brands such as Amazon.

Executive Summary

  • When a user clicks on "Activate My Amazon.com Rewards", it will redirect them to a survey page which advertises a reward for filling out the survey.
  • Users are encouraged to submit their personal information.
  • The pages were designed to serve different language versions according to the victim's geographical location.

Websense customers are protected from this threat by ACE, our Advanced Classification Engine, at the following stages of the attack:

  • Stage 2 (Lure) - ACE has detection for the email lures & the URLs used in these lures.
  • Stage 3 (Redirect) - ACE has detection for the redirect pattern that occurs if a user visits one of these URLs, and for the survey scam pages themselves.

"While there's lots of news about advanced attacks and data breaches, let's not forget that themed scams are still prevalent, especially around national holidays and high-profile events. When the phrase 'too good to be true' springs to mind, my advice to users would be, do not click. High volume attacks targeting user credentials are not new, yet spammers are still clearly seeing value as users are still falling for the voucher trick. Whilst these campaigns are usually not malicious by nature they pose a significant risk to users who may give out personal information, making them a more viable target for future attacks," said Carl Leonard, Principal Security Analyst, Websense.

One email sample with this Amazon theme:

http://community.websense.com/resized-image.ashx/__size/550x0/__key/CommunityServer.Blogs.Components.WeblogFiles/securitylabs/0652.Amazon5.jpg

The links in this email campaign have a common pattern:

http://community.websense.com/resized-image.ashx/__size/550x0/__key/CommunityServer.Blogs.Components.WeblogFiles/securitylabs/1055.Amazon11.JPG

Chinese-based version:

http://community.websense.com/resized-image.ashx/__size/550x0/__key/CommunityServer.Blogs.Components.WeblogFiles/securitylabs/6355.Amazon3.JPG

US-based version:

http://community.websense.com/resized-image.ashx/__size/550x0/__key/CommunityServer.Blogs.Components.WeblogFiles/securitylabs/5355.Amazon7.JPG

After the victim completes the survey steps, the page finally asks them to select a reward. However, they have to fill out personal information in order to do so. Obviously there is no free voucher at all, and the survey here blatantly engages in illegal methods to advertise and generate traffic to a web site that earns the cybercriminal money.

http://community.websense.com/resized-image.ashx/__size/550x0/__key/CommunityServer.Blogs.Components.WeblogFiles/securitylabs/7411.Amazon10.jpg

Thus, this is the true nature of the scam. The aim of the lure is to generate revenue as part of a Cost Per Action (CPA) lead scam. This is a technique that we have been tracking for some time, as our previous blogs show.
