Saturday, February 8, 2025

New Phishing Scam Targets Amazon Prime Membership to Steal Credit Card Data


A recent investigation has uncovered a sophisticated phishing campaign leveraging malicious PDF files to redirect unsuspecting users to fake Amazon-branded phishing websites.

Researchers from Unit 42 reported that this campaign utilizes PDFs containing embedded links as an initial lure to compromise users and steal sensitive information such as login credentials and credit card details.

Attack Chain Overview

The phishing operation begins with a targeted email to victims that carries a PDF attachment.

Upon opening the document, users encounter a clickable link leading to an “Initial URL.”

This URL subsequently redirects users to subdomains hosted on duckdns[.]org, which serve as an entry point to the phishing infrastructure.

The malicious websites are designed to impersonate Amazon’s login and payment pages.

What sets this campaign apart is the use of cloaking techniques. When systems like anti-virus software or sandboxes attempt to analyze these URLs, the phishing domains redirect them to benign pages, thereby evading detection.

The PDF samples analyzed during the investigation had not been submitted to VirusTotal at the time of analysis, which further suggests they were new and narrowly targeted.

Additionally, most of the URLs, including intermediate links, are hosted on the same IP address, indicating a coordinated operation.

Technical Details

During the analysis, researchers identified 31 unique PDF files associated with this campaign.

Each file contained links to deceptive domains, including subdomains such as redirjhmxnasmdhuewfmkxchbnvjxfasdfasd.duckdns[.]org.

Once users clicked on these links, they were redirected through a chain of URLs before landing on a phishing site.

The pages at these URLs mimicked legitimate Amazon branding and walked victims through a sequence of steps designed to capture login, security, and billing information.

Notably, the phishing domains used a phishing kit suspected to be either newly developed or a modified version of an existing one.

One particular SHA256 hash corresponding to the kit was identified: d49e6ae0d4887490c18ef9a2d2a1b658e3164a08a2d22a1fb535bd237b594f20.

This kit enabled the attackers to construct convincing Amazon-like login pages and process user input such as passwords and payment credentials.

An example sequence of the phishing flow includes links such as:

  1. hxxps[:]//redixajcdkashdufzxcsfgfasd.duckdns[.]org/CCq8SKn
  2. hxxps[:]//ahyewifjksdhfjhjgsdfhjdsasdzxcs.duckdns[.]org/security-check/signin/process
  3. hxxps[:]//ahyewifjksdhfjhjgsdfhjdsasdzxcs.duckdns[.]org/security-check/payment/

Each step progressively mimics legitimate Amazon processes, leading victims to confidently provide sensitive information.
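The chain above lends itself to simple triage logic. The following is an added example (not code from the article or from Unit 42) that pulls `/URI` link actions out of an uncompressed PDF and flags links that share the campaign's traits: a duckdns.org dynamic-DNS host, a long opaque subdomain label, and the `security-check/signin` or `security-check/payment` path. The sample PDF is constructed inline; the URLs are the article's own, kept in defanged form and re-fanged only at runtime.

```python
import re
from urllib.parse import urlsplit

# The redirect chain quoted in the article, kept defanged exactly as published.
CHAIN = [
    "hxxps[:]//redixajcdkashdufzxcsfgfasd.duckdns[.]org/CCq8SKn",
    "hxxps[:]//ahyewifjksdhfjhjgsdfhjdsasdzxcs.duckdns[.]org/security-check/signin/process",
    "hxxps[:]//ahyewifjksdhfjhjgsdfhjdsasdzxcs.duckdns[.]org/security-check/payment/",
]

def refang(url: str) -> str:
    """Turn the defanged notation used in the write-up back into a parseable URL."""
    return url.replace("hxxp", "http").replace("[:]", ":").replace("[.]", ".")

def suspicious_reasons(url: str) -> list[str]:
    """Heuristics taken from the campaign's traits; returns [] when nothing matches."""
    u = urlsplit(refang(url))
    host = (u.hostname or "").lower()
    reasons = []
    if host == "duckdns.org" or host.endswith(".duckdns.org"):
        reasons.append("dynamic-DNS host under duckdns.org")
    label = host.split(".")[0]
    if len(label) >= 20 and label.isalpha():  # long, letters-only, random-looking
        reasons.append(f"opaque {len(label)}-char subdomain label")
    if re.search(r"/security-check/(signin|payment)\b", u.path):
        reasons.append("sign-in/payment path matching the observed flow")
    return reasons

URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")  # /URI (...) with \( \) \\ escapes

def extract_pdf_uris(pdf_bytes: bytes) -> list[str]:
    """Return every /URI link target in an uncompressed PDF, escapes undone."""
    out = []
    for raw in URI_RE.findall(pdf_bytes):
        out.append(re.sub(r"\\([()\\])", r"\1", raw.decode("latin-1")))
    return out

def triage_pdf(pdf_bytes: bytes) -> dict[str, list[str]]:
    """Map each embedded URL to the reasons it resembles this campaign's lure."""
    return {u: suspicious_reasons(u) for u in extract_pdf_uris(pdf_bytes)}

# Constructed sample PDF: one lure link (the article's first hop) and one benign link.
SAMPLE_PDF = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (" + refang(CHAIN[0]).encode() + b") >> >> endobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://www.example.com/help\\(faq\\)) >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
```

Real-world PDFs usually store objects inside compressed streams, so in production the bytes should be decompressed (for example with a PDF library) before `extract_pdf_uris` is run over them.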

This campaign serves as a stark reminder of the evolving tactics adopted by cybercriminals. With the use of decoy PDF documents and obfuscation techniques, such as cloaking, attackers are becoming more difficult to detect.

Organizations are advised to enhance email filtering mechanisms, educate users about identifying malicious attachments, and frequently update blacklists for domains such as duckdns[.]org.

Meanwhile, researchers continue to monitor the infrastructure for further developments, urging users to remain vigilant.

Aman Mishra
Aman Mishra is a Security and Privacy Reporter covering data breaches, cybercrime, malware, and vulnerabilities.
