An Amazon phishing campaign is accidentally sending out links that lead straight to the attacker’s remote access console, according to Paul Ducklin at Naked Security. Ducklin explains that Sophos came across a generic Amazon Prime phishing email which informed recipients that their Amazon account had been suspended. The email contained a link for the user to verify their account by updating their card number and billing address.
The email wasn’t particularly convincing or well-written, but the Sophos researchers followed the link to see where it would take them. The link first redirected them through two legitimate WordPress sites, which had apparently been hacked by the attacker to use as stepping stones before the actual phishing site. This is a common tactic to avoid being detected by spam filters.
After this, the attacker presumably intended to send the victim to a phishing page that would try to steal their Amazon credentials and financial details. However, the attacker seems to have made a disastrous mistake and instead used the URL to the console that controlled the hacked WordPress sites.
The attacker had planted a small, obscure PHP file on each compromised site that granted them direct access to the site’s files and allowed them to do things that even the WordPress administrator couldn’t do.
“In other words, the crooks have set things up so they can sidestep the WordPress administration console entirely,” Ducklin explains. “They don’t need a password; they won’t get logged by the WordPress system; and they can add and modify files that WordPress wouldn’t normally allow, essentially allowing them to hide content such as phishing pages and malware downloads in plain sight.”
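As an added illustration of how a site administrator might hunt for the kind of planted PHP file described above, the following example (written for this summary, not code from Sophos or Naked Security) walks a WordPress tree and flags PHP files in the media uploads directory or containing functions typical of file-manager backdoors. The fake site layout, file names and function list are assumptions constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# WordPress stores uploaded media here; a clean install has no PHP files under it.
MEDIA_DIRS = ("wp-content/uploads",)
# Functions that are rare in ordinary themes but common in file-manager backdoors.
# Core and some plugins use these legitimately, so treat hits as leads to review, not verdicts.
SUSPICIOUS = re.compile(
    r"\b(eval|base64_decode|move_uploaded_file|file_put_contents|passthru|shell_exec)\s*\("
)


def scan_wordpress(root):
    """Return sorted (relative_path, [reasons]) for PHP files that merit a manual look."""
    root = Path(root)
    findings = []
    for path in root.rglob("*.php"):
        rel = path.relative_to(root).as_posix()
        reasons = []
        if any(rel.startswith(d + "/") for d in MEDIA_DIRS):
            reasons.append("php in media directory")
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue
        hits = sorted({m.group(1) for m in SUSPICIOUS.finditer(text)})
        if hits:
            reasons.append("calls " + ",".join(hits))
        if reasons:
            findings.append((rel, reasons))
    return sorted(findings)


def build_sample_site():
    """Construct a minimal fake WordPress tree with one planted, non-functional stub file."""
    root = Path(tempfile.mkdtemp(prefix="wp-"))
    (root / "wp-content/uploads/2020/02").mkdir(parents=True)
    (root / "wp-content/themes/demo").mkdir(parents=True)
    (root / "wp-includes").mkdir()
    (root / "wp-includes/version.php").write_text("<?php\n$wp_version = '5.3';\n")
    (root / "wp-content/themes/demo/functions.php").write_text(
        "<?php\nadd_action('init', 'demo_init');\n")
    # Constructed sample: an innocuously named file in uploads that only names the
    # functions a shell would use; the placeholder arguments make it do nothing useful.
    (root / "wp-content/uploads/2020/02/wp-cache-helper.php").write_text(
        "<?php\nfile_put_contents('CONSTRUCTED', base64_decode('CONSTRUCTED'));\n")
    return root


if __name__ == "__main__":
    for rel, reasons in scan_wordpress(build_sample_site()):
        print(rel, "->", "; ".join(reasons))
```

Run against a real install, the uploads check alone is a reliable signal, while the function-name check needs a baseline of the site's legitimate plugins to be useful.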
It’s not clear how the attacker compromised these sites in the first place, but Ducklin notes that outdated and vulnerable WordPress plugins are a frequent entry point. Ducklin says the story demonstrates the importance of good security practices for website administrators as well as for regular users. Even a minor website can have value to criminals as a staging area for future crimes.
“If your site gets hacked, you’ll probably end up blocklisted,” he writes. “Once the crooks start using your website to host malicious content, you are likely to end up getting blocked or filtered by security products and the major browsers.”
New-school security awareness training can create a culture of security within your organization by teaching all of your employees to follow security best practices.
Naked Security has the story: https://nakedsecurity.sophos.com/2020/02/21/the-amazon-prime-phishing-attack-that-wasnt/