Amazon Prime Day 2019: Beware of Fake Sites Made by 16Shop Phishing Tool to Trap Users
Discovered by security researchers Oliver Devane and Rafael Pena of McAfee Labs, 16Shop is the same phishing tool that was used to target Apple users.

As users gear up to find the best deals ahead of Amazon Prime Day Sale 2019, security researchers Oliver Devane and Rafael Pena of McAfee Labs have discovered a critical phishing threat called 16Shop that has been targeting Amazon users since May 2019. According to the researchers, the tool was previously used against Apple users: it presented a fake login page and urged users to re-enter their credit card details, leading to financial theft.

The McAfee researchers have noted that while the 16Shop phishing tool may not be operated by the same person as before, it appears to be an identical copy of the one that affected many Apple users worldwide. Previously operated by an Indonesian hacker who goes by the alias 'DevilScreaM', the 16Shop phishing tool is claimed to have also been marketed to vendors through a closed Facebook group, which in turn may have resulted in more attackers using it to target large-scale websites such as Amazon. While the USA and Indonesia are known to be the targeted markets so far, it is not clear whether Indian websites are also being targeted now.

According to the information revealed so far, the 16Shop tool uses multiple domains that replicate an Amazon login screen in order to steal a user's credentials and, subsequently, previously added credit or debit card data. This can prove extremely damaging, since the Amazon Prime Day Sale typically sees millions of users accessing the e-commerce giant's portal for time-bound deals and discounts, and they often end up spending a significant chunk of money during this period. Seeing that Amazon is slated to experience a higher amount of activity than usual, it is imperative that users remain more cautious than ever.

The most certain fix for users across the world is to not access any URL that offers an Amazon login interface, apart from the official URL itself. Emails that carry offers, or prompts stating that a user's account credentials have suddenly been reset or locked (as the 16Shop attackers did with Apple), are best left untouched and deleted. According to the McAfee Labs blog post, the following six URLs are being used to lure users into a trap, and for the sake of safety, users should add these addresses to the blacklist of whichever firewall they are using.

The URLs are (warning: do not click on or visit any of these addresses):

verification-amazonaccess.secure.dragnet404.com/

verification-amazon.servicesinit-id.com/

verification-amazonlocked.securesystem.waktuakumaleswaecdvhb.com/

verification-amazonaccess.jaremaubalenxzbhcvhsd.business/

verification-amazon.3utilities.com/

verification-amaz0n.com/

Devane and Pena conclude their alert against this recent threat by stating, "During our monitoring, we observed over 200 Malicious URLs serving this phishing kit which highlights its widespread use. This demonstrates how malicious actors use legitimate companies to leverage their attacks and gain victims’ trust and it is expected that these kinds of groups will use other companies as bait in the future."
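Because over 200 URLs were observed and only six are listed here, an exact-match blacklist will miss most of them. The sketch below is an added example, not code from McAfee or the article: it checks proxy log URLs against the six listed hosts and also flags hosts that carry the brand name without sitting under an official domain. The `OFFICIAL` set, the digit-swap table, the log format and the `example.net`/`example.org` hosts are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# The six hosts published in the article.
BLOCKLIST = {
    "verification-amazonaccess.secure.dragnet404.com",
    "verification-amazon.servicesinit-id.com",
    "verification-amazonlocked.securesystem.waktuakumaleswaecdvhb.com",
    "verification-amazonaccess.jaremaubalenxzbhcvhsd.business",
    "verification-amazon.3utilities.com",
    "verification-amaz0n.com",
}
OFFICIAL = {"amazon.com"}  # assumption: extend with the regional domains you use
DIGIT_SWAPS = str.maketrans("01345", "oleas")  # undo swaps such as "amaz0n"

def host_of(url):
    """Lowercased hostname of a URL or bare host (empty string if none)."""
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()

def under(host, domain):
    return host == domain or host.endswith("." + domain)  # suffix-anchored match

def classify(url):
    host = host_of(url)
    if not host:
        return "invalid"
    if any(under(host, d) for d in OFFICIAL):
        return "official"
    if any(under(host, d) for d in BLOCKLIST):
        return "blocklisted"
    if "amazon" in host.translate(DIGIT_SWAPS):  # brand name on a foreign domain
        return "lookalike"
    return "other"

# Constructed proxy log lines (timestamp, client, URL); not real traffic.
SAMPLE_LOG = """\
2019-07-15T09:01:02Z 10.0.0.5 https://www.amazon.com/gp/prime
2019-07-15T09:01:09Z 10.0.0.7 http://verification-amazon.3utilities.com/login
2019-07-15T09:02:30Z 10.0.0.7 http://amazon.com.signin.example.net/ap
2019-07-15T09:03:11Z 10.0.0.9 https://account-amaz0n.example.org/
2019-07-15T09:04:00Z 10.0.0.9 https://example.org/news
"""

def scan(log_text):
    """Return (client, host, verdict) for requests worth alerting on."""
    rows = (line.split(maxsplit=2) for line in log_text.splitlines())
    hits = [(client, host_of(url), classify(url)) for _, client, url in rows]
    return [h for h in hits if h[2] in ("blocklisted", "lookalike")]
```

The official-domain check is anchored to the end of the hostname, so a host such as `amazon.com.signin.example.net` is not mistaken for the real site, which a plain substring test would do.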
