While the majority of tech-savvy internet users would see straight through most phishing attempts designed to coax unwitting internet users into parting with sensitive credentials, these scams have persisted online – and online shopping giant Amazon is the latest big brand to be exploited by cyber-criminals.
In a report, security firm Malwarebytes has outlined a phishing scam that hit Amazon.com users and tried to entice recipients with the chance of winning £10 in return for filling out a short survey. The email, claiming to be from 'members support', instead contained a malicious link to a web page that would scoop up login details.
"As a valued customer we would like to present you with an opportunity to make a quick buck," the fake Amazon email read. "We are offering £10 each to a selected number of customers in exchange for completing a quick survey relating to our service. Your opinions and thoughts are vital in order for us to provide the best possible service. Please press the link below to get started."
If clicked, the link would redirect a user to a page carefully constructed to mirror Amazon's login system that requests a user's address, phone number, security question and credit card details. While Malwarebytes reported that the initial redirection website is currently offline, the firm has warned that it is extremely likely to resurface in the near future.
"Phishing can have immediate consequences, more often than not the worst case scenario being financial theft," Christopher Boyd, intelligence analyst at Malwarebytes, told the IBTimes UK.
"Many phishes are quite subtle and look to extract considerable personal information over time. From there, scammers can hook themselves into many aspects of a victim's day to day life and, when the time is right, cause maximum damage. If you re-use passwords across multiple sites, you're only making it easier for them and one stolen login can often equal all of your accounts taken in one fell swoop."
Boyd, who advised Amazon users to remember to look for the green padlock icon before entering any sensitive data into the website, also warned that HTTPS encryption isn't used across the entirety of Amazon. Yet in a welcome move, protection against such phishing attempts is on the rise. "The anti-phishing protection built into most modern browsers is generally very good, and we advise everyone to keep that browser feature enabled whenever possible," he added.
It's not the first time that Amazon has been caught up in such an attack. Last year, a convincing malware scam was discovered in circulation that attempted to trick users into thinking their account had been hacked, and that someone was using their credit card details to purchase a 16GB iPhone 6. Notably, the spammer went to a great deal of trouble to set up an exact replica of Amazon's legitimate order-confirmation email.