Research details how cybercriminals are targeting retail giants’ customers

Online shoppers are urged to watch out for scammers targeting Amazon's Prime Day

Online shoppers are urged to be on the lookout for fake websites and phishing scams targeting Amazon customers today.

Amazon’s annual Prime Day, which sees the retail giant offer discounts on thousands of items, takes place today and tomorrow (October 13-14).

New research from fraud prevention firm Bolster has detailed how scammers are targeting Prime customers with phishing campaigns and fraudulent websites.

“As shoppers gear up for two days of great deals, cyber criminals are prepping to prey on the unwary, taking advantage of those who let their guard down to snap up bargains,” the company said in a blog post.

Researchers claim that cybercrooks are using fake Amazon branding to lure shoppers into clicking links in phishing emails.

The number of fraudulent websites that make use of the e-commerce company’s branding increased dramatically between August and September, Bolster said.


The number of Amazon phishing sites is on the rise


One webpage copied headers, footers, and other graphics from Amazon’s legitimate website, researchers wrote.

It prompts customers to fill in a form confirming their payment details, but although the website looks authentic, none of the other links on the page work.

Another indicator is the amount of information the form asks for, including the victim’s Social Security number, date of birth, mother’s maiden name, and CVV number.

No such thing as a free lunch

Other scams currently doing the rounds include websites offering a free iPhone 11 Pro for survey participants. The victims are asked a number of questions and are told to enter their credit card details to activate their competition entry.

The blog post reads: “Of course they win, and are required to enter credit card information for a $1 to receive the iPhone 11 Pro.

“The site claims the phone will be delivered by courier in 5-7 days. In the following screen shot, the free iPhone is validated by many others who have already received their phones.

“Despite the glowing reviews, the $999 phone will never arrive, and the shopper begins to see strange charges on the credit card number provided.”


A fake website discovered by Bolster researchers

Stay sharp: How to avoid Amazon Prime Day scams

The fake websites were uncovered using a tool built by Bolster researchers which they said uses artificial intelligence to determine whether a site is real or fake.

Bolster offered tips to customers hoping to take advantage of Prime Day, including shopping directly from the source.

“One way to avoid Prime Day scams is to go direct to the source. Don’t start shopping through email links to avoid fraudulent sites,” researchers advised.




Shoppers should also be on the lookout for any mistakes on a website claiming to be affiliated with Amazon.

“Fraudulent sites are created quickly for specific campaigns. Though they appear close to the real site, they miss certain details,” the post reads.

“For example, fraudulent sites will not link the upper left logo to the real site in order to keep the user on the fake page. Other details revealing a fake site are blurry images, logos or misplaced buttons.”


Attackers are targeting e-commerce website Amazon

Tapping into search demand

Jeremy Hendy, CEO at cybersecurity firm Skurio, said would-be cybercriminals are likely targeting Prime Day because of the huge volumes of web traffic it generates.

Hendy told The Daily Swig: “These attacks are usually months in the planning, with cybercriminals making use of the huge volumes of breached data that are already available.

“The most common scams we see are techniques such as fake websites using typosquat domains, as well as hackers attempting to harvest people’s card details and credentials.




“This information can be used to gain unauthorized access to corporate networks, make use of fraudulent credit card details, or simply scrape more customer data that can be resold again on the dark web. Vigilance is very much the watchword in such a busy period for the retail industry.”

Hendy advised shoppers to pay careful attention to a website’s URL and to be aware of any emails or text messages claiming that their Amazon accounts have been compromised.

He added: “Never give a third party permission to move funds or details of a new payment method over the phone, as phone and SMS attacks are on the increase with spammers spoofing the name and number of a legitimate business.

“As a result, consumers must make sure to contact their bank to legitimize the transaction before transferring any money or data.”

