Vishing attacks spoof Amazon to try to steal your credit card information
The attacks used fake order receipts and phone numbers in an attempt to steal credit card details from unsuspecting victims, says Armorblox.
A standard phishing campaign uses email to try to trick people into divulging confidential information. But attackers are increasingly employing a variant of that ploy known as vishing, short for voice phishing. In a vishing attack, the scammer still impersonates someone from a trusted company but uses a phone call as the weapon of choice.
SEE:Social engineering: A cheat sheet for business professionals (free PDF) (TechRepublic)
In some cases, the attacker calls or leaves a voicemail message for the intended victim. In other cases, the criminal sends an email with a contact phone number urging the recipient to call that number. Whatever method is used, the attacker relies on savvy social engineering tactics to convince the person to provide financial or account information during the phone call.
In a report published Thursday, cybersecurity firm Armorblox looked at two recent vishing campaigns that spoofed Amazon as a way to capture credit card details.
In the first campaign, an email sent from a Gmail account used the subject line of “Invoice:ID” followed by a long and seemingly legitimate invoice number. The message spoofed the look and layout of an actual Amazon email and referenced an LG OLED TV and XBOX console allegedly bought by the recipient.
The real threat in the email was a “Contact Us” phone number in the body of the message. When researchers from Armorblox called this number, a real person answered the call, pretending to be from Amazon. That person asked for an order number, name and credit card details before becoming wise and hanging up.
In the second campaign, an email was sent using an address of firstname.lastname@example.org, which at first glance looks like an actual Amazon address. Titled “A shipment with goods is being delivered,” the message carried a random order number to seem more legitimate.
As with the first email, this one included a phone number, asking people to call if they wanted to return the items in question. In this case, Armorblox researchers who called the number initially ran into an endless ringtone and eventually no answer, indicating that the number had been taken down. However, the attackers could easily set up another number to restart the campaign.
Both emails received a Spam Confidence Level (SCL) of ‘1’ from Microsoft’s Exchange Online Protection (EOP), which meant the messages were not considered spam and were sent to the inboxes of the intended recipients.
How to protect yourself
To help your organization fend off vishing attacks and other threats, Armorblox serves up four pieces of advice.
Cybersecurity Insider Newsletter
Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices.Delivered Tuesdays and ThursdaysSign up todayLance Whitney Published: Modified:See more Security