
Vishing attacks spoof Amazon to try to steal your credit card information


The attacks used fake order receipts and phone numbers in an attempt to steal credit card details from unsuspecting victims, says Armorblox.

A standard phishing campaign uses email to try to trick people into divulging confidential information. But attackers are increasingly employing a variant of that ploy known as vishing, short for voice phishing. In a vishing attack, the scammer still impersonates someone from a trusted company but uses a phone call as the weapon of choice.


In some cases, the attacker calls or leaves a voicemail message for the intended victim. In other cases, the criminal sends an email with a contact phone number urging the recipient to call that number. Whatever method is used, the attacker relies on savvy social engineering tactics to convince the person to provide financial or account information during the phone call.


In a report published Thursday, cybersecurity firm Armorblox looked at two recent vishing campaigns that spoofed Amazon as a way to capture credit card details.

First campaign

In the first campaign, an email sent from a Gmail account used the subject line of “Invoice:ID” followed by a long and seemingly legitimate invoice number. The message spoofed the look and layout of an actual Amazon email and referenced an LG OLED TV and XBOX console allegedly bought by the recipient.

The real threat in the email was a “Contact Us” phone number in the body of the message. When researchers from Armorblox called this number, a real person answered the call, pretending to be from Amazon. That person asked for an order number, name and credit card details before becoming wise and hanging up.

Second campaign

In the second campaign, an email was sent using an address of no-reply@amzeinfo.com, which at first glance looks like an actual Amazon address. Titled “A shipment with goods is being delivered,” the message carried a random order number to seem more legitimate.

As with the first email, this one included a phone number, asking people to call if they wanted to return the items in question. In this case, Armorblox researchers who called the number initially ran into an endless ringtone and eventually no answer, indicating that the number had been taken down. However, the attackers could easily set up another number to restart the campaign.

Both emails received a Spam Confidence Level (SCL) of ‘1’ from Microsoft’s Exchange Online Protection (EOP), which meant the messages were not considered spam and were sent to the inboxes of the intended recipients.
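As an added illustration (not code from Armorblox or the original article), the traits the two emails shared can be checked mechanically: the message claims to be Amazon but comes from a non-Amazon domain, its body pushes a callback phone number, and it still carries a low SCL. The sample messages, phone numbers, Gmail address and the domain allow-list are constructed assumptions; `X-MS-Exchange-Organization-SCL` is the header in which Exchange stamps the SCL.

```python
import re
from email import message_from_string
from email.utils import parseaddr

BRAND_DOMAINS = {"amazon.com"}  # assumption: your allow-list of real brand sender domains
BRAND_RE = re.compile(r"\bamazon\b", re.I)
PHONE_RE = re.compile(r"(?:\+?\d{1,3}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
CALL_RE = re.compile(r"\b(call|contact us)\b", re.I)

def sender_domain(msg):
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def vishing_signals(raw):
    """Return the heuristic signals that fire for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    text = " ".join([msg.get("From", ""), msg.get("Subject", ""), body])
    dom = sender_domain(msg)
    on_brand = any(dom == d or dom.endswith("." + d) for d in BRAND_DOMAINS)
    signals = []
    if BRAND_RE.search(text) and not on_brand:
        signals.append("brand-mismatch")      # claims Amazon, sent from elsewhere
    if PHONE_RE.search(body) and CALL_RE.search(body):
        signals.append("callback-number")     # the phone number is the lure
    scl = msg.get("X-MS-Exchange-Organization-SCL", "").strip()
    if signals and scl.lstrip("-").isdigit() and int(scl) <= 1:
        signals.append("delivered-to-inbox")  # spam filtering did not flag it
    return signals

# Constructed samples modelled on the two campaigns, plus a benign control.
GMAIL_INVOICE = (
    "From: Amazon Orders <billing.example@gmail.com>\n"
    "Subject: Invoice:ID 0000000000000000\n"
    "X-MS-Exchange-Organization-SCL: 1\n\n"
    "Your Amazon order for an LG OLED TV has shipped.\n"
    "Contact Us: +1 (202) 555-0143\n")
LOOKALIKE = (
    "From: Amazon <no-reply@amzeinfo.com>\n"
    "Subject: A shipment with goods is being delivered\n"
    "X-MS-Exchange-Organization-SCL: 1\n\n"
    "Order 0000000000. To return the items, call +1 (202) 555-0187.\n")
BENIGN = (
    "From: Amazon <orders@amazon.com>\n"
    "Subject: Your package has shipped\n"
    "X-MS-Exchange-Organization-SCL: 1\n\n"
    "Your package has shipped. Track it under Your Orders.\n")
```

Both constructed campaign messages trip all three signals while the control trips none; in practice the callback-number signal alone is noisy, so it is the combination with a brand mismatch that is worth routing to review.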

How to protect yourself

To help your organization fend off vishing attacks and other threats, Armorblox serves up four pieces of advice.


By Lance Whitney

Lance Whitney is a freelance technology writer and trainer and a former IT professional. He's written for Time, CNET, PCMag, and several other publications. He's the author of two tech books--one on Windows and another on LinkedIn.
