As Black Friday approaches, customers turn their attention to the large discounts and promotions offered by e-commerce platforms. Unfortunately, cybercriminals take advantage of the convenience of online shopping to exploit unsuspecting shoppers during this period. One of the most common tactics used by scammers is brand impersonation conducted through email.
Cellopoint recently intercepted a phishing email impersonating Amazon Japan. We’ll use this example to explain how Amazon phishing emails and brand impersonation work.
How Do Phishing Emails and Brand Impersonation Work?
Email phishing is a form of phishing in which attackers send thousands of fraudulent emails to specific or unspecified recipients. These emails often include compelling or urgent messages to trick recipients into taking an action, for example clicking a link or opening an attachment that directs them to a malicious destination, such as a phishing website, in an attempt to steal personal details. Phishers may also lure users into installing malware in order to obtain the victims’ confidential information, such as credit card numbers and login credentials, and/or into downloading ransomware, which gives the attackers control of the victims’ computers so they can demand a ransom or encrypt the data for other malicious uses.
Brand impersonation is a type of phishing attack in which cybercriminals create fake emails and pose as a well-known, trusted brand, organization, or service provider to trick recipients into sharing personal details, login credentials, money and other valuable information. Because users trust the brand and the emails appear to come from it, they can easily fall victim to brand impersonation and follow the instructions in the phishing email without any suspicion.
Phishing Example: Cellopoint-identified Email Impersonating Amazon, a Well-known E-commerce Giant
In this email, although the sender’s display name “amazon.co.jp” looks legitimate, the sender address “email@example.com” is not an official Amazon email address (see the figure below). In fact, the sender domain contains “softbank”, which refers to Softbank (ソフトバンクグループ株式会社), a Japanese holding company engaged in the telecommunications and media industries that is not affiliated with Amazon.
The email content is in Japanese, which appears to be consistent with the sender amazon.co.jp. The message claims that the account is subject to a regular system check and needs to be verified. However, if an unsuspecting victim clicks the “Amazon.co.jp” button, the victim is directed to a fraudulent login website that requests personal information (see the figure below).
Additionally, as shown in the figure above, the email source shows that this email was sent from IP 220.127.116.11 and the sender’s server VM-4-16-centos.localdomain. A safe sender’s server normally has a proper domain name, not a name ending in localdomain, and a legitimate email sent from Amazon’s services would come from a server with a complete domain name. Another unusual sign is that the IP 18.104.22.168 belongs to TENCENT-NET-AP-CN (Tencent Building), which is part of Tencent’s hosting IP address space and not an Amazon IP address.
In a nutshell, four signs mark this email as abnormal or suspicious:
The sender’s name Amazon is inconsistent with the sender’s domain
The button in this email will direct the recipient to a malicious link, in an attempt to steal personal information
The sender’s server name is unusual
The sender’s IP address does not match Amazon’s legitimate IP address
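The first three signs can be tested directly against the raw message. The following Python is an added example, not Cellopoint's detection logic and not part of the original article; it flags a brand display name on a foreign sender domain, a brand-labelled link whose target is elsewhere, and a relay hostname that is not fully qualified. The brand allow-list and the sample's sender address, IP and URL are constructed placeholders, and the fourth sign (IP ownership) needs a WHOIS/ASN lookup and is left out.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample modelled on the email described above. The hostname is the
# one quoted in the article; the sender address, IP and URL are placeholders.
SAMPLE = (
    "Received: from VM-4-16-centos.localdomain (unknown [203.0.113.10])"
    " by mx.recipient.example with ESMTP\n"
    'From: "amazon.co.jp" <notice@softbank.example>\n'
    "Content-Type: text/html; charset=utf-8\n"
    "\n"
    '<a href="http://login.phish.example/verify">Amazon.co.jp</a>\n'
)

# Assumption: illustrative brand -> legitimate-domain list, not an official one.
BRANDS = {"amazon.co.jp": ("amazon.co.jp", "amazon.com")}
PRIVATE_SUFFIXES = (".localdomain", ".local", ".localhost", ".lan", ".internal")

def in_domains(host, allowed):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)

def is_unqualified(host):
    host = host.lower().rstrip(".")
    return "." not in host or host.endswith(PRIVATE_SUFFIXES)

def check_message(raw):
    msg = message_from_string(raw)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    links = re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S)
    for brand, allowed in BRANDS.items():
        # Sign 1: display name claims the brand, address domain does not belong to it.
        if brand in display.lower() and not in_domains(addr.rpartition("@")[2], allowed):
            findings.append("display-name-domain-mismatch")
        # Sign 2: link text shows the brand, href points somewhere else.
        for href, text in links:
            if brand in text.lower() and not in_domains(urlsplit(href).hostname or "", allowed):
                findings.append("link-text-href-mismatch")
    # Sign 3: topmost Received header (written by the receiving server) names a non-FQDN host.
    received = msg.get_all("Received", [])
    m = re.match(r"\s*from\s+(\S+)", received[0]) if received else None
    if m and is_unqualified(m.group(1)):
        findings.append("unqualified-relay-hostname")
    return findings
```

Only the topmost Received header is inspected because lower ones are supplied by the sending side and can be forged.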
To identify malicious emails and prevent them from reaching end users’ inboxes, Cellopoint provides a comprehensive email security solution.
How Does Cellopoint Identify This Brand Impersonation Phishing Attack?
This email’s format is similar to a normal EDM. Cellopoint’s Anti-APT-URL module scans unknown, suspicious links embedded in emails, and is therefore able to detect and block this email in real time. Cellopoint then records and learns the threat pattern of the email and updates its threat intelligence center with the brand impersonation threat intelligence, for example the TLD, for future threat matching. In addition, Cellopoint shares impersonation threat intelligence with the Anti-APT-URL module so that the module can identify unknown, spoofed URLs and assign high threat scores accordingly. This threat intelligence sharing mechanism is also applied to Cellopoint’s Email Threat Protection to stop emerging phishing emails.
Last but not least, here are some reminders. If you receive this kind of email but have never shopped on the Amazon Japan website, you should not interact with it at all. Even if you have shopped on Amazon Japan before, you should be wary of warning messages that ask you to click a button to verify your account, and stay vigilant about suspicious emails. We also recommend checking the email’s legitimacy on the official website instead of clicking any button or link in the email right away, to avoid falling victim to phishing.