Amazon Prime Day shoppers targeted with malware and phishing campaigns

The annual Amazon Prime Day from Amazon.com Inc. is attracting the interest of cybercriminals who are attempting to compromise shoppers.

The annual event, which was delayed earlier this year due to COVID-19, is being actively used to attack users with emails and SMS text messages offering fake deals in an effort to trick users into downloading malware or phishing their Amazon accounts by impersonating someone the account owner knows.

Those warnings are echoed in research from Bolster Inc. and Check Point Software Technologies Ltd. Both warn that there has been an alarming increase in the number of registered Amazon-related domains that are malicious. Cybercriminals use fake sites as part of phishing scams.

Shashi Prakash, chief technology officer at Bolster, a company that provides deep learning-based fraud prevention, told SiliconANGLE that the enormous spike in phishing and fraud sites in September is a strong indication that cybercriminals will be active and will try to capitalize on the Prime Day frenzy. "Shoppers need to stay vigilant to avoid giving out their personal information or purchasing products on fraudulent sites for things they will never receive," he said.

Hank Schless, senior manager of security solutions at mobile security solutions firm Lookout Inc., compared the situation to COVID-19-related scams earlier this year. "It makes sense that there would be an increase in Amazon-related URLs, especially at a time when online shopping has become the primary way people buy things," he said.

Brandon Hoffman, chief information security officer at information technology services management firm Netenrich Inc., noted that the Prime Day event presents a unique opportunity for cybercriminals because it will focus on special deals. "This creates a situation where people may be scrambling to get a special deal on something and it may allow them to overlook common suspicious activity," he said.

In particular, Hoffman said, so-called "malvertising" links for Amazon deals can lead to malware or phishing attempts offering early access or special deals. "Users should be careful and operate specifically within the Amazon website or Amazon apps rather than clicking on advertisements or emails, unless the email has been scrutinized or verified," he said.

Indeed, the volume of emails during the holidays is a problem, said Steve Durbin, managing director of information security body the Information Security Forum, who explained that the volume of emails is an issue. "Our appetite for information is immense and cybercriminals know this," Durbin said. "Therefore, there may be attachments or links that offer more details or information and encourage us to click before thinking. Very few communications with these links or attachments will be anything other than scams and should be avoided."