New Phishing Attack Impersonates Amazon Prime Membership to Steal Credit Card Data

A new phishing campaign impersonating Amazon has come to light, leveraging malicious PDF attachments in email phishing attempts.

Researchers Vishwa Thothathri, Aiden Huang, and Shehroze Farooqi recently uncovered this operation, which involves the distribution of PDF files containing links that redirect users to phishing sites designed to steal sensitive information, including credit card details.

The campaign starts with phishing emails containing malicious PDF attachments.

Clicking on the links embedded in these PDFs takes users to initial URLs, which further redirect to phishing pages hosted on subdomains of “duckdns[.]org”.

A total of 31 unique PDFs were analyzed during the investigation, none of which had been previously submitted to VirusTotal.

This highlights the attackers’ attempt to evade detection by antivirus solutions.

The URLs embedded within these PDF files redirect to cloaked phishing websites, ensuring automated scanners and threat analysis tools are directed to benign domains, while unsuspecting users land on malicious sites.

The phishing sites mimic Amazon’s login and payment pages, deceiving users into entering their login credentials and payment information.

The domains used for these attacks are hosted on the same IP address, suggesting centralized control by the attackers. Further analysis revealed shared hosting infrastructure across the campaign.

Example of the URL Redirection Chain

In one instance observed on January 24, 2025, a link in the PDF redirected to a sequence of URLs leading to a phishing page requesting sensitive data.

The URL flow began at hxxps[:]//redixajcdkashdufzxcsfgfasd.duckdns[.]org/CCq8SKn and followed multiple intermediate redirects, ultimately landing on pages requesting Amazon login credentials and credit card details.

These phishing pages utilized additional assets like CSS, JavaScript libraries, and images to closely resemble Amazon’s legitimate interface.

The phishing sites also employed advanced cloaking techniques, redirecting automated scans to non-malicious domains while ensuring targeted victims were directed to phishing pages.

Associated Artifacts

The researchers identified 31 PDF files associated with the campaign, alongside their SHA256 hashes.

Additionally, a phishing kit suspected to have been used or modified for this activity was identified, bearing the hash d49e6ae0d4887490c18ef9a2d2a1b658e3164a08a2d22a1fb535bd237b594f20.

Links traced from the PDFs included URLs hosted on “duckdns[.]org” and “redirectme[.]net”.

This campaign underscores the importance of verifying the authenticity of email attachments and links, especially those claiming to be from trusted organizations like Amazon.

Organizations and users are advised to remain vigilant and deploy robust email filtering, URL scanning, and endpoint protection tools to mitigate the risk of such phishing attempts.
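
As an added example (not from the researchers or the original article), the following Python code shows one attachment-filtering check that fits this campaign: it pulls link targets out of a PDF's URI actions, including those inside Flate-compressed streams, and flags any whose host sits under the two dynamic-DNS domains named above. The function names, the sample PDF bytes and the hostnames in them are constructed for illustration.

```python
import re
import zlib
from urllib.parse import urlsplit

# Dynamic-DNS parent domains named in the article.
DDNS_SUFFIXES = ("duckdns.org", "redirectme.net")
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")  # /URI (literal string)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.S)

def pdf_uris(data: bytes) -> list[str]:
    """URI action targets in raw PDF bytes, also looking inside Flate streams."""
    bodies = [data]
    for m in STREAM_RE.finditer(data):
        try:
            bodies.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate data (image, other filter, encrypted)
    uris = []
    for body in bodies:
        for m in URI_RE.finditer(body):
            raw = re.sub(rb"\\(.)", rb"\1", m.group(1))  # undo \( \) \\ escapes
            uris.append(raw.decode("latin-1"))
    return uris

def ddns_links(data: bytes) -> list[str]:
    """URIs whose host is one of the dynamic-DNS domains or a subdomain of one."""
    hits = []
    for uri in pdf_uris(data):
        try:
            host = (urlsplit(uri).hostname or "").rstrip(".").lower()
        except ValueError:
            continue  # malformed URL, nothing to classify
        if any(host == s or host.endswith("." + s) for s in DDNS_SUFFIXES):
            hits.append(uri)
    return hits

# Constructed PDF fragment: two plain link annotations and one in a Flate stream.
SAMPLE = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Subtype /Link /A << /S /URI /URI (https://constructed-a.duckdns.org/abc) >> >> endobj\n"
    b"2 0 obj << /Subtype /Link /A << /S /URI /URI (https://www.example.com/help) >> >> endobj\n"
    b"3 0 obj << /Filter /FlateDecode >>\nstream\n"
    + zlib.compress(b"<< /S /URI /URI (http://constructed-b.redirectme.net/x\\(1\\)) >>")
    + b"\nendstream endobj\n"
)

if __name__ == "__main__":
    for link in ddns_links(SAMPLE):
        print("dynamic-DNS link in attachment:", link)
```

The check does not decode hex-string URIs or encrypted PDFs, and because dynamic-DNS services also have legitimate users, a hit is better routed to quarantine or analyst review than treated as a verdict.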
