July 15, 2007
Amazon.com--Phish or Phor Real?
I had posted the following on July 12, 2007:
I am currently investigating a potentially serious issue of an email message that—by all hallmarks in the message headers and URL in the body source code of the message—looks to come from Amazon.com. The message subject concerns the account password. The problem is, Amazon.com has no record of sending that message.
Until I can get a resolution about what's going on, my advice is to not follow any link in any email message you receive from Amazon.com. Instead, visit the site through other means (e.g., bookmark, or typing the amazon.com URL into the browser's Address field), then log onto your account only through the web site.
Here is the message that started this whole mess:
Date: 12 Jul 2007 09:05:45 -0700
From: "email@example.com" <firstname.lastname@example.org>
Subject: Amazon.com Password Assistance
Greetings from Amazon.com.
Click the link below to go to Step 3 to reset your password using our
https://www.amazon.com/gp/css/account/forgot-password/redeem-forgotten-password-token.html?token=[47-character string deleted]
If clicking doesn't seem to work, you can copy and paste the link into your browser's address window, or retype it there. Once you have returned to Amazon.com, we will give instructions for resetting your password.
Thank you for visiting Amazon.com!
At first glance—without looking at the message's headers or source code—it looked like a fairly typical attempt at phishing for my username and password. There was no information in the body that contained personalized data, such as my name, or anything else about my account. And then there's the recommendation to click on the link. Needless to say, phishing phlags were waving all around this one.
Looking further into the matter, I checked the message's headers. The only absolutely unforged line is the Received: header line written to the message by my own email server. It read:
Received: from mm-notify-out-1102.amazon.com (mm-notify-out-1102.amazon.com [22.214.171.124]) by dannyg.com (126.96.36.19960614) id l6CG5nXk091012 for <[removed]@dannyg.com>; Thu, 12 Jul 2007 10:05:50 -0600 (MDT)
The IP address in square brackets is the address that the sending server used to identify itself for the email transaction. My email server did a reverse DNS (rDNS) lookup of that IP address, and showed the identity right before the square brackets (inside the parentheses):
mm-notify-out-1102.amazon.com. That sure looked like a real amazon.com server, and it matched the way the server identified itself during the transaction (the server name right after "Received: from").
I had never encountered a forging of rDNS in a phishing message, but I was open to the possibility. As one more check, I did my own DNS search on the IP address. That IP is, indeed, within a very large block owned by Amazon. There was no doubt in my mind that this message originated from a real amazon.com server.
What about the link in the message body? The URL was not one of those phony HTML tricks, where the body author writes one URL for display, but the HTML is coded with an entirely different URL to an Evil Site. In fact, this message was not delivered as HTML, but as plain text (how I like 'em). The destination of the link was to the real amazon.com web site.
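The checks walked through above (trust only the Received: line written by your own server, see whether the name the sender gave at "Received: from" agrees with the rDNS name, confirm that the rDNS name resolves back to the connecting IP, and make sure a link's visible text and its real href point at the same host) can be scripted. The following Python is an added example, not code from this post or from Amazon: the header, hostnames, IP addresses (taken from the reserved documentation ranges) and the DNS table are constructed, and the resolver is injected so the script runs offline; a socket-based live_resolve is included for use against real headers.

```python
import re
import socket
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample in the shape of the Received: line quoted in the post.
# Hostnames and IP are documentation placeholders, not real servers.
SAMPLE_RECEIVED = (
    "Received: from mail-out.example.com (mail-out.example.com [192.0.2.10]) "
    "by mx.example.net (8.13.8/8.13.8) id l6CG5nXk091012 "
    "for <user@example.net>; Thu, 12 Jul 2007 10:05:50 -0600 (MDT)"
)

# Constructed forward-DNS table standing in for a live resolver (offline run).
FAKE_DNS = {"mail-out.example.com": {"192.0.2.10"}}


def fake_resolve(name):
    return FAKE_DNS.get(name.lower(), set())


def live_resolve(name):
    """Real forward lookup for use on genuine headers; empty set if no answer."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except socket.gaierror:
        return set()


RECEIVED_RE = re.compile(
    r"Received:\s+from\s+(?P<helo>\S+)\s+"        # name the client announced in HELO/EHLO
    r"\((?P<rdns>\S+)\s+\[(?P<ip>[\d.]+)\]\)\s+"  # rDNS name and IP recorded by the receiver
    r"by\s+(?P<by>\S+)"                           # the receiving server (yours)
)


def parse_received(header):
    m = RECEIVED_RE.search(header)
    if m is None:
        return None
    # strip the trailing dot that canonical DNS names carry
    return {k: m.group(k).rstrip(".") for k in ("helo", "rdns", "ip", "by")}


def check_received(header, resolve_forward):
    """Return inconsistencies found in the topmost Received: line.

    Only the line your own server wrote is trustworthy; lower lines can be
    forged by the sender. An empty list means the HELO name matches the
    rDNS name and the rDNS name resolves back to the connecting IP
    (forward-confirmed reverse DNS)."""
    parsed = parse_received(header)
    if parsed is None:
        return ["Received: line not in the expected 'from X (Y [ip]) by Z' form"]
    findings = []
    if parsed["helo"].lower() != parsed["rdns"].lower():
        findings.append(f"HELO name {parsed['helo']} differs from rDNS name {parsed['rdns']}")
    if parsed["ip"] not in resolve_forward(parsed["rdns"]):
        findings.append(f"rDNS name {parsed['rdns']} does not resolve back to {parsed['ip']}")
    return findings


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_of(text):
    """Hostname displayed in link text, or None when the text is not a URL/host."""
    t = text.strip()
    if not t or " " in t or "." not in t:
        return None
    return urlparse(t if "://" in t else "http://" + t).hostname


def mismatched_links(html):
    """(visible text, real href) pairs where the text shows one host but the
    anchor points at another: the HTML display trick the post describes."""
    p = _LinkCollector()
    p.feed(html)
    out = []
    for href, text in p.links:
        shown, actual = _host_of(text), urlparse(href).hostname
        if shown and actual and shown.lower() != actual.lower():
            out.append((text, href))
    return out


if __name__ == "__main__":
    print("genuine-looking header:", check_received(SAMPLE_RECEIVED, fake_resolve))
    forged = SAMPLE_RECEIVED.replace("(mail-out.example.com [192.0.2.10])",
                                     "(relay.example.org [198.51.100.7])")
    print("inconsistent header:", check_received(forged, fake_resolve))
    print(mismatched_links('<a href="http://evil.example.org/x">https://www.example.com/login</a>'))
```

A clean result from check_received says only that the connecting server is what it claims to be; as the rest of the post shows, a message can pass every one of these checks and still be unexpected, so the final step is always to reach the site through your own bookmark rather than the link.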
At this point, everything pointed to the message being legitimate. The problem, however, is that I had not been trying to log into my account prior to receiving this message. This is precisely the type of message I would expect to receive from amazon.com if I had forgotten my password and clicked the "Forgot password?" link at a login page. But I didn't click that link.
That led me to the next obvious thought: Someone had been trying to access my account (trying to break my password). Either he clicked the link, or (less likely, and I hope not) perhaps amazon's server is set up to reset the password after a certain number of failed attempts.
This came to mind because of an incident I had with Paypal a while back. Paypal refused to let me access my account. It turned out that someone had been trying to hack into my account. After a fixed number of failed attempts, Paypal simply blocked all access to the account. A phone call to their support folks revealed that the login attempts came from IP addresses far from my own.
To verify that everything was still OK at Amazon, I wasn't going to use the link supplied in the message just yet. Instead, I visited amazon.com my usual way, and logged in through the usual process. Everything worked fine.
I contacted Amazon's support department through its email system. Because I didn't suspect the message as being a phishing message, I didn't bother sending along a copy. But I did ask if someone had been trying to log into my account earlier that morning; if so, what were the IP addresses? In fact, here is what I submitted:
I received a Password Assistance notification (truly from amazon.com, mailed from mm-notify-out-1102.amazon.com [188.8.131.52]) as if I had clicked on the "forgot password" link. But I had not tried to log into my account in the hours prior to that email message.
This makes me believe that someone may have tried to hack into my
account. I am able to access my account with my original password,
so no changes are needed.
Do you have a record of attempts to log into my account from 0600-
0915 PDT on 12 July 2007? If so, do you have the IP addresses of
Here's the response I received:
Thank you for writing to us at Amazon.com.
The e-mail you received was not from Amazon.com. We are
investigating the situation, and we appreciate you letting us know
that you received this.
[Tons more stuff on phishing omitted.]
Whoa! Stop! Halt! Not from Amazon.com? WTF?
Time to get on the phone to Amazon. Of course, when you get on the phone to Amazon, you're actually tunneling your way to south Asia via VOIP—the type of support call connection I've grown to dislike.
The call taker was courteous (almost too courteous, if you know what I mean), and repeated back to me almost everything I said (assuming she's typing madly into her terminal). After a bit of checking, she was able to look into the record of email messages sent to me by Amazon. That's a nice tracking system, to say the least. But the bottom line was that Amazon had no record of having sent me the password assistance message.
My Amazon lady didn't seem very concerned, but I certainly was—for Amazon's sake, not mine. By all indications, somehow someone managed to get Amazon's real email server to send a potential phishing message to one of its real customers. Was the destination link perhaps some rogue directory on Amazon's web server that could get unsuspecting visitors to give away their usernames and passwords right under Amazon's nose? When you've learned about as much cyber-criminal activity on the Internet as I have, the scenario machine can go into overdrive.
As I've lamented many times before, it's next to impossible for an ordinary citizen to get potentially valuable security issues in front of the right people quickly at large organizations. It's as if they believe their systems are infallible, and thus there is no reason for anyone outside the company to make contact except for things like checking on an order.
Figuring that my best approach would be to follow procedure, I walked through Amazon's phishing pages—after all, Amazon, itself, told me this was a phishing message. I submitted the full deal, in an effort to demonstrate that this message really did come from Amazon, and they didn't know it.
While I slept, the following response arrived:
Thank you for contacting us at Amazon.com.
We apologize for any concern our recent e-mail regarding your Amazon
password may have caused.
This e-mail was sent in error, and you may safely ignore it if you did
not request a password change.
If you clicked the link in the e-mail and entered a new password, this
change will be reflected in your Amazon account, and you'll need to
use this new password to access your Amazon account.
Thank you for shopping at Amazon.com.
The message was sent in error? That's all there is to it? I got all worked up for nothing?
On the one hand, that response really popped my balloon; on the other hand, I'm glad that Amazon thinks everything is cool with their system, and that no one had been attacking my account. Maybe my issue helped them find a gap or bug somewhere in their system. I'll never know, and large companies like this aren't likely to disclose such issues. Amazon's customer service inquiry responses exhibit a strange kind of detached, unemotional character. I don't think this last one was a canned response, but it feels rather robotic, doesn't it?
And thus ends a rather large non-event. I still won't click on that link—my password is working fine, thank you.
It's clear that I go to extremes before accepting an unexpected email message as valid, but I make no apologies for my suspicions. If the rest of the emailing public were only half as suspicious, there would be fewer compromised personal identities and PCs in the world.