November 02, 2007

Amazon Phish du Jour
So, you're an amazon.com customer and receive the following email message:
Looks pretty convincing, doesn't it? Of course, you get all upset that you're being charged for a couple of books that you didn't order. You'll click on one of the links to get to the bottom of it.
Every one of the links goes somewhere other than amazon.com, yet the page that loads shows the familiar Amazon login screen. Without giving it a second thought, you enter your email address and password.
Before you know it, your account is hijacked, and all kinds of goodies are charged to your credit card. The hijacker has changed your ship-to address so that the goodies go to him, not you. He has also changed the account password, so you can't log into your own account to repair the damage. The only thing "you" about your account is your credit card.
Every one of the links in this message leads to a fraudulent, lookalike site. The phishing kit's pages haven't yet been updated to match Amazon's recent site redesign, so the login page is the old layout. I doubt, however, that the "old" login page would raise many eyebrows.
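The tell described above (every link resolves somewhere other than amazon.com, while the page and the link text look like Amazon) can be checked mechanically before anyone clicks. The following is an added example, not code from the original post: it pulls every anchor out of an HTML message body and flags any whose host is not amazon.com or a subdomain of it, including the common lookalike tricks (a decoy "amazon.com" label in front of an unrelated domain, and a decoy "amazon.com@" userinfo prefix in front of a bare IP address). The message body is a constructed stand-in for the screenshot, and the lookalike hosts and addresses in it are made up.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

LEGIT_DOMAIN = "amazon.com"

# Constructed sample of a phishing message body, modelled on the pattern the
# post describes: every link looks like Amazon but resolves somewhere else.
# Hosts and addresses below are invented for illustration.
SAMPLE_PHISH_HTML = """
<html><body>
<p>Your order has been placed.</p>
<p>If you did not place this order, please
<a href="http://www.amazon.com.order-verify.example.net/signin">sign in to your account</a>.</p>
<p>View your order at <a href="http://amazon.com@203.0.113.5/gp/css/order-history">
http://www.amazon.com/gp/css/order-history</a></p>
<p>Or use <a href="http://203.0.113.5/amazon/login">this link</a>.</p>
<p><a href="https://www.amazon.com/gp/help/customer/display.html">Help</a></p>
</body></html>
"""


def host_belongs_to(host, domain):
    """True only if host is exactly `domain` or a subdomain of it.

    A plain substring check would accept 'www.amazon.com.example.net';
    requiring the '.domain' suffix does not.
    """
    if not host:
        return False
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            visible = " ".join("".join(self._text).split())
            self.links.append((self._href, visible))
            self._href = None


def audit_links(html, domain=LEGIT_DOMAIN):
    """Return one finding per link: where it really points and why it is suspect."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parts = urlsplit(href)
        host = parts.hostname  # urlsplit strips any 'user@' prefix for us
        reasons = []
        if not host_belongs_to(host, domain):
            reasons.append(f"host {host!r} is not under {domain}")
        if "@" in parts.netloc:
            reasons.append("userinfo in URL (decoy domain before '@')")
        if domain in text.lower() and not host_belongs_to(host, domain):
            reasons.append("link text shows the legitimate domain but the href does not")
        findings.append({
            "href": href,
            "text": text,
            "host": host,
            "suspicious": bool(reasons),
            "reasons": reasons,
        })
    return findings


def suspicious_hrefs(html, domain=LEGIT_DOMAIN):
    """Just the hrefs that fail the check, in document order."""
    return [f["href"] for f in audit_links(html, domain) if f["suspicious"]]


if __name__ == "__main__":
    for finding in audit_links(SAMPLE_PHISH_HTML):
        flag = "SUSPICIOUS" if finding["suspicious"] else "ok"
        print(f"{flag:10} {finding['href']}")
        for reason in finding["reasons"]:
            print(f"           - {reason}")
```

Run against the sample, three of the four links are flagged and only the genuine www.amazon.com help link passes. The same check is what a mail gateway or a browser extension does when it compares the domain a message claims to be from with the domains its links actually resolve to; the suffix test in `host_belongs_to` is the part people most often get wrong.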
It's a shame [not!] that the phisher who went to all this trouble mixed up the message's Subject: line with a different phishing message. Despite the security-related subject, the message has nothing to do with security.
I wanted to show a legitimate order confirmation email message from Amazon for comparison, but I have opted for text-only messages in my account preferences. Thus, any HTML-formatted message purporting to be from Amazon is clearly bogus in my inbox. Even so, I would assume that the HTML-formatted version includes the same type of personal information (billing and ship-to addresses) that a phishing message rarely (if ever) includes. Phishing messages tend to be oh, so generic.
In any case, I'm just glad that the phishing kit builders don't use my books in their bogus order confirmations. That kind of free publicity I could do without.

Posted on November 02, 2007 at 09:44 PM