Interesting this scam only seems to work in my unique circumstances. I’m sure there are other people with a very different type of scam, but for me, I was questioning the point of Amazon Prime.
Preface to no Prime
Slight inside here, Amazon photos used to be very good when it was part of Amazon drive, however, exactly like with Google photos they have split the photo part from the drive part, meaning integrating it with other services and cloud back up providers is now impossible, that coupled with the fact you have to use their flaky desktop application was the reason I didn’t need to use Amazon Photos anymore,
The Amazon music application has gone the same direction, where, in order to skip forward, or back in songs you know I have to pay a premium on top of your prime membership, so that really didn’t seem worth it.
The only option left was the free delivery with prime, which is probably fantastic. If you do all your shopping from Amazon that means you would recoup that hundred pounds quickly, unfortunately, the statistics told me in the last 30 days I have only had two prime free packages - which would normally equate to £6.50 in delivery, not really worth the annual subscription.
this coupled with the fact many products on Amazon, are questionable at best and when you order a new products, you clearly get a used product that’s being used by the previous customer, that coupled with some of the reviews been very in accurate on Amazon means it’s not really a reliable platform for purchasing reliable products, too many product reviews are clearly fake or part of the vine program, which means the customer did not purchase it for that review.
Prime membership email address sold?
Clearly, the moment I cancel my prime membership I automatically seem to start getting the scam emails to tell me that I needed to do something with my Amazon account within 24 hours otherwise it would be cancelled, which is absolutely inaccurate, but very interesting at the moment you cancel the prime membership it’s almost like you get put on a special list they give to scammers trying to trick you out of your account.
Amazon if this is going on that’s not a very good move, while I didn’t get an official response from Amazon it was amazing accurate that within four hours of cancelling prime the email started to end up in my spam folder.
gMail to the rescue
I have done quite a few of these deconstruction videos, and I should be very clear this if you’re not using Gmail, it’s not obvious that the message is fake, Gmail will put a nice read Banner at the top of to say, this message seems dangerous, ironically, Gmail is automatically doing what does informational post is all about, so if you are not notified that the email you’re about to interact with is dangerous, you might want to think about moving email providers.
Gmail also disables the images and links so I can’t click on something accidentally, but that’s boring for the intention of this post. I need to click on it to tell you how it works.
Email Payload
This is the e-mail as it in the spam folder, obviously images are not loaded as its in the spam folder, but when you look at it, the details are all wrong, my account is on hold due a billing issue (nope) they were not able to process my prime subscription (nope) that means my benefits are on hold (nope) I have cancelled them, then I need to provide payment in the next 24 hours (nope) to use the benefits (nope) I have cancelled, the only work this e-mail is missing is "kindly"
This is the full e-mail with the banner which as you can see looks more "suspicious" now with the Gmail banner....
If you look at the headers for delivery, you will notice it has come from ogyaonline.co.id and it comes with the address send from selected to amazon.co.uk
| Message ID | <20230801170529.2AD68407823@mail1.yogyaonline.co.id> |
|---|---|
| Created on: | 1 August 2023 at 18:22 (Delivered after 124 seconds) |
| From: | "Amazon.co.uk" <support-prime.billing-ID48212275-2249556.61375343@amazon.co.uk> |
This one also fails SPF and DMARC - that confirms all is not well with this message.
| SPF: | FAIL with IP 209.85.220.41 Learn more |
|---|---|
| DMARC: | 'FAIL' Learn more |
Then if you look at the headers you will notice it has some encrypted content inside as you can see below which is in base64 so lets get this converted to the actual content which I think is HTML
So lets get that decoded and what do you know, yes its HTML that is hidden from the user so unless they know what to look for they cannot see with the "raw" e-mail......
However if you ignore the filer code in the e-mail we only need one section of the code, and this is it:
<a style="font-size: 16px; text-decoration: none; font-family: Arial,sans-serif; width: 100%; font-weight: bold; color: #303942; display: inline-block; line-height: 20px;" href="https://lnkd[dot]in/e2g6D9Pb" target="_blank" rel="noopener" data-saferedirecturl="">Update </a>
It sends you to a URL that is a redirect service, in a new page and tells the browser not to "look at the link" with the "noopener" attribute which is specially used for opening dodgy of suspect links that cannot be verified, as for good measure it try's to set the "URL protection" to blank......which ends you up here......no this is NOT AMAZON
Even chatGPT is not fooled by this anymore and tells you there are some scam trademarks in that message, in this case ChatGPT is correct.
However the advice it gives you is spot on:
- Check the Sender's Email Address: Scammers often use email addresses that mimic legitimate ones but have small variations. Check the sender's email address to ensure it's a genuine Amazon domain.
- Hover over Links: Do not click on any links in the email directly. Instead, hover your mouse over the links to see where they actually lead. Be cautious if the link doesn't match the official Amazon website.
- Spelling and Grammar: Scam emails often contain spelling and grammar mistakes. In your provided content, "Cusotmer" is likely a typo for "Customer."
- Urgent Language: Scammers often use urgency to pressure recipients into taking immediate action. The phrase "update your payment information within the next 24 hours" is a common tactic.
- Contact Amazon Directly: Instead of clicking any links in the email, go to the official Amazon website directly by typing the URL in your browser. Log into your account and check your membership status and any notifications there.
- Use Two-Factor Authentication (2FA): If you're concerned about your Amazon account security, enable two-factor authentication if you haven't already. This adds an extra layer of protection to your account.
- Never Provide Sensitive Information: Legitimate companies, including Amazon, will never ask for sensitive information like passwords or credit card details via email.
- Report Suspicious Emails: If you determine that the email is indeed a scam, report it to Amazon and your email provider. This can help prevent others from falling victim to the same scam