Find an online store you trust, pick an item with reliable reviews, enter your payment details and/or sign-in to the websites account, and finally, click ‘Purchase’. This process is all it takes to purchase gifts this holiday season. There is one final step: Receive the package. Though this may not feel like a step, the seemingly simple process of tracking and receiving your order can be an opportunity for Phishing.
“Wow, purchasing seems so easy! I’ll follow these simple steps and go purchase that yo-yo that I’ve been really wanting” – John Doe
Wait! Unfortunately, that is not the complete process. Baddies want to get hold of your Personally Identifiable Information (PII) and if possible, compromise the security of your computer. Here’s an example of one Phishing scheme taking place right now…
What is not simple is navigating the minefield of shipping notification Phishing attacks that can threaten your computer security, or put your banking credentials in jeopardy.
The domain amazonfindorder[.]us is active as of today 12/8/2020. The domain trackmyorder[.]us was associated with this site but is no longer active. When WatchGuard first discovered the site on 12/2/2020 it did not have a Banking section. So, props to them for continual improvement.
The site hosted four pages: Track My Order, Support, Refund, and Banking. Each will be discussed.
There are many reasons to consider this site suspicious. It was using HTTP; when using Amazon you would expect to see an HTTPS secure symbol. The URL ends with ‘.us’ instead of ‘.com’ which is not expected of a United States Amazon website. At the top of the page the search bar is not interactive but instead only an image. Moreover, the ‘Amazon.in’ and the Indian flag are visible near the search bar, which conflicts with it being a United States website.
The bottom section of the page where you would go for the About Us section is an image as well (not clickable).
If you fill in the information on the Track My Order page it will bring you to the same output page. If you don’t have beyond excellent eyesight to read the data entered in the field below, then here is the information entered: the first name with ‘Sam’, last name with ‘ShammyPants’, the email with ‘ShammyPants@gmail.com’, a fake phone number, and a fake tracking number.
Regardless of the information the victim entered it, resulting page was for an Apple iPhone 11 to be delivered to Williams Mark.
“But hey, why am I seeing this page when all I ordered was a yo-yo?” – John Doe
Well John, lets think about this. How did you get to this page? And why do you think it has someone else’s name? Could this site be possibly…..a Phish?!?!
“Probs” – John Doe
Yes, you are correct Sir! You are one smart cookie.
The Support page requests users to connect via a third-party application instead of through Amazon. All the programs listed are for remote access capabilities. This includes TeamViewer, AnyDesk, and RemotePC. This is a sign the attacker may want to gain access to your computer.
Meanwhile, the Refund page is a Google Forum. This is not how Amazon would acquire user data. The forum requests the name, phone number, state, city, email, amount of refund requested, purpose of refund, bank name, and whether the bank account is a checking or savings account.
The transaction number is the same every time regardless of data entered.
The Banking section is a list of bank links in no order or proper capitalization.
This website has been active for little while now. The now defunct trackmyorder[.]us domain would redirect to the Track My Order section on amazonfindorder[.]us, but now only amazonfindorder[.]us is active. Trilogy Media posted an alert on their Facebook page of this scam.
PhishStats (@PhishStats) also recently posted a similar alert on Twitter.
Is all this information really proof of a Phishing scheme? No, not exactly. We did not personally use an email or phone number that would be able to receive a response from whoever is hosting this site. What we can infer though, is that the scammer will attempt to collect as many details about the user as possible. When some makes a refund request, they will use that information to scam the user. The scammer’s goal could be manifold. One goal could be to get the user’s banking details. Another goal could be to have the user install remote user access software and steal information and/or install malware on their machine. What is certain is that this website is incredibly suspicious and should be avoided and blacklisted.
“All I wanted was a yo-yo and you just talked at me…. a lot. What would be an easier way to check my order without worrying about all of this mess?” – John Doe
You could just go directly to Amazon and check your order there.
“Really? You could have said that at any point during this discussion.” – John Doe
Well, I…umm… love to educate about the risk of Phishing.
“Uh-huh, sure, you seem more lonely than anything…But thanks for the help regardless!” – John Doe