Lumbar back support pillow—check!
Noise canceling headphones—check!
And, of course, coffee—check!
If you’re an Amazon shopper, then you know by now that Prime Day is nigh!
And by that, we mean “tomorrow.”
If you’re one of the many who dreads bidding the weekend goodbye, this is probably the one Monday of the year you look forward to.
It’s true that Amazon Prime Day isn’t your regular Thanksgiving shopping event, but it has become so massive so quickly to warrant one unintended consequence: catching the attention of online threat actors.
Amazon launched Prime Day in 2015 during the company’s 20th anniversary. And they have been stepping up their game ever since. To date, Prime Day 2017 was hailed as the biggest shopping event in the company’s history, surpassing its 2016 Black Friday and Cyber Monday revenue.
Orders placed via mobile devices also spiked, thanks to the Amazon app that many users have downloaded and installed just for Prime Day. Of course, overall increased sales also translate to increased profits for small businesses around the world. In case you’re not aware, a huge chunk of sellers on Amazon are small businesses.
It won’t be a surprise to expect that Prime Day 2018 would be bigger than last year, and Cybercriminals may be counting on this.
Regular readers of the Malwarebytes Labs blog know that Amazon has been used in several threat campaigns to target users. In 2015 – 2016, we’ve documented some spam emails that circulated the web bearing the Amazon logo, and their ruses ranged from requesting users to confirm their accounts information, to filling in a survey in exchange for a small fortune, and redeeming a soon-to-be-expired $100 Amazon Prime credit.
Then in 2017, Mark Jones (writing for Kim Komando) reported about a phishing email that Kim herself received almost a month after Prime Day ended. The email offers recipients a $50 voucher as a bonus for reviewing a product they recently bought on Prime Day, according to the post. Clicking the link in the email body redirects to a fake Amazon login page.
More fake Amazon emails could materialize from hereon. But these shouldn’t get in the way of someone using or trying out Amazon’s services for the first time—or any e-commerce site’s, for that matter. These sites not only afford us the ease and comfort to shop while remaining in bed and in our pajamas, but they also have selections we cannot otherwise find in brick and mortar shops in town.
If you enjoy shopping on Amazon, protect yourself by protecting your account credentials and shopping transactions. Below is a list of do’s and don’ts you should keep handy alongside your shopping list.
…download only the legitimate Amazon app from the Google Play and Apple App stores, which you can find here and here, respectively. In doing so, you’ll avoid getting confused as to which app to install—as there are variants of them—and what to trust—as there may be impersonators. Threat actors targeting users on mobile devices have become craftier with their tactics, their latest being the use of Unicode, allowing fake apps banking on famous names to pass through security scans.
…setup two-factor authentication (if you haven’t already). This is for added security, of course. If you’re the type of shopper who takes their time, you may find it quite annoying to re-enter your creds and authentication number multiple times but having this enabled is so worth it.
…use your credit card when paying for purchases as much as you can. This is because credit cards are insured by the bank but not debit cards. Although a type of consumer protection called a chargeback is in place, it is not a legal protection. This means that your card provider may or may not award one a chargeback, depending on the case.
…look at emails purportedly originating from Amazon with a critical eye. It’s a prevention mechanism we should all be practicing when handling emails as doing so will save you a lot of headache and firefighting in the long run.
…familiarize yourself on how to report phishing emails and pages to Amazon. Why? Because fellow shoppers may not be quick enough to sport the fake email you just spotted. Amazon has a handy guide on walking users through the reporting process in this Help & Customer Service page.
…buy items from sellers you trust or are comfortable with. Like any other e-commerce site, Amazon has bad sellers, too. And by that, we mean those who (1) impersonate legitimate companies by stealing their brand and the showcase of products they sell, (2) purport to sell products but never ships them and attempt to run away with your money, or (3) sell you counterfeit or knock-off goods. If you don’t know which seller to trust, check out the third-party supplier’s Amazon page and see when the profile has been created. Usually, the scam ones are generally those that just launched and suddenly offers pages upon pages of a variety of cross-industry products, which are often just stolen random images from several real sellers. Also, watch out for third-party sellers with too-good-to-be-true glowing reviews as (1) they may have been auto-generated by bots or (2) they’re paid reviews designed to put sellers in a favorable light.
…reuse passwords. If the Amazon account password you’re using now is the same as your, say, Twitter password, it’s time to change that. You’re just making it easy for criminals to access two or more of your online accounts.
…enable macros. Amazon email has convinced you that it’s real. You open the attachment. It asks you to turn on macros. I think you should consider stopping at this point because doing what it tells you to could open two possible scenarios: one, nothing will happen; two, you just got your computer infected with malware. Think about this.
…fall for Amazon gift card scams. We rarely read about this, but it happens. Usually, questionable sellers would ask prospective buyers to pay for an item outside of Amazon in the form of gift cards. If a seller suddenly asks you this, disengage from the conversation and report them to Amazon immediately.
…use public Wi-Fi to shop. You’re only exposing yourself to MitM attacks. It’s better to shop at home or (we know you do this) at work during your break time.
If we make it a point to address our (potential) security issues first and make mental notes of the rest in our list, then Prime Day 2018 shouldn’t be that stressful. Perhaps.
So, what are you waiting for? Ready, set, shop!
Other posts related to Amazon you might be interested in reading:
The post A primer: How to stay safe on Amazon’s Prime Day Sale appeared first on Malwarebytes Labs.