How the Amazon Prime Spoofing Campaign Works
Threat intelligence experts at Unit 42 discovered the phishing campaign in January 2025. The attack starts with an email about the target’s expiring Amazon Prime membership. Similar to the Amazon Prime membership phishing campaigns that ran rampant from 2022 to 2024, this tells the customer that there was an issue with the credit card on file and that failure to update the payment method will cause suspension of Prime benefits.
The scam uses a malicious PDF file attachment mocked up to appear as an Amazon page. Instead of sending the link within the body of the email, as in previous campaigns, the malicious link is placed in the PDF file. This exploits trust in PDFs as a secure and harmless file format.

The link in the PDF takes you to multiple phishing pages that look almost identical to Amazon’s sign-in page, designed to steal your Amazon login credentials.
You’re then taken to an account verification page where you are asked to confirm your identity by inputting sensitive personal information, including your social security number. The final phishing page then asks the target to verify their credit card.
To dodge security scans, attackers use a technique called cloaking. This redirects security scans and analysis to a harmless page, avoiding detection.
How to Spot Fake Amazon Prime Emails
Emails contain attachments with links to pages that look almost identical to legitimate Amazon pages (colors and fonts match the spoofed page), but there are details you can spot if you pay attention.
Screen grabs shared by Unit 42 show pages with URLs that don’t match those from Amazon. The URLs of the phishing pages are subdomains of duckdns[.]org and redirectme[.]net.
If you look closely, the pages also contain grammatical errors or missing phrases and words. For example, the identity verification page of the phishing site says, “To protect your Amazon account, you need to follow steps immediately.” Threatening language like “account suspension” and wording that pressures you to act fast or immediately are designed to make you do what you’re being asked without taking the time to think.
Keep Your Amazon Account Secure
Secure your account by using a strong password and multifactor authentication. Amazon also recommends using an email address and mobile number for your accounts. This way, you’ll get alerts on both contact methods.
Also, keep tabs on your subscriptions' expiration dates so you won’t be tricked into thinking your account is about to expire when it isn’t. Be wary of emails from Amazon that you aren’t expecting, and don’t open attachments, even harmless-looking ones, if you haven’t verified the source.
A common red flag on phishing pages impersonating Amazon is the presence of grammatical errors like misspelled words, missing words and phrases, and even sentences that sound off. However, hackers already use AI tools that automatically generate phishing pages, emails, and SMS with well-structured, grammatically correct copy. So if the message looks okay, pay closer attention to other details.
Remember to always check the URL. Some URLs can differ greatly from those on the legitimate Amazon site, so they’re easy to spot. There are hackers, however, who use a technique called typosquatting. Typosquatting involves registering a domain that might look like the spoofed URL at first glance but with minute differences like a misspelled word, or an extra letter or character. For example, they may register “Aamazon.com” or “PaypaI.com”, which uses the capital “i” instead of the letter “L”. So, slow down and read the URL carefully. You can use link checkers to check if the link is safe.
While it can be more tedious, the best way to stay safe is still to double-check with Amazon before clicking links or opening email attachments. Close the email message and open a new browser window, then head to Amazon’s official site in your country and contact them using the official customer service information. You may also double-check by signing in to your account using their official page or app.
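The URL checks described above (dynamic-DNS subdomains and typosquatted look-alikes) can be automated for links pulled from emails or PDF attachments. The following is an added example, not code from Unit 42 or Amazon; the brand allowlist, the look-alike character map and the one-typo threshold are assumptions, and the allowlist would need Amazon's country domains added before real use.

```python
from urllib.parse import urlsplit

# Dynamic-DNS parent domains this page names as hosting the phishing pages.
DYNDNS = ("duckdns.org", "redirectme.net")
# Assumption: allowlist of real domains for the brands being checked.
LEGIT = {"amazon": "amazon.com", "paypal": "paypal.com"}
# Constructed, non-exhaustive look-alike map. Hostnames are lowercased first,
# so a capital "I" posing as "l" arrives here as "i".
SKELETON = str.maketrans("01i5", "olls")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using a single rolling row."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]


def host_of(url: str) -> str:
    """Refang a defanged indicator (hxxp, [.]) and return the lowercase host."""
    url = url.replace(" ", "").replace("[.]", ".").replace("hxxp", "http", 1)
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".")


def under(host: str, domain: str) -> bool:
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def classify(url: str) -> str:
    """Return 'legitimate', 'dynamic-dns', 'lookalike' or 'unrelated'."""
    host = host_of(url)
    if any(under(host, d) for d in LEGIT.values()):
        return "legitimate"
    if any(under(host, d) for d in DYNDNS):
        return "dynamic-dns"
    # Compare each label (hyphens split too) with each brand name: an exact
    # brand label on a foreign domain, a homoglyph swap, or one typo all count.
    for label in host.replace("-", ".").split("."):
        for brand in LEGIT:
            if (label.translate(SKELETON) == brand.translate(SKELETON)
                    or edit_distance(label, brand) <= 1):
                return "lookalike"
    return "unrelated"
```

Anything other than "legitimate" is a reason to stop and verify through Amazon's official site rather than proof of phishing on its own.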
Sure, you might need to spend a few more minutes verifying the source of the information, but a few steps can save you a lot of trouble if you become a victim of cyber scams.