New Spam Campaign Brandjacking Amazon


Security experts have discovered a new spam campaign using a combination of brandjacking and a Java exploit. The messages are made to look like order confirmations from popular e-tailer and contain a link to a supposed order made on the site. Recipients who click on it wind up on a malicious site that determines what browser and versions of Java, Flash and Adobe Reader the visitor has before selecting an exploit to use against them.

Oracle, the makers of Java, are aware of the security hole and are planning to release a fix soon. Those concerned about the problem are urged to disable Java until it’s ready. Doing so may disable the functionality of some sites, especially video and gaming sites. It’s also important to note that only Java, not Javascript, is being affected by this exploit.

Amazon is no stranger to being brandjacked. Their name has been showing up in phishing attacks for years. With their Amazon Prime service making them an even more popular online shopping destination, it’s not surprising spammers are continuing to exploit them.

So far tens of thousands of the spam emails have been detected. Fortunately they are not too difficult to detect. Like many spam/scam emails, there are misspellings and grammatical errors, things rarely found in legit emails from the company. They are also addressed to “Dear Amazon Customer” or “Dear User” rather than personalized. This is a big red flag. Despite their increasingly sophisticated techniques, for many of them, their English and writing skills remain poor.

Written by Sue Walsh


  1. Jennifer · September 25, 2012

    The way I see it, this is such a very easy case. You should know if you placed an Amazon order or not. Otherwise, it should alarm you that someone has got hold of your Amazon account. So I really think anyone who falls into this scam is not thinking very well. But that is not to say Amazon also has its own liability. By now, it should have released information about the phishing scam. As far as I know I still have not received any. Or perhaps they need more people telling them that the threat is definitely real.

  2. Friday · September 25, 2012

    Hmm.. I don’t know if this is an entirely new story. Perhaps I’m used to phishing any campaign they can possibly imagine I assume they already used Amazon for quite some time in the past. Needless to say, this should be a cause of alarm. How did they know that you’re registered in Amazon in the first place? And if ever they used their own ingenuity to come up with something that looked like an Amazon e-mail, what will Amazon do to prevent its customers from falling into the scam? I am interested to hear their immediate plans about this.

  3. Lydia · September 26, 2012

    Exactly how you suggest Amazon reacts about this campaign? Email every person on Earth, who may or may not have an Amazon account about the phishing scheme? They can put a notice on their site but since many of the clickers will be people who have no account with Amazon or at least have not placed an offer recently, how can this help? Amazon is a victim, as the clickers are. General user education is what’s necessary to decrease the click-through rates of campaigns like this one.

  4. Logan · September 27, 2012

    This is so unfortunate since I spend a lot of time checking and using Amazon. Now I feel that the network has been compromised, and I don’t feel they’re doing much about it. I wonder when phishing is going to end, really. You know, I’m lucky because I know these things, and I’m very careful. But I’m equally sad for those who don’t have the vaguest idea what phishing or spamming is so they end up compromising their confidential information in the process. It’s time PEOPLE will give more effort to curb phishing!

  5. Ella · September 27, 2012

    Why am I not surprised? Even the biggest banks, which should have one of the best securities, have become victims of phishing. I’m not saying that Amazon doesn’t have any capacity to properly protect its system or brand. All I’m saying is phishers are not idiots. They have become more aggressive and wiser over the years. They know how to make things look and sound very real. What we need is for various agencies and companies such as Amazon to teach us Internet users how to spot potential phishing scams. Education is still the most ideal way to protect ourselves against anything.

  6. Allen Fuller · September 30, 2012

    Amazon has become the latest victim, though I don’t really think this is something new, as I’ve heard the website being a target for phishing a couple of times before. If these companies can suffer such fate, then it only means that anyone can be hit by it. Small-time businesses then can suffer a lot, and worse it may cause a huge problem financially since correcting the problem can surely cost a lot of money. I just hope the government and all the concerned agencies can offer ample protection to these kinds of businesses sine I’m 100 percent sure they are the ones that can keep our economy alive.

Leave A Reply