Today’s Email Scam: Amazon Verification
Every single day there is another email phishing scam.
Today’s attempts comes ostensibly from Amazon.com
Note the text in color.
Red indicates the sections that should be your clues to this being 100% bogus.
The “From” fields are from amazonmail.com. When Amazon sends you anything it is from AMAZON.COM.
The sections in blue show us that the actual sending server is in the Philippines – specifically a government entity. Either someone in the building or a hacker with better skills than the Philippine government IT department is sending these messages through a Philippine government email account. More specifically: The National Home Mortgage Finance Corporation account is sending these phishing scams.
|Delivered-To:||Your Email Address|
|Received:||from uscentral434.accountservergroup.com by uscentral434.accountservergroup.com (Dovecot) with LMTP id KZ0DCkXBA1tFawoAgft7lA for <Your Email Address>; Tue, 22 May 2018 03:05:41 -0400|
|Envelope-to:||Your Email Address Here|
|Delivery-date:||Tue, 22 May 2018 03:05:41 -0400|
|Received:||from mail.nhmfc.gov.ph ([220.127.116.11]:42814) by … with esmtps (…) (Exim 4.89_1) (envelope-from <firstname.lastname@example.org>) id 1fL1Ma-0030Y8-Bc for Your Email Address; Tue, 22 May 2018 03:05:41 -0400|
|Received:||from localhost (unknown [127.0.0.1]) by mail.nhmfc.gov.ph (Postfix) with ESMTP id 1AFD7518866F; Tue, 22 May 2018 12:57:37 +0800 (SGT)|
|Received:||from mail.nhmfc.gov.ph ([127.0.0.1]) by localhost (mail.nhmfc.gov.ph [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y4lpsx5bmfLW; Tue, 22 May 2018 12:57:36 +0800 (SGT)|
|Received:||from [18.104.22.168] (unknown [22.214.171.124]) by mail.nhmfc.gov.ph (Postfix) with ESMTPSA id BE2F05188643; Tue, 22 May 2018 12:56:55 +0800 (SGT)|
|Subject:||Amazon account verification|
|Date:||Tue, 22 May 2018 07:57:25 +0300|
|X-SPF-Check:||126.96.36.199 is not allowed to send mail from amazonmail.com|
Body text of the email in question:
Changing Verification Settings
In order to make changes to our Verification Settings, you’ll need to confirm your account, just like you would for sign in.
It’s recommended to update your information within 24 hours.
Copyright © 1996-2018, Amazon.com, Inc. or its affiliate.All rights reserved.
The only live link is the Confirm Now line, which takes you to the URL shown in the graphic below.
If you were foolish enough to click on this link, it would redirect you to a fake Amazon page that would harvest your user name and password combination, after which the miscreants who crafted this email would take off on a shopping spree using your credit card.
Here is a screen shot of the email.
The actual location sending the emails is in Istanbul, Turkey.