Check Point has discovered over 1000 suspicious domains registered in the run-up to Amazon Prime Day
Analysis Summary
# Tool/Technique: Malicious Lookalike Domains (Related to Amazon Prime Day Phishing)
## Overview
This entry summarizes the threat activity identified by Check Point Research: the registration of more than 1,000 domains mimicking the "Amazon" and "Amazon Prime" names in the weeks before major online shopping events such as Prime Day. The domains exist to host phishing sites that steal customer credentials, payment details and other personal information.
## Technical Details
- Type: Technique (Domain Impersonation for Phishing)
- Platform: Web (Targeting end-users accessing e-commerce sites)
- Capabilities: Hosting fraudulent login/checkout pages, distributing phishing emails.
- First Seen: Not stated precisely; Check Point observed the registrations in the run-up to its June 2025 monitoring period, so the campaign was under way before then.
## MITRE ATT&CK Mapping
- TA0042 - Resource Development
- T1583.001 - Acquire Infrastructure: Domains (registration of the lookalike domains themselves)
- TA0001 - Initial Access
- T1566 - Phishing
- T1566.002 - Phishing: Spearphishing Link (emails carry a link to the fraudulent login page; no attachments are described, so T1566.001 does not apply)
- TA0006 - Credential Access (credentials are captured by the phishing page itself; OS Credential Dumping, T1003, is not part of this activity)
- T1078 - Valid Accounts (if the harvested Amazon credentials are later used to log in)
## Functionality
### Core Capabilities
- **Domain Squatting/Impersonation:** Registering domain names highly similar to legitimate brands (e.g., Amazon, Amazon Prime) to deceive users.
- **Phishing Page Hosting:** Serving fraudulent login or checkout pages designed to harvest credentials and payment information.
- **Urgency Creation:** Utilizing phishing emails with subject lines like "Refund Due – Amazon System Error" to trick recipients into immediate clicks.
### Advanced Features
- **Link Redirection:** Links within emails direct the user to the fraudulent Amazon login page.
- **Information Harvesting:** Specifically targets harvesting legitimate Amazon logins and personal data.
## Indicators of Compromise
- File Hashes: N/A (the report concerns phishing infrastructure; no malware binaries are described)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Newly registered domains whose registrable label contains, or closely resembles, "amazon" or "prime" (the report does not reproduce specific domains here)
- Example domain patterns observed: combinations of the "amazon" or "prime" keywords with words such as "refund", "login" or "prime day" in the registrable label, typosquats of the brand name, and homoglyph or IDN variants
- Behavioral Indicators: Traffic to domains registered only days or weeks before a high-volume shopping event; login or checkout prompts asking for Amazon credentials or card details on domains outside Amazon's own
## Associated Threat Actors
- Unspecified fraudsters/scammers targeting Amazon customers during peak shopping periods.
## Detection Methods
- **Signature-based detection:** Blocklisting known malicious lookalike domains. Exact-match lists lag behind registration, so pair them with pattern matching on the registrable label (brand keyword, edit distance to the brand, digit-for-letter swaps, punycode).
- **Behavioral detection:** Monitoring for spikes in traffic to newly registered domains that impersonate major brands, especially in the weeks before known shopping events.
- **YARA rules:** N/A (this is infrastructure observation, not file content).
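The detection approach described above, applied to a feed of newly registered domains, as an added example (this is not Check Point's code and not code from the original page). It undoes the common lookalike tricks (punycode, accents, digit-for-letter swaps), then scores each registrable label for the brand keyword, a near-match of it, an embedded brand name, and urgency words such as "refund". The scoring weights, the word lists, the small allowlist, the two-label suffix stub standing in for the Public Suffix List, and the sample feed are all assumptions constructed for illustration.

```python
# Added example (not Check Point's code, not the original page's): triage a feed of
# newly registered domains for Amazon / Amazon Prime impersonation. Scores, word
# lists, the allowlist and the sample feed are assumptions constructed for illustration.
import unicodedata
from difflib import SequenceMatcher

BRANDS = ("amazon", "prime")
# Legitimate registrable domains that must never be flagged (assumed, illustrative subset).
ALLOWLIST = {"amazon.com", "amazon.co.uk", "amazon.de", "primevideo.com"}
# Tiny stand-in for the Public Suffix List so "amazon.co.uk" yields label "amazon", not "co".
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}
# Digit-for-letter swaps common in lookalikes; applied only next to letters so "2025" survives.
LEET = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b"}
# Words that add urgency or mimic account flows ("Refund Due", login, verify ...).
LURE_WORDS = ("refund", "login", "verify", "account", "billing", "support", "deal", "day")

# Constructed sample feed (no real registrations). The IDN entry is built with Python's
# idna codec so the punycode form is correct without hand-encoding it.
IDN_SAMPLE = "amazón.com".encode("idna").decode("ascii")
SAMPLE_FEED = [
    "amazon-prime-refund.com",   # combosquat plus urgency lure
    "amaz0n-login.net",          # digit-for-letter swap
    "primeday-deals2025.shop",   # brand embedded in a longer token
    "amazon.com",                # the real thing
    IDN_SAMPLE,                  # homoglyph / IDN lookalike
    "weatherreport.org",         # unrelated
    "amazn.co",                  # typosquat (dropped letter)
    "myprimerose.com",           # benign domain that happens to contain "prime"
]


def registrable_domain(fqdn: str) -> str:
    """Return the registrable part ('amazon.co.uk' for 'login.amazon.co.uk')."""
    parts = fqdn.lower().rstrip(".").split(".")
    n = 3 if len(parts) >= 3 and ".".join(parts[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(parts[-n:])


def normalize(label: str) -> str:
    """Undo the tricks that keep a lookalike from matching the brand byte-for-byte."""
    if label.startswith("xn--"):           # punycode -> Unicode ('xn--amazn-...' -> 'amazón')
        try:
            label = label.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    decomposed = unicodedata.normalize("NFKD", label)   # 'ó' -> 'o' + combining acute accent
    label = "".join(c for c in decomposed if not unicodedata.combining(c)).lower()
    out = []
    for i, c in enumerate(label):         # '0' between letters is an 'o'; '0' inside '2025' stays a digit
        near_letter = (i > 0 and label[i - 1].isalpha()) or (i + 1 < len(label) and label[i + 1].isalpha())
        out.append(LEET[c] if c in LEET and near_letter else c)
    return "".join(out)


def score_domain(fqdn: str) -> tuple[int, list[str]]:
    """Score 0-100 with reasons; higher means more likely a brand-impersonation domain."""
    reg = registrable_domain(fqdn)
    if reg in ALLOWLIST:
        return 0, ["allowlisted legitimate domain"]
    raw = reg.split(".")[0]
    norm = normalize(raw)
    score, reasons = 0, []
    if norm != raw:
        score += 20
        reasons.append(f"obfuscated label {raw!r} normalizes to {norm!r}")
    for tok in filter(None, norm.split("-")):
        for brand in BRANDS:
            if tok == brand:
                score += 50
                reasons.append(f"token {tok!r} is the brand keyword")
            elif SequenceMatcher(None, tok, brand).ratio() >= 0.8:
                score += 45
                reasons.append(f"token {tok!r} is a near-match of {brand!r}")
            elif brand in tok:
                score += 35
                reasons.append(f"brand {brand!r} embedded in token {tok!r}")
    lures = [w for w in LURE_WORDS if w in norm]
    if lures:
        score += min(20, 10 * len(lures))
        reasons.append(f"lure words {lures}")
    return min(score, 100), reasons


def triage(feed: list[str], threshold: int = 45) -> list[tuple[str, int, list[str]]]:
    """Rank a feed of newly registered domains; only those at or above the threshold are returned."""
    scored = [(d, *score_domain(d)) for d in feed]
    return sorted((s for s in scored if s[1] >= threshold), key=lambda s: -s[1])


if __name__ == "__main__":
    for domain, score, reasons in triage(SAMPLE_FEED):
        print(f"{score:3d}  {domain:32s} {'; '.join(reasons)}")
```

On the constructed feed the combosquat, the leet-speak variant, the IDN variant, the "primeday" combination and the dropped-letter typosquat clear the threshold, while the real amazon.com and the benign "myprimerose" (brand embedded, no lure words) do not. For production use replace the suffix stub with a real Public Suffix List library, and treat the output as a triage queue for analysts rather than an automatic blocklist, since an embedded brand string alone is a weak signal.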
## Mitigation Strategies
- **Prevention measures:** Implementing SPF, DKIM and DMARC on the brand's own domains to stop direct spoofing of them. Note that these controls do not block mail sent from a lookalike domain the attacker has registered, so they must be paired with defensive registration of common variants and with monitoring of new-domain feeds and Certificate Transparency logs for lookalikes, followed by takedown requests.
- **Hardening recommendations:** Educating users to check the sender address and the full URL before entering credentials, especially when an urgent email mentions a refund or an account problem. Enabling multi-factor authentication (MFA), preferably a phishing-resistant form such as FIDO2/WebAuthn where the service offers it, because one-time codes entered into a real-time phishing page can be relayed to the legitimate site.
## Related Tools/Techniques
- Domain Generation Algorithms (DGA) (not mentioned in the report and a different technique: DGAs produce throwaway malware C2 domains, whereas the activity here is typosquatting and combosquatting of a brand name; both, however, show up as bursts of newly registered domains)
- Phishing Kits (Used to rapidly deploy fraudulent login pages)