
You Might Need To Change Your Amazon Password

Hackers impersonating Amazon are stealing passwords and accessing accounts, prompting warnings from the FTC and Better Business Bureau. Attackers are leveraging weak or reused user passwords to compromise accounts that are not protected by multi-factor authentication. Amazon encourages two-step verification and Passkeys for enhanced security.

Amazon has reported that scammers attempting to impersonate the retail giant place consumers at risk. The company has stated its commitment to investing in consumer protection and public education regarding scam avoidance. Amazon also encourages consumers to report suspected scams to facilitate account protection and the referral of malicious actors to law enforcement agencies for further action.

Consumer accounts face heightened risk from attackers who may have acquired passwords through data breaches or infostealer campaigns, or due to the inherent weakness and predictability of the passwords themselves. Given a recent surge in these attacks, addressing these security vulnerabilities has become a pressing concern for account holders.

A prevalent Amazon scam involves promising a refund for a recent purchase. It is delivered through a text message containing a link designed to initiate the refund request. Clicking this link directs users to a fraudulent sign-in window, which is designed to capture and steal login credentials. This method exploits user trust and the desire for financial benefit, leading to unauthorized account access.

Guardio has observed an evolution and subsequent surge in the refund scam. A new variant of the text message phrasing initially appeared on August 9, experiencing a 590% increase in prevalence by August 10. This surge has continued, resulting in an almost 1000% overall increase in just a few days. This rapid escalation indicates an adaptive and persistent threat landscape targeting Amazon users.

The latest attack methods underscore the insecurity of relying solely on password-based access. An account protected only by a username and password is vulnerable, and if the password itself is weak, the account is significantly exposed to compromise. ESET’s Jake Moore has warned that criminals can test stolen and commonly used passwords across multiple websites simultaneously. Individuals who reuse passwords across different online services are particularly susceptible to having their accounts compromised this way, which amplifies the risk associated with weak password hygiene.

Amazon has advised its customers to implement two-step verification and Passkeys as measures to protect their accounts. The company has made available an article detailing the importance of Passkeys and providing instructions for their setup, urging users to adopt these security protocols expeditiously.

Two separate reports have illuminated the pervasive use of common passwords, offering insights into patterns to avoid and underscoring the predictability of user password choices. NordPass regularly publishes a list of the “most common passwords,” a compilation that serves as a readily available resource for malicious actors. Concurrently, CyberNews conducted an analysis of passwords found within the “19 billion leaked passwords” breach. This particular incident, while not representing a new breach in itself, constituted a significant aggregation of data derived from numerous smaller breaches and infostealer troves, providing a comprehensive dataset for security analysis.

CyberGhost’s compilation of the “worst passwords in the last decade” offers a telling perspective on common password pitfalls. This guide details password practices that users should avoid, including patterns based on keyboard layouts, numerical sequences, animal names, sports teams, car models, or celebrity names. CyberGhost specifically addresses the practice of incorporating personal connections into passwords, such as using a beloved pet’s name. The organization highlights that while such dedications may seem harmless, they can inadvertently compromise digital security by making passwords easily guessable.
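As an added example (not from the article or any of the organizations it cites), here is a screening function that a sign-up or password-change form could use to reject the patterns listed above: keyboard-layout walks, numerical sequences, and names. The name list is a constructed sample, and `personal_terms` is a hypothetical parameter for values such as a pet's name.

```python
import re

# Letter rows of a US QWERTY layout, used to spot keyboard-layout walks.
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
DIGITS = "0123456789"

# Constructed sample list (animals, teams, car models). A real deployment
# would load a published common-password list instead.
SAMPLE_NAMES = {"tiger", "dragon", "monkey", "liverpool", "mustang", "ferrari"}


def longest_run(text, sequence):
    """Longest substring of text that follows sequence, forwards or backwards."""
    best = 0
    for seq in (sequence, sequence[::-1]):
        for i in range(len(text)):
            for j in range(i + best + 1, len(text) + 1):
                if text[i:j] not in seq:
                    break
                best = j - i
    return best


def weak_password_reasons(password, personal_terms=(), min_run=4):
    """Return the avoidable patterns found in password (empty list if none)."""
    lowered = password.lower()
    reasons = []
    if any(longest_run(lowered, row) >= min_run for row in KEYBOARD_ROWS):
        reasons.append("keyboard-walk")
    if longest_run(lowered, DIGITS) >= min_run:
        reasons.append("numeric-sequence")
    # Drop digits and symbols so "Tiger2024!" still matches "tiger".
    letters = re.sub(r"[^a-z]", "", lowered)
    if any(name in letters for name in SAMPLE_NAMES):
        reasons.append("common-name")
    # personal_terms is a hypothetical input: pet names, birthdays, etc.
    if any(t and t.lower() in lowered for t in personal_terms):
        reasons.append("personal-term")
    return reasons


if __name__ == "__main__":
    for pw in ("qwerty123", "Tiger2024!", "123456", "v7#Lq9!zRw2p"):
        print(pw, weak_password_reasons(pw))
```

Substring matching against a name list will occasionally flag a long passphrase that happens to contain a listed word, so treat a hit as a prompt to choose differently rather than as proof of weakness.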

Implementing a Passkey and enabling two-factor authentication (2FA) for online accounts are critical security measures. Amazon represents a high-value target for cybercriminals, and the platform does not mandate 2FA for all accounts, leaving a substantial number of those accounts secured by passwords alone.

