Amazon Spoof Question

Topic Author
jb9
Posts: 143
Joined: Thu Feb 24, 2011 4:31 pm

Amazon Spoof Question

Post by jb9 » Mon Jun 22, 2020 12:33 am

Hello,

Has anyone ever gotten an email from either of the following email addresses?

store-news@amazon.com
store_news@amazon.com

The Amazon customer service reps tell me messages from these emails are NOT from Amazon. In essence, the reps have an application that shows what email messages have been sent to a user. Additionally, I have found the section under the user account details that shows the user what email messages have been sent to a user. This way, I can see the messages myself.

The problem is that the store-news@amazon.com sends promotions... I got one that said buy something in this category and get a $10 off coupon towards your next purchase of $25 or more. Nothing I have seen so far screams "too good to be true" but I did try the aforementioned offer and they said they didn't send it. I viewed the message header details and there was nothing amiss to my eye. The IP Address came from the same Class B Network that sends order confirmations...

Something seems odd here. It's not a big deal... I bought something simple I needed but I can't help but think are they driving traffic and transactions on their own site? I know the spoofing techniques are becoming more sophisticated...

Essentially a lot of these emails are the ones that say, "Hey you bought this, you might like this..."

Any thoughts?

123
Posts: 5987
Joined: Fri Oct 12, 2012 3:55 pm

Re: Amazon Spoof Question

Post by 123 » Mon Jun 22, 2020 1:25 am

Many spoofing emails provide a link to facilitate completing an action. That link can launch a mechanism to intercept account login information and/or credit card information often using a "man in the middle" technique by the hacker. The user who clicks such a link is often not aware that his/her activity/keystrokes are being monitored since the transaction can appear completely normal to them.
The closest helping hand is at the end of your own arm.

kiwi123
Posts: 57
Joined: Sun Dec 02, 2012 7:37 pm

Re: Amazon Spoof Question

Post by kiwi123 » Mon Jun 22, 2020 2:00 am

I got the same $10 email from Amazon. I didn't click on the link as it seemed suspicious. I figured I would look for it once I logged into Amazon directly... it looks "real" but something was "off".

Archie Sinclair
Posts: 412
Joined: Sun Mar 06, 2011 2:03 am

Re: Amazon Spoof Question

Post by Archie Sinclair » Mon Jun 22, 2020 4:41 am

It seems like Amazon has expressly explained to you that this is a scam. But you don't want to accept that because "The problem is that [the scammer] sends promotions..."?

rkhusky
Posts: 9498
Joined: Thu Aug 18, 2011 8:09 pm

Re: Amazon Spoof Question

Post by rkhusky » Mon Jun 22, 2020 6:57 am

I've heard some scammers use a different font that looks the same as English but has a different underlying code. If you paste the link into a browser and delete the amazon.com part and re-type it in, do you go to the same place?

dukeblue219
Posts: 737
Joined: Fri Jan 29, 2016 12:40 pm

Re: Amazon Spoof Question

Post by dukeblue219 » Mon Jun 22, 2020 7:04 am

Just searched my Gmail and I have hundreds of emails from that address over many years, and it's obvious they're not outright scams. However, someone can certainly spoof that address as the sender.

livesoft
Posts: 72046
Joined: Thu Mar 01, 2007 8:00 pm

Re: Amazon Spoof Question

Post by livesoft » Mon Jun 22, 2020 7:09 am

Many spoofing e-mails look perfect. Very often from Fedex, Amazon, United States Postal Service.
This signature message sponsored by sscritic: Learn to fish.

mschmitt
Posts: 77
Joined: Mon Aug 13, 2007 7:16 pm

Re: Amazon Spoof Question

Post by mschmitt » Mon Jun 22, 2020 7:18 am

I get emails from store-news@amazon.com all the time. I just spot checked a couple of recent ones and compared them with what is in Amazon's message center. They matched exactly. So, I have no doubt that store-news@amazon.com is a real Amazon email address.

However, this doesn't mean that address can't be spoofed. I think the thing to do is not click the links in the email, but to login to Amazon, go to the message center and click on the link there.

LadyGeek
Site Admin
Posts: 63943
Joined: Sat Dec 20, 2008 5:34 pm
Location: Philadelphia

Re: Amazon Spoof Question

Post by LadyGeek » Mon Jun 22, 2020 7:28 am

This thread is now in the Personal Consumer Issues forum (spoof).
To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.

ResearchMed
Posts: 10263
Joined: Fri Dec 26, 2008 11:25 pm

Re: Amazon Spoof Question

Post by ResearchMed » Mon Jun 22, 2020 7:40 am

rkhusky wrote:
Mon Jun 22, 2020 6:57 am
I've heard some scammers use a different font that looks the same as English but has a different underlying code. If you paste the link into a browser and delete the amazon.com part and re-type it in, do you go to the same place?
I can't find it now, but there was a terrific sample of that going around a few years ago.

The only reasonable (for regular users, anyway) way to "see" that problem was to copy the relevant text, paste it into something safe (e.g., word document, not linked to anything), and then select a different font. Then one of the characters suddenly shows that the spelling is no longer totally correct.

That was a real eye-opener.

Does anyone have a copy of an actual font where this happens (change to different font, suddenly there seems to be a spelling "error"), to show it?

RM
This signature is a placebo. You are in the control group.
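
The lookalike-character links discussed in the posts above can be checked without swapping fonts, by listing the code points in the link's host name. This is an added example, not code from any poster in the thread; the sample links are constructed, and treating the first word of a character's Unicode name as its script is a simplification.

```python
import unicodedata
from urllib.parse import urlsplit

def script_of(ch):
    """Rough script label: first word of the Unicode name (LATIN, CYRILLIC, ...)."""
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]

def inspect_link(url):
    """Report non-ASCII characters and mixed-script labels in a link's host name."""
    host = urlsplit(url).hostname or ""
    non_ascii = [(ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"))
                 for ch in host if ord(ch) > 127]
    mixed = []
    for label in host.split("."):
        scripts = {script_of(ch) for ch in label if ch.isalpha()}
        if len(scripts) > 1:          # e.g. Latin and Cyrillic in one label
            mixed.append(label)
    try:
        # The ASCII form that is actually looked up in DNS ("xn--..." if non-ASCII).
        dns_name = host.encode("idna").decode("ascii")
    except UnicodeError:
        dns_name = None
    return {"host": host, "non_ascii": non_ascii, "mixed_script_labels": mixed,
            "dns_name": dns_name, "suspicious": bool(non_ascii or mixed)}

# Constructed samples: the second host starts with Cyrillic U+0430, not Latin "a".
PLAIN = "https://www.amazon.com/gp/offer"
LOOKALIKE = "https://www.\u0430mazon.com/gp/offer"

if __name__ == "__main__":
    for url in (PLAIN, LOOKALIKE):
        print(inspect_link(url))
```

The `dns_name` field is the quickest tell: a host that is really `amazon.com` comes back unchanged, while a lookalike comes back with an `xn--` label.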

LadyGeek
Site Admin
Posts: 63943
Joined: Sat Dec 20, 2008 5:34 pm
Location: Philadelphia

Re: Amazon Spoof Question

Post by LadyGeek » Mon Jun 22, 2020 7:43 am

mschmitt wrote:
Mon Jun 22, 2020 7:18 am
However, this doesn't mean that address can't be spoofed. I think the thing to do is not click the links in the email, but to login to Amazon, go to the message center and click on the link there
Exactly. A few weeks ago, I got an email saying that my Prime membership would be expiring on the same day the email was sent. I logged into Amazon and double-checked that the membership was good.

Resisting my curiosity to check the email headers or open the attached PDF file (NEVER DO THIS), I simply deleted the email.
To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.

mrb09
Posts: 243
Joined: Wed Aug 03, 2016 9:02 am

Re: Amazon Spoof Question

Post by mrb09 » Mon Jun 22, 2020 8:25 am

If you're checking the mail header details, then use something like https://mxtoolbox.com to manually look up the SPF record associated with amazon.com. It has to explicitly list the SMTP address used for the mail for it to be valid.

If you use gmail, you can say "show original message". That will show you all the mail headers, and gmail will automatically check the validity of the gateway used to send the mail (smtp); the "SPF Check" will say "PASS/FAIL". That does the same thing as the manual SPF check.

Mudpuppy
Posts: 6159
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Amazon Spoof Question

Post by Mudpuppy » Mon Jun 22, 2020 9:02 pm

jb9 wrote:
Mon Jun 22, 2020 12:33 am
I viewed the message header details and there was nothing amiss to my eye. The IP Address came from the same Class B Network that sends order confirmations...
Headers are fundamentally just plain text. An attacker can write whatever header they want, including a fake Received header entry. If they're running their own mail server which then passes off directly to your ISP's mail server(s), you would have to look very closely at your ISP's mail server Received header to see the mismatch.
mrb09 wrote:
Mon Jun 22, 2020 8:25 am
If you're checking the mail header details, then use something like https://mxtoolbox.com to manually look up the SPF record associated with amazon.com. It has to explicitly list the SMTP address used for the mail for it to be valid.

If you use gmail, you can say "show original message". That will show you all the mail headers, and gmail will automatically check the validity of the gateway used to send the mail (smtp); the "SPF Check" will say "PASS/FAIL". That does the same thing as the manual SPF check.
I just checked the headers of a legitimate Amazon order email and they use DKIM signatures for both amazon.com and amazonses.com, which are more secure since they involve a cryptographic hash. They also transmitted the email to my ISP using TLS instead of plaintext, as noted in the Received header.

Ricchan
Posts: 256
Joined: Wed Jan 27, 2016 12:26 am
Location: Firestone D Floor

Re: Amazon Spoof Question

Post by Ricchan » Tue Jun 23, 2020 3:06 am

Here's an idea to address the OP's particular situation going forward. If your email provider allows it, add a "+xxx" suffix to the username portion of the email address registered to your Amazon account. The "xxx" can be anything, e.g. "myname+amazon@gmail.com." Authentic Amazon emails should now be addressed to the "+amazon" address, and any emails purportedly from Amazon addressed to the normal "myname@gmail.com" address would then be prime suspects for fraud. Just be aware false positives might happen (e.g. stale records on Amazon's end or their affiliates).

Silk McCue
Posts: 4696
Joined: Thu Feb 25, 2016 7:11 pm

Re: Amazon Spoof Question

Post by Silk McCue » Tue Jun 23, 2020 7:59 am

jb9 wrote:
Mon Jun 22, 2020 12:33 am
Hello,

Has anyone ever gotten an email from either of the following email addresses?

store-news@amazon.com
store_news@amazon.com

...
These are both valid email addresses. I have hundreds of valid emails to prove it.

The rep you spoke with is ignorant of the facts.

Cheers

mrb09
Posts: 243
Joined: Wed Aug 03, 2016 9:02 am

Re: Amazon Spoof Question

Post by mrb09 » Tue Jun 23, 2020 10:43 am

Mudpuppy wrote:
Mon Jun 22, 2020 9:02 pm
mrb09 wrote:
Mon Jun 22, 2020 8:25 am
If you're checking the mail header details, then use something like https://mxtoolbox.com to manually look up the SPF record associated with amazon.com. It has to explicitly list the SMTP address used for the mail for it to be valid.

If you use gmail, you can say "show original message". That will show you all the mail headers, and gmail will automatically check the validity of the gateway used to send the mail (smtp); the "SPF Check" will say "PASS/FAIL". That does the same thing as the manual SPF check.
I just checked the headers of a legitimate Amazon order email and they use DKIM signatures for both amazon.com and amazonses.com, which are more secure since they involve a cryptographic hash. They also transmitted the email to my ISP using TLS instead of plaintext, as noted in the Received header.
For the sake of folks reading the thread, SPF is a standard where the gateway address used to send the mail (smtpgateway) is documented in a DNS record only the legitimate sender can own. DKIM supports a signature for the sender record itself. Anyone can put anything as a sender string, but if it is from amazon, only amazon can have a valid signature.

Mudpuppy is absolutely correct that DKIM is a better check if it is available. I was going to say SPF is an older standard and (I think) still more prevalent, but I spot checked a few recent mail messages and looks like most companies are using both now. I just looked up gmail's spam filter policy (DMARC), and it requires one or the other be set.
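
As an added example (not written by any poster in this thread, and not Amazon's or Gmail's code), the sketch below reads the `Authentication-Results` header behind the "PASS/FAIL" display discussed above and reports whether SPF or DKIM passed for the domain shown in From, using only the topmost header because lower ones arrive with the message. The authserv-id `mx.example.net`, the sample messages and the parent/child alignment test are assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the authserv-id your own mail provider stamps (hypothetical value).
TRUSTED_AUTHSERV = "mx.example.net"

def parse_auth_results(value):
    """Return (authserv_id, [(method, result, props), ...]) for one header value."""
    value = re.sub(r"\([^)]*\)", " ", value)  # drop (comments)
    parts = [" ".join(p.split()) for p in value.split(";")]
    results = []
    for part in parts[1:]:
        pairs = [t.split("=", 1) for t in part.split(" ") if "=" in t]
        if pairs:
            (method, result), props = pairs[0], dict(pairs[1:])
            results.append((method.lower(), result.lower(), props))
    return parts[0].split(" ")[0].lower(), results

def aligned(domain, from_domain):
    """Approximate relaxed alignment: same domain or parent/child (no suffix list)."""
    d, f = domain.lower(), from_domain.lower()
    return bool(d and f) and (d == f or d.endswith("." + f) or f.endswith("." + d))

def check_message(raw):
    """Say whether SPF or DKIM passed *for the domain shown in From*."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    verdict = {"from_domain": from_domain, "spf": False, "dkim": False}
    # Receivers prepend their header, so only the topmost one is trusted here.
    headers = msg.get_all("Authentication-Results") or [""]
    authserv, results = parse_auth_results(headers[0])
    if authserv == TRUSTED_AUTHSERV:
        for method, result, props in results:
            key = {"spf": "smtp.mailfrom", "dkim": "header.d"}.get(method)
            if key and result == "pass":
                domain = props.get(key, "").rpartition("@")[2]
                verdict[method] = verdict[method] or aligned(domain, from_domain)
    verdict["authenticated"] = verdict["spf"] or verdict["dkim"]
    return verdict

# Constructed samples; in SPOOFED the lower header arrived with the message.
GENUINE = """\
Authentication-Results: mx.example.net;
 spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=bounces.amazon.com;
 dkim=pass header.d=amazon.com; dkim=pass header.d=amazonses.com;
 dmarc=pass header.from=amazon.com
From: "Amazon.com" <store-news@amazon.com>
"""
SPOOFED = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=promo@mailer.example.org; dkim=none
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=amazon.com;
 dkim=pass header.d=amazon.com
From: "Amazon.com" <store-news@amazon.com>
"""

if __name__ == "__main__":
    print(check_message(GENUINE), check_message(SPOOFED))
```

The spoofed sample shows why a bare "PASS" is not enough: SPF passes there, but for `mailer.example.org`, not for the domain in the From line.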

Nate79
Posts: 6033
Joined: Thu Aug 11, 2016 6:24 pm
Location: Delaware

Re: Amazon Spoof Question

Post by Nate79 » Tue Jun 23, 2020 12:39 pm

Moral of the story for this thread and many similar threads for other companies is that front line customer service agents don't have a clue about these details.

Topic Author
jb9
Posts: 143
Joined: Thu Feb 24, 2011 4:31 pm

Re: Amazon Spoof Question

Post by jb9 » Mon Jun 29, 2020 12:25 pm

Thanks for all the helpful suggestions.

I do wonder how the front line customer service representatives can be so mis-informed...

I really don't like these store-news@amazon.com emails because they have my full name and apparent knowledge of "hey, you bought this... and hey, how did that _____ work out?" Assuming these emails are NOT from amazon, then what is the mechanism that tells this unknown sender I have a Prime account and what I purchase? It seems disconcerting. IT forensics aside, could there just be a malicious link hiding (e.g. unsubscribe or something else) that the phisher is just waiting for someone to click? I sure as hell ain't going to click unsubscribe...

As the news cycle deteriorates, I am definitely noticing more of these malicious actors out there.

The other thought that crosses my mind is that if Amazon claims NOT to send these emails and the front line reps are told to say they are not Amazon emails, then it kinda isn't a liability for them... Also, the idea of a caller asking probing questions about underlying architecture, topology and network infrastructure is kinda social engineering, isn't it?

If it is a valid Amazon marketing email, then it probably makes sense to tell the reps to toe the party line ("We have an application (message center) which shows all emails that we have sent you... blah blah blah").

Much gratitude to the folks here who share their self-defense techniques.

I should just re-direct all these store-news emails to their phishing department... :D

Mudpuppy
Posts: 6159
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Amazon Spoof Question

Post by Mudpuppy » Mon Jun 29, 2020 1:21 pm

jb9 wrote:
Mon Jun 29, 2020 12:25 pm
I should just re-direct all these store-news emails to their phishing department... :D
Honestly, forwarding it to their spam/phishing reporting email address is the most likely way to get an actual technically informed answer about whether or not it is a legitimate email. The vast majority of the front line customer support people do not have this knowledge.

Silk McCue
Posts: 4696
Joined: Thu Feb 25, 2016 7:11 pm

Re: Amazon Spoof Question

Post by Silk McCue » Mon Jun 29, 2020 7:01 pm

Mudpuppy wrote:
Mon Jun 29, 2020 1:21 pm
jb9 wrote:
Mon Jun 29, 2020 12:25 pm
I should just re-direct all these store-news emails to their phishing department... :D
Honestly, forwarding it to their spam/phishing reporting email address is the most likely way to get an actual technically informed answer about whether or not it is a legitimate email. The vast majority of the front line customer support people do not have this knowledge.
Store-news and store_news are both valid Amazon email addresses. As I replied earlier I have hundreds of them in my history. Amazon uses many other addresses in front of Amazon.com on a regular basis. Most of the time we don’t even notice what it is.

Cheers

rich126
Posts: 1549
Joined: Thu Mar 01, 2018 4:56 pm

Re: Amazon Spoof Question

Post by rich126 » Mon Jun 29, 2020 9:57 pm

As far as I know all legitimate messages from Amazon will appear in your Account->Messages after you login to your Amazon account. If it doesn’t show up there I’d assume it isn’t legitimate.

SnowBog
Posts: 262
Joined: Fri Dec 21, 2018 11:21 pm

Re: Amazon Spoof Question

Post by SnowBog » Tue Jun 30, 2020 2:42 pm

If it wasn't made clear already, the reported address of who the email appears to be from is effectively meaningless. Just because you got 10,000 "safe" emails from an address doesn't mean "this one is safe".

Without getting into the details, think of email as nothing more than sending a letter by mail. You put a "to" address on it, that's where it gets delivered. You put a "from" address on it, but there is nothing to enforce the from address is legitimate. It's trivial to send an email with a "from" address that is fake (or duplicates with a legitimate address).

Just because an email "looks" like it came from an address you trust doesn't mean anything, just like a letter you receive in the mail may not be from the address marked on the envelope.

There's a host of technologies attempting to combat this (many of them mentioned already), but most consumer email services don't benefit from all of these. So act accordingly...

Silk McCue
Posts: 4696
Joined: Thu Feb 25, 2016 7:11 pm

Re: Amazon Spoof Question

Post by Silk McCue » Tue Jun 30, 2020 2:57 pm

SnowBog wrote:
Tue Jun 30, 2020 2:42 pm
If it wasn't made clear already, the reported address of who the email appears to be from is effectively meaningless. Just because you got 10,000 "safe" emails from an address doesn't mean "this one is safe".
True, however it is quite easy to see the true sender of an email if you ever suspect something is wrong or fishy with the content.

Cheers

Topic Author
jb9
Posts: 143
Joined: Thu Feb 24, 2011 4:31 pm

Re: Amazon Spoof Question

Post by jb9 » Tue Jun 30, 2020 3:12 pm

I did take a look at the mxtoolbox link but I wasn't exactly sure how to use it.

Could one of the more technical folks provide a quick tutorial on the exact lines from the suspect email header one should check and subsequently corroborate with the output from the mxtoolbox link?

I did see "PASS" somewhere in the email header but I am willing to ask for a bit of help in using some of these.

Is "SPF Check" a string in every email header?

Does one enter the whole suspect email address into mxtoolbox or just amazon.com?

SnowBog
Posts: 262
Joined: Fri Dec 21, 2018 11:21 pm

Re: Amazon Spoof Question

Post by SnowBog » Tue Jun 30, 2020 3:54 pm

jb9 wrote:
Tue Jun 30, 2020 3:12 pm
I did take a look at the mxtoolbox link but I wasn't exactly sure how to use it.

Could one of the more technical folks provide a quick tutorial on the exact lines from the suspect email header one should check and subsequently corroborate with the output from the mxtoolbox link?
Let's say you sell something (car, old phone, etc.)... Do you know how to inspect a check to see if it's a fraud?

Cyber crime is a "full time" job. The people in this "industry" spend their time and energy getting others to part with their time and money. You may not be aware, but there are "companies" who "sell" solutions to help people make money illegally, including with "paid support" and some even have a "money back guarantee". It's a crazy, scary world...

The old saying "caveat emptor" still applies... Don't make it easier to give your money/identity/passwords to the bad guys...

I know you think that "learning" how to research these things will help... But you'll end up making a mistake, or will fail to keep up with changes in the space... Your better option is a) enable and use things like multi-factor authentication everywhere b) avoid clicking on links (and answering unsolicited phone calls) - instead go directly to websites you trust c) keep your technology updated (it kills me to hear about people trying to hold onto old computers running outdated operating systems and applications). If more people did these things, that could make a massive difference in making it so it's not as easy to make a profit from cyber crime...

hudson
Posts: 2888
Joined: Fri Apr 06, 2007 9:15 am

Re: Amazon Spoof Question

Post by hudson » Tue Jun 30, 2020 7:21 pm

rich126 wrote:
Mon Jun 29, 2020 9:57 pm
As far as I know all legitimate messages from Amazon will appear in your Account->Messages after you login to your Amazon account. If it doesn’t show up there I’d assume it isn’t legitimate.
Today I got an email that looked like a valid Amazon email...something about getting the Amazon YouTube App for $0.00. After reading your reply, I went to my account page on Amazon and looked for Messages. It didn't take me long. There it was...a message about the YouTube App. So the email was good, I've got an idea who "bought" the app.
