Washington Post reporter Brian Krebs reported today on his Security Fix blog that hackers have created a bogus site meant to dupe users of Amazon.com, the popular online retailer, into giving up their login information.
Volunteer-based security and privacy website Castlecops.com alerted Krebs to the attack, which begins with an email message asking users to update their account credentials because Amazon.com has supposedly detected unauthorized activity.
Unsuspecting email recipients who follow the link are taken to a bogus login page that resembles the real thing while silently relaying traffic between the user's PC and the legitimate Amazon site. The attacks - a similar one hit Citibank this summer - are particularly dangerous because neither party knows they are happening, experts said.
The ruse gains further credibility when users enter the wrong login information: they are shown the same error page the real Amazon site displays when an incorrect username or password is entered.
The Amazon attack appears flawed, though, Krebs reported. First, the URL of the bogus site was not spoofed to resemble the genuine Amazon address. Second, the new anti-phishing technology built into the latest Internet Explorer and Firefox browsers appears to flag the fake site as a phishing page.
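The two flaws Krebs points to, an unspoofed hostname and a browser filter that recognises it, are the basis of simple URL-level phishing checks. The following is an added example, not code from the article or from any browser vendor; it assumes a constructed allow-list of genuine login domains, uses a simplified "last two labels" notion of registered domain, and classifies constructed sample URLs by the cues the article names (wrong host, brand name under a foreign domain, bare IP address).

```python
from urllib.parse import urlparse
import ipaddress

# Constructed allow-list for this example: domains the genuine retailer serves logins from.
LEGITIMATE_DOMAINS = {"amazon.com"}
# Brand tokens whose presence outside the allow-listed domain is a strong phishing signal.
BRAND_TOKENS = ("amazon",)


def registered_domain(host: str) -> str:
    """Return the last two labels of a hostname.

    Simplification for the example: a public-suffix list would be needed to
    handle suffixes such as co.uk correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_login_url(url: str) -> str:
    """Classify a login URL as 'legitimate', 'suspicious' or 'phishing'."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if not host:
        return "suspicious"
    # Genuine only when the registrable domain is allow-listed and the page is served over HTTPS.
    if registered_domain(host) in LEGITIMATE_DOMAINS:
        return "legitimate" if parsed.scheme == "https" else "suspicious"
    # A bare IP address serving a brand's "login" page is a classic unspoofed phishing host.
    try:
        ipaddress.ip_address(host)
        return "phishing"
    except ValueError:
        pass
    # Brand name embedded in the hostname, path or userinfo of a foreign domain
    # (e.g. www.amazon.com.example.net or www.amazon.com@evil.example).
    haystack = host + parsed.path.lower() + (parsed.username or "").lower()
    if any(token in haystack for token in BRAND_TOKENS):
        return "phishing"
    return "suspicious"


if __name__ == "__main__":
    # Constructed sample URLs; none of these are real phishing sites.
    for sample in ("https://www.amazon.com/ap/signin",
                   "http://www.amazon.com.example.net/signin",
                   "http://192.0.2.10/amazon/login",
                   "http://www.amazon.com@evil.example/login"):
        print(f"{classify_login_url(sample):<11} {sample}")
```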
An Amazon.com spokesman did not return an email seeking comment today.
"This use of man-in-the-middle is fairly new," Russell Dean Vines, president and founder of The RDV Group, a New York-based security consulting services firm, told SCMagazine.com today. "I think it's going to become better executed than this one was. These are going to become a little tougher to fight."
Man-in-the-middle phishing scheme targets Amazon.com
By Dan Kaplan on Jan 3, 2007 10:07PM