Potential Amazon mystery box scam, warns Check Point Research

Check Point Research (CPR), the Threat Intelligence arm of Check Point Software Technologies, a leading provider of cyber security solutions globally, warns of a potential phishing scam involving Amazon’s Mystery Boxes.

For the more indecisive or adventurous Amazon user, buying a Mystery Box may be the ideal solution. It is, as the name suggests, a mystery box that the customer receives at their request without knowing what it is they are ordering. The boxes usually follow specific themes and are priced differently, depending on the value assigned to the box. At first glance, this seems like a fun and rewarding idea but in the world of cybercrime it can also be seen as an opportunity for criminals.

Alerted to the malicious potential of these boxes, the CPR team conducted an investigation into the domains that sell Amazon items without actually having an affiliation with the brand. In the last week, CPR found several new websites advertising the sale of Amazon’s Mystery Boxes, as well as unclaimed products from the online retailing giant. CPR shares two real-life examples of websites that follow the same design and purpose, and are even registered under the same name.

Although they found no evidence of any malicious intent, CPR wants to alert users to the potential for suspicious activity among these pages as it wouldn’t be the first time that Amazon has been used as bait by cybercriminals. During the second quarter of 2021, Amazon featured in 11% of all brand phishing attempts, ranking third in the top ten brands used for this purpose according to CPR’s latest Brand Phishing Report.

“It’s no secret that there’s been a growing reliance on online shopping in recent years and it’s something that cybercriminals continue to take advantage of,” said Ram Narayanan, Country Manager, Check Point Software Technologies, Middle East. “And Amazon is one of the most popular brands for criminals to impersonate. We must always be alert and never get too comfortable with the convenience of online shopping. The danger here is that we end up providing banking and contact details to malicious websites, no matter how harmless they may seem on the surface. My advice to users is to always go direct to official sites, avoiding unfamiliar domains that often stand out for their attractive offers. There is an important maxim to keep in mind: if it looks too good to be true, it probably is.”

Tips to avoid becoming a victim of a phishing scam

1. Watch out for potential spelling mistakes in the domain name: before making purchases, check the domain for spelling mistakes that may highlight the malicious nature of the page, such as a “.co” instead of a “.com”
2. Use credit cards where you can: debit cards are linked to bank accounts, so the probability of attackers accessing our data is much higher. So, always use credit cards, which offer greater protection.
3. Only share the information that’s strictly necessary: making purchases online naturally means sharing some data. Be wary if you are being asked for information that you do not consider necessary for the purchase.
4. Search for the page’s security protocol: avoid buying products on pages that do not have an SSL security certificate or the https protocol.
5. Research before you buy: do some research beforehand on the website you are thinking of buying from. Look for signs that prove its credibility.