Infoblox Threat IntelTrust this “Amazon” phishing email in Japan—and you’re Prime sashimi 🎣 🍣
Looking into our malspam data, we identified an active campaign impersonating Amazon and targeting Japanese citizens. The emails use subjects such as 「至急 Amazonプライム会員情報の確認」 (“Urgent: Confirm Amazon Prime member information”).
The URLs within the emails ultimately lead to an Amazon phishing page, but only after routing victims through a TDS. Interestingly, instead of keeping the TDS step invisible, the actors chose to show it off—repackaging it as a reassuring security check.
Upon clicking the link within the email, victims are first redirected to an RDGA TDS domain, where fingerprinting occurs. If the user does not match the targeting criteria (e.g., connecting from outside Japan), access is blocked. If they do match, potential victims are redirected to a second RDGA domain.
This second and last domain is not a TDS domain, but funny enough, these actors decided they would emulate it anyway!
At that step victims are already at the landing page but instead of immediately displaying a standard Amazon phishing page, the website displays a CAPTCHA and fake console interface simulating environment fingerprinting checks to “make sure your environment and connection is safe” before "proceeding to the landing page". Ironically, part of their message is true: fingerprinting did happen one domain earlier. It just wasn’t for the user’s benefit—it was to make sure the environment was safe… for the scammers. A few seconds later, without added user interaction needed, a fake Amazon login page is displayed.
Domains samples:
qqc10c[.]cyou
51wang11c[.]cyou
#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #phishing #amazon #malspam #email #fingerprinting #japan
Dag
knoppix
John Leonard
[^BgTA^]
[^BgTA^] 
Michael Boelen
ely
Habr 25+
Habr