Most of the phishing emails I see are fairly rudimentary, often targeting users of the same-old websites (Facebook, Apple, PayPal, etc…) or a variety of online banks. It’s not that unusual for the emails to be less than convincing.
What I don’t remember receiving before is an email purporting to come from Amazon Web Services (AWS), claiming that unless I confirm I have given my correct contact information for a domain’s WHOIS record, a website I administer could be suspended.
The email is professionally presented, and might fool unwary users into clicking on the link. So the potential is definitely there (especially if you do have a server running on AWS) for credentials to be stolen.
Fortunately my wits were about me. The email address the email was sent to was not the same one that I use for my AWS account.
But even if that hadn’t been the case, following the advice of the email and clicking on the link provided isn’t going to take anyone anywhere malicious. Why? Because the phishers malformed the link right at its beginning…
We cannot always rely on criminals making elementary blunders with their phishing attacks, but thank heavens some still do.
Not to mention hitting almost every giveaway characteristic of the phishing email playbook:
– generic salutation ('Dear customer,')
– call to 'confirm details'
– time limit ('within 5 days')
– threat ('the domain has to be set on 'hold', which means it will not be useable')
Actually there is a time limit but it's not 5 days. And if you don't react in 15 days they actually do do something; it can include locking it, suspending or even terminating it until the registrant fixes the mistake.
Oh and when a domain is on hold it cannot be used.
“does not resolved”
Not an English speaker!
I would not treat this as a clear sign.
I have seen this specific wording as a result of changes between "does not get" and "is not" when QA was failing. Even in global companies addressing large customer groups.
Then they are also wrong, poor English.
I was thinking that it looked 'okay' (where 'okay' is very loosely defined) until the little part about 'hold'. It is true that ICANN requires the contact information to be correct and it does indeed risk the domains being lost, but what does 'usable regularly' mean? As for on hold, it can't be used full stop. Also the 5 days sounded suspect to me. Looking at ICANN it's actually 15 days.
That's in addition to the other things commentators here have already pointed out.
I received the same e-mail yesterday. Except the link was not malformed. Unfortunately, I was foolish enough to click on it. I quickly closed the tab when I noticed all the weird redirects it was doing and changed all my Amazon passwords to be safe. Is there anything else I should do?
It appears the malicious URL was going through two or three 302 redirects before doing something which I had never seen before and redirecting (without a 302) to the AWS login page.
Is it more likely that it was intended to have the victim type its credentials? Or was it trying to steal the session cookies?
If you're nervous you may want to ask your favourite friendly anti-virus company to take a look at the URL to see if they can see any evidence that the pages you were taken to might have tried to infect your computer, but the likelihood – I suspect – is that it was simply a phishing attack. If that's right then as long as you didn't enter your credentials you should be okay.
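The commenter above saw a chain of 302 redirects ending in a redirect "without a 302" to the real login page, and the post itself notes a link broken at its beginning. An analyst can see both without opening the link in a browser by following redirects one hop at a time with a plain HTTP client that neither follows redirects itself nor runs scripts, and treating meta-refresh and JavaScript `location` assignments in the body as client-side hops. The following Python tracer is an added example, not code from the post or from any commenter; the `fetch` function is injected (a real one would wrap `requests.get(url, allow_redirects=False, timeout=10)` on an isolated analysis host), the `.invalid` and `example.com` hostnames are a constructed stand-in for the phisher's hosts and for the genuine login page, and the "ttp://" link is an invented stand-in for a malformed scheme, not the actual defect in the email.

```python
"""Offline tracer for a suspicious link's redirect chain (added example)."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlparse

# fetch(url) -> (status, headers, body). It must NOT follow redirects or
# run scripts. A real one would wrap requests.get(url, allow_redirects=False,
# timeout=10) on an isolated analysis host; it is injected here so the
# tracer can run against constructed data without network access.
Fetcher = Callable[[str], Tuple[int, Dict[str, str], str]]

# Client-side redirects a browser follows silently but a plain HTTP client
# reports as a 200 (the "redirect without a 302" seen in the comment).
META_REFRESH = re.compile(
    r'<meta[^>]*http-equiv=["\']?refresh["\']?[^>]*url=([^"\'>\s]+)', re.I)
JS_LOCATION = re.compile(
    r'(?:window\.|document\.)?location(?:\.href)?\s*(?:=|\.replace\()\s*["\']([^"\']+)["\']',
    re.I)


@dataclass
class Hop:
    url: str
    status: Optional[int]
    kind: str   # http | meta-refresh | js | final | malformed | loop | limit


def trace(url: str, fetch: Fetcher, max_hops: int = 10) -> List[Hop]:
    """Follow HTTP and client-side redirects from url, recording each hop."""
    hops: List[Hop] = []
    seen = set()
    current = url
    for _ in range(max_hops):
        parsed = urlparse(current)
        # A link whose scheme is broken never reaches a server at all.
        if parsed.scheme not in ("http", "https") or not parsed.netloc:
            hops.append(Hop(current, None, "malformed"))
            return hops
        if current in seen:
            hops.append(Hop(current, None, "loop"))
            return hops
        seen.add(current)
        status, headers, body = fetch(current)
        location = {k.lower(): v for k, v in headers.items()}.get("location")
        if 300 <= status < 400 and location:
            hops.append(Hop(current, status, "http"))
            current = urljoin(current, location)
            continue
        m = META_REFRESH.search(body)
        if m:
            hops.append(Hop(current, status, "meta-refresh"))
            current = urljoin(current, m.group(1))
            continue
        m = JS_LOCATION.search(body)
        if m:
            hops.append(Hop(current, status, "js"))
            current = urljoin(current, m.group(1))
            continue
        hops.append(Hop(current, status, "final"))
        return hops
    hops.append(Hop(current, None, "limit"))
    return hops


def summarize(hops: List[Hop]) -> Dict[str, object]:
    """Condense a chain into the facts an analyst wants at a glance."""
    return {
        "ended": hops[-1].kind,
        "final_url": hops[-1].url,
        "http_redirects": sum(h.kind == "http" for h in hops),
        "client_side_redirects": sum(h.kind in ("meta-refresh", "js") for h in hops),
        "hosts": [urlparse(h.url).netloc for h in hops],
    }


# Constructed sample site: reserved .invalid / example.com names stand in
# for the phisher's relay hosts and for the genuine login page.
SAMPLE_SITE = {
    "http://confirm-whois.invalid/verify?id=42":
        (302, {"Location": "http://hop2.invalid/r"}, ""),
    "http://hop2.invalid/r":
        (302, {"Location": "/landing"}, ""),
    "http://hop2.invalid/landing":
        (200, {}, '<meta http-equiv="refresh" content="0; url=http://hop3.invalid/p">'),
    "http://hop3.invalid/p":
        (200, {}, '<script>window.location.href="https://aws-login.example.com/";</script>'),
    "https://aws-login.example.com/":
        (200, {}, "<html><form>sign in</form></html>"),
}


def offline_fetch(url: str) -> Tuple[int, Dict[str, str], str]:
    """Stand-in fetcher that serves the constructed sample site."""
    return SAMPLE_SITE.get(url, (404, {}, ""))


if __name__ == "__main__":
    # "ttp://" is an invented stand-in for a link malformed at its start.
    for link in ("http://confirm-whois.invalid/verify?id=42",
                 "ttp://confirm-whois.invalid/verify?id=42"):
        chain = trace(link, offline_fetch)
        for h in chain:
            print(f"{h.kind:13} {str(h.status):5} {h.url}")
        print(summarize(chain), "\n")
```

The list of hosts is the useful output: every host before the final one had the chance to serve content or set cookies, and a chain that passes through unknown hosts before landing on the real login page is exactly what the commenter described. The tracer only reports what the chain does; whether a landing page showed a credential form before bouncing is something a plain fetch cannot tell you, which is why the reply above points to having the URL examined rather than revisiting it.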