Clever Amazon Phishing Scam Creates Login Prompts in PDF Docs


The purpose of any phishing scam is to cause you not to do anything. This is the case with a phishing campaign that uses pdf attachments that prompt logins to appear valid for many.

If you regularly read Cyber guards, you understand that our readers may meet interesting phishing scams. It’s to make them aware so that they don’t fall into scams from the remainder.

This is the situation with the recent phishing campaign discovered and communicated with us by Reversing Labs before publishing.

What sets this scam out is that it utilizes fake JavaScript login forms produced directly by the PDF attachment instead of using fake landing pages.

“Credential robbery through JavaScript enabled documents is one such vector that could be ignored,” the scientists indicated in their study. “It does not depend on malicious connections or domain spoofing, but on document scripts that produce the same impact”

Tax records are often self-protected with login notifications

You are likely to be aware of password-protected PDF documents used to safeguard sensitive tax data when you send tax files regularly by e-mail to your company.


In this scam against the German victims, the scammers are pretending to send you an Amazon tax invoice and say that you must log into your Amazon Seller’s account to view the tax invoice.


If you open the attached PDF file, a fake login prompt, which is produced with JavaScript, will be displayed, requesting your Amazon e-mail and password. As it is a tax document and specifically says a customer needs to log in to view it, some users may believe that this is a lawful request and enter login credentials.

“The document requests the reader to log in and they can see the tax records they send. As explained in the email, this screen is expected, and typing the credentials into it shows the summary data. As unusual as it might be, a unconsidered reader may brush it off as a safeguard to keep your private information secure”.


However, in fact this login prompt is displayed by a JavaScript script that instead submits any submitted credentials to a long URL at http:/ GTHDGT4U7YWEWE 84GTYS.abecklink.


Once the credentials have been entered, attackers have complete access and can use your Amazon account as if they were the new proprietor.

Protect yourself against this kind of scam.

We usually inform you to check any landing pages ‘ URL for phishing scams to ensure they look valid. We also recommend that you log on to locations in your official domains only, not via an attachment.

In this case, a login prompt will be generated to open a protected PDF document, no URLs will be displayed, and this would occur.

This is why you always have to check the sender’s landing page URLs to ensure that they fit with a legitimate domain and the email you received.

You have to be even more vigilant when it comes to tax papers and reach the sender to verify that they have sent you sensible data via email.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.