12

I just got either a helpful security update from Amazon or an advanced phishing attempt by an Amazon impersonator falsifying the email origin. The title is "Your Amazon password has been changed".

There seem to be mixed claims about the validity of this online. One of the articles I'll cite mentions that in his version of this email, each mention of "Amazon.com" is formatted as a link. The article doesn't mention verifying the target of the link and unfortunately (or fortunately) my email client (Yahoo mail) seems to have removed this link from the text, perhaps to combat such phishing attempts.

I'm not worried about being in danger myself, but I thought it would be good to create this question for people searching Google about this email today to learn about the validity of it or lack thereof.

The email reads:

Hello,

At Amazon we take your security and privacy very seriously. As part of our routine monitoring, we discovered a list of email addresses and passwords posted online. While the list was not Amazon-related, we know that many customers reuse their passwords on multiple websites. Since we believe your email addresses and passwords were on the list, we have assigned a temporary password to your Amazon.com account out of an abundance of caution.

You will need to reset your password when you return to the Amazon.com site. To reset your password, click "Your Account" at the top of any page on Amazon.com. On the Sign In page, click the "Forgot your password?" link to reach the Amazon.com Password Assistance page. After you enter your email or mobile phone number, you will receive an email containing a personalized link. Click the link from the email and follow the directions provided.

Your new password will be effective immediately. We recommend that you choose a password that you have never used with any website.

You can also enable Amazon's Two-Step Verification, a feature that adds an extra layer of security to your account. In addition to entering your password, Two-Step Verification requires you to enter a unique security code during sign in. To learn more about Two-Step Verification, go to Amazon.com Help, go to Managing Your Account, and click More in Managing Your Account, and then click More under Account Settings.

Sincerely,

Amazon.com http://www.amazon.com

This e-mail was sent from an address that cannot accept incoming e-mail. To contact us, please visit the Help section of our website.

A quick Google search of the first paragraph returns one article claiming the email is a valid security measure from Amazon, while the other claims it to be a phishing scam. Which is it?


One comment reports they contacted Amazon about the email and received this response:

Hello,

The e-mail/SMS message you received wasn't from Amazon.com. For your protection, do not respond to it, and do not open any attachments or click any links it contains.

We recommend that you send a new e-mail/SMS message and attach the e-mail/screenshot of the message you suspect is a fake, then send the e-mail to stop-spoofing@amazon.com.

However another comment claims:

My wife got this email also. I contacted amazon through my account and we were able to confirm that this was indeed really from amazon and that they did scramble passwords.

J.Todd

  • I don't really see how this could be a phishing scam since it's not linking to any phishing site or asking you to provide any account details to the sender. Looks like a perfectly legitimate security measure to me. – Ajedi32 Jun 15 '16 at 17:31
  • @Ajedi32 one of the articles reports that in his version of the email, everywhere Amazon.com was listed, Amazon.com was formatted as a link which someone might click rather than typing the address themselves. It's possible that my Yahoo email client removes such links to counter such phishing attempts. – J.Todd Jun 15 '16 at 17:37
  • When in doubt - go directly to Amazon's website and change the password from there. Then you can delete the e-mail, knowing that the worst-case scenario is you unnecessarily changed your password. – tonysdg Jun 15 '16 at 17:38
  • @tonysdg Right. I'm not worried about being in danger myself. This question is more about creating a reliable resource about this email searchable on Google where everyone else who got the email today might be able to learn whether it's a phishing attempt or not. – J.Todd Jun 15 '16 at 17:41
  • If that's your goal, I suggest you contact Amazon yourself, and once they reply, you could write what they told you as an answer. That being said, as @tonysdg says, one unnecessary password change won't hurt you. – A. Darwin Jun 15 '16 at 17:56
  • From my experience amazon.com mails have a DKIM signature. If you have a DKIM-aware mail reader it should show you if the mail has a valid DKIM signature and then you can be sure it was sent by amazon, or at least using their mail server. – Steffen Ullrich Jun 15 '16 at 17:57
  • @SteffenUllrich There does appear to be a DKIM signature but I went ahead and called Amazon about this and they verified it was not a real Amazon email. `DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=eaxkvsyelrnxjh4cicqyjjmtjpetuwjx; d=amazon.com; t=1465968915; h=From:To:Message-ID:Subject:MIME-Version:Content-Type:Date; bh=6MBHnat6TXZGDjYr8xS+fQIKeGWNo2gEkiV7HI92Lgk=; b=GhJgCJCM6N1IksIdk3YMJAN01Rs/5i5Qo8V/DW/exZk/lv0n00lRSgx+H6GgJ0Cm 6VOi0o848HKD6ozzXuOrtw0NqRVHFUEG9/37yBfhYMW9nt5+fa3jqL4PaA4kqhsH52a 70SEPkxxhqZGjN4kmR2lLyYs9LWPo0Zmc0jdjx3I=` (...) – J.Todd Jun 15 '16 at 18:15
  • @Viziionary: a DKIM signature can only be verified against the full mail (the source code incl. all headers). Just the header is not enough since in this case it could be simply copied and reused. – Steffen Ullrich Jun 15 '16 at 19:04
  • I find the whole thing odd. Why would Amazon be searching around the Internet for lists of emails and passwords that are "non-Amazon related"? Would they really be investing the time in making the connection to Amazon customers? As others have also noted, would Amazon really send out a message with the subject line of "Your password has been changed" when it hasn't been? – Sep 17 '16 at 13:09
  • Large clue: The first line of the e-mail is "Hello,", not "Hello Jim Viziionary" (fill in real name, of course). The sender doesn't know your name. Amazon would, and would include it in any correspondence. I'm voting for it as an incredibly clumsy phishing attempt--I got one today, but there's no link in it. – user1329482 Apr 11 '17 at 19:47
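Steffen Ullrich's point in the comments, that a pasted DKIM-Signature header proves nothing without the full message, can be checked concretely. The following is an added example, not code from the question, the commenters, or Amazon: it parses the DKIM-Signature tags, canonicalizes the body as the c= tag says, and recomputes the bh= body hash, which is what a DKIM-aware receiver does before it even gets to checking the b= signature. It stops short of the signature itself, since that needs the selector's public key from DNS. The message it runs on is constructed for the example, with example.com as the signing domain and a placeholder b= value; the bh= tag is computed so that the sample verifies, and a second copy with a link appended to the body shows the mismatch.

```python
"""Recompute the bh= body hash of a DKIM-Signature over the actual message body.

Added example, not code from the question or from Amazon. Only the body hash is
checked; the b= signature over the headers also needs the selector's public key
from DNS, which this offline example does not fetch (see RFC 6376, section 3.7).
"""
import base64
import hashlib
import re


def parse_dkim_tags(header_value: str) -> dict:
    """Split 'v=1; a=rsa-sha256; ...' into a tag dict, dropping folding whitespace."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)  # bh=/b= values end in '=' padding, so split once
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def _strip_trailing_empty(lines: list) -> list:
    while lines and lines[-1] == b"":
        lines.pop()
    return lines


def canonicalize_body_simple(body: bytes) -> bytes:
    """'simple': CRLF line ends, trailing empty lines removed, exactly one CRLF at the end."""
    lines = _strip_trailing_empty(body.replace(b"\r\n", b"\n").split(b"\n"))
    return b"\r\n".join(lines) + b"\r\n"


def canonicalize_body_relaxed(body: bytes) -> bytes:
    """'relaxed': additionally strip trailing whitespace per line and collapse SP/TAB runs."""
    lines = [re.sub(rb"[ \t]+", b" ", ln.rstrip(b" \t"))
             for ln in body.replace(b"\r\n", b"\n").split(b"\n")]
    lines = _strip_trailing_empty(lines)
    return b"\r\n".join(lines) + b"\r\n" if lines else b""


def body_hash(body: bytes, canon: str, algo: str) -> str:
    canonical = canonicalize_body_relaxed(body) if canon == "relaxed" else canonicalize_body_simple(body)
    digest = hashlib.sha1 if algo == "rsa-sha1" else hashlib.sha256
    return base64.b64encode(digest(canonical).digest()).decode()


def check_body_hash(raw_message: bytes) -> dict:
    """Find DKIM-Signature, recompute bh= over the body, and report what the signature covers."""
    head, _, body = raw_message.partition(b"\r\n\r\n")
    unfolded = re.sub(rb"\r\n[ \t]+", b" ", head).decode(errors="replace")
    sig = next((h for h in unfolded.split("\r\n") if h.lower().startswith("dkim-signature:")), None)
    if sig is None:
        return {"signed": False}
    tags = parse_dkim_tags(sig.split(":", 1)[1])
    body_canon = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    if "l" in tags:
        body = body[: int(tags["l"])]  # l= limits the hashed length; anything appended past it is unsigned
    computed = body_hash(body, body_canon, tags.get("a", "rsa-sha256"))
    signed_headers = {h.lower() for h in tags.get("h", "").split(":")}
    return {
        "signed": True,
        "domain": tags.get("d"),
        "selector": tags.get("s"),
        "body_hash_matches": computed == tags.get("bh"),
        "from_is_signed": "from" in signed_headers,
        "length_limited": "l" in tags,
    }


def build_sample(body: bytes, bh: str) -> bytes:
    """Constructed sample mail (not a real Amazon message); b= is a placeholder, not a real signature."""
    return (
        b"DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;\r\n"
        b" s=selector1; d=example.com; t=1465968915;\r\n"
        b" h=From:To:Subject:Date; bh=" + bh.encode() + b";\r\n"
        b" b=AAAA\r\n"
        b"From: Example Shop <account-update@example.com>\r\n"
        b"To: customer@example.net\r\n"
        b"Subject: Your password has been changed\r\n"
        b"Date: Wed, 15 Jun 2016 05:35:15 +0000\r\n"
        b"\r\n" + body
    )


SAMPLE_BODY = b"Hello,\r\n\r\nWe have assigned a temporary password to your account.\r\n"
SAMPLE_BH = body_hash(SAMPLE_BODY, "simple", "rsa-sha256")
SAMPLE_MESSAGE = build_sample(SAMPLE_BODY, SAMPLE_BH)
# The same header copied onto a body with a link added: bh= no longer matches.
TAMPERED_MESSAGE = build_sample(SAMPLE_BODY + b"Reset it at http://example.org/reset\r\n", SAMPLE_BH)
```

`check_body_hash(SAMPLE_MESSAGE)` reports `body_hash_matches: True`, while the copied header over `TAMPERED_MESSAGE` reports `False`. A header alone gives you the signing domain and selector and tells you whether From: is among the signed headers, but only the recomputation over the body (and then the signature check a mail server performs) says whether the mail in front of you is the one that was signed.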

8 Answers

7

I called Amazon and the representative verified that no such email had been sent by Amazon. This may be a phishing attempt. The original email seems (according to other reports) to include link-formatted "Amazon.com" text, which may be a link to a fake version of the site. I can't see this in mine, possibly due to a measure by Yahoo Mail to remove such link formatting to avoid phishing attempts like this.

Edit: As mentioned in comments, there could be a valid strand of this email and a duplicate malicious strand, with the false link formatting for phishing purposes.

Beware: there are people claiming this is a legit email. While I can't 100% deny the possibility, I'm skeptical: it would be smart for the sender of phishing mail to write that it's a real email on related web pages such as this one. Also note that the directions in the email don't make sense. The title of the email is "Your password has been changed" - but my password was still active.


Update:

I commented skeptically toward answers here claiming the email was legitimate, however I might be pulling the trigger prematurely. My answer assumes:

  • The customer service rep I spoke to was fully informed.
  • No identical legitimate email had been copied in the past, or even in the past 24 hours, and false link-formatted duplicates were sent out by a malicious user.

Both are possibilities to consider.

J.Todd

  • This assumes that customer support reps are never wrong, and are always fully informed. – Adam Shostack Jun 15 '16 at 22:07
  • @AdamShostack Interesting possibility, but what about the fact that my password wasn't affected in any way? It seems doubtful that Amazon would send an email titled "Your password **has been** changed" if it indeed has not and I'm able to log in as usual without changing it. – J.Todd Jun 16 '16 at 17:52
  • Yes, that's the essence of my answer: see if your password is affected. – Adam Shostack Jun 16 '16 at 22:20
  • Is the fact that the link is `http` instead of `https` significant? I think GMail may automatically redirect to `https`, but perhaps some other e-mail programs don't and they are counting on the victim clicking on that link. – Jacob Bond Sep 19 '16 at 13:12
3

I'm going to say it's fake. If it's a real Amazon password reset demand, then you should be prompted to change your password at next login, not need to follow all those steps.

You can also check: does your old password work? Does the temporary password work? If no/yes, then it's real. If yes/no, then it's fake.

Adam Shostack

  • Do you think the user below (Ian X) claiming it's legit, verified through personal experience is of malicious intent, a troll, or possibly correct? – J.Todd Jun 17 '16 at 18:26
  • @Viziionary Any are possible; what he sees and what you see might be different. For example, it's not uncommon for spammers who find a real email from a company to slightly modify it and then use that as the base for their email. So even if he's honestly presenting his experience that doesn't make the email in your inbox safe. – Adam Shostack Jun 17 '16 at 18:51
  • Answers are meant to be considered and justifiable, not "I bet" – paj28 Sep 14 '16 at 10:26
  • Edited; s/bet/say/ – Adam Shostack Sep 19 '16 at 23:36
3

I've just received a similar email and the email appears legit. I was searching for information on what list it would be to know what else might have been affected.

It has the right headers in authentication:

Received-SPF: pass (google.com: domain of 2016061614470736b293d09e3b4022b187117dcb50p0eu@bounces.amazon.co.uk designates 176.32.127.205 as permitted sender) client-ip=176.32.127.205;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@amazon.co.uk;
       dkim=pass header.i=@amazonses.com;
       spf=pass (google.com: domain of 2016061614470736b293d09e3b4022b187117dcb50p0eu@bounces.amazon.co.uk designates 176.32.127.205 as permitted sender) smtp.mailfrom=2016061614470736b293d09e3b4022b187117dcb50p0eu@bounces.amazon.co.uk;
       dmarc=pass (p=QUARANTINE dis=NONE) header.from=amazon.co.uk

The email is also text/plain; there are no links or other stuff, so it seems legit.

My email was slightly different and had no link at the end:

Hello Manuel Sousa,

This is an important message from Amazon.

At Amazon we take your security and privacy very seriously. As part of our routine monitoring, we discovered a list of email address and password sets posted online. While the list was not Amazon-related, we know that many customers reuse their passwords on several websites. We believe your email address and password set was on that list. So we have taken the precaution of resetting your Amazon password. We apologize for any inconvenience this has caused but felt that it was necessary to help protect you and your Amazon account.

To regain access to your Amazon customer account:

1.  Go to Amazon and click the "Your Account" link at the top of our website.

2.  Click the link that says "Forgot your password?"

3.  Follow the instructions to set a new password for your account.

Please choose a new password and do not use the same password you used with us previously. We also highly recommend that you choose a password that you are not using on any other sites. We look forward to seeing you again soon.

Sincerely,

Amazon


Please note: this e-mail was sent from an address that cannot accept incoming e-mail. To contact us about an unrelated issue, please visit the Help section of our website.

Also, my password at Amazon had been disabled and I had to reset it.

Manuel Sousa

  • This is a 100% fake. If you need to "regain" access then how can you access your account to do those things? – J.Todd Jun 16 '16 at 17:58
  • When I accessed the account with my "old" settings a message showed them as invalid and prompted to reset the password, which I did following the normal steps. Notice that the email doesn't have any link, so I went to Amazon as I normally do and then entered my user/password and then proceeded with the reset. – Manuel Sousa Jun 17 '16 at 09:23
  • Perhaps I pulled the trigger early on this. See the addition to my answer. I've removed my downvote. – J.Todd Jun 18 '16 at 16:41
  • Thanks, here's a news article that claims both Amazon and Netflix have been sending these. http://www.dailydot.com/technology/amazon-netflix-password-change/. I just wish I knew what list it was... – Manuel Sousa Jun 20 '16 at 09:36
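The Authentication-Results header quoted in this answer is the right thing to look at, but two details matter that a bare "pass" hides. First, the header is only worth anything if it was written by your own receiving server: the authserv-id before the first semicolon (here mx.google.com) names who wrote it, and a sender can insert a forged Authentication-Results header of their own, so any copy not bearing your server's id should be ignored. Second, of the two dkim=pass results only the one whose signing domain aligns with the From: domain counts for DMARC; the @amazonses.com signature belongs to the sending service, not the brand. The following added example, not code from the answer or from Amazon, parses the header per RFC 8601 and applies those two checks. It reuses the header lines Manuel posted as sample input; the From: and Subject: lines are assumed, since the answer does not show them. Note that passing all three only tells you which domain sent the mail, not whether its contents are safe.

```python
"""Read a receiving server's Authentication-Results the way a triage analyst should:
not "does it say pass" but "did MY mail server record the pass, and is the passing
domain the one shown in From:".

Added example, not code from the answer. SAMPLE_HEADERS reuses the Received-SPF and
Authentication-Results lines Manuel Sousa posted; From: and Subject: are assumed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

SAMPLE_HEADERS = """\
Received-SPF: pass (google.com: domain of 2016061614470736b293d09e3b4022b187117dcb50p0eu@bounces.amazon.co.uk designates 176.32.127.205 as permitted sender) client-ip=176.32.127.205;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@amazon.co.uk;
       dkim=pass header.i=@amazonses.com;
       spf=pass (google.com: domain of 2016061614470736b293d09e3b4022b187117dcb50p0eu@bounces.amazon.co.uk designates 176.32.127.205 as permitted sender) smtp.mailfrom=2016061614470736b293d09e3b4022b187117dcb50p0eu@bounces.amazon.co.uk;
       dmarc=pass (p=QUARANTINE dis=NONE) header.from=amazon.co.uk
From: Amazon.co.uk <account-update@amazon.co.uk>
Subject: Your Amazon password has been changed

"""


def parse_authentication_results(value: str) -> dict:
    """RFC 8601 syntax: 'authserv-id; method=result prop=value ...; ...' -> dict."""
    value = re.sub(r"\([^)]*\)", "", value)                      # drop (comments)
    clauses = [c.strip() for c in re.sub(r"\s+", " ", value).split(";") if c.strip()]
    authserv_id = clauses[0].split()[0].lower()                   # who wrote this header
    results = []
    for clause in clauses[1:]:
        tokens = clause.split()
        method, _, result = tokens[0].partition("=")
        props = dict(tok.split("=", 1) for tok in tokens[1:] if "=" in tok)
        results.append({"method": method.lower(), "result": result.lower(), "props": props})
    return {"authserv_id": authserv_id, "results": results}


def parse_message_results(raw: str) -> list:
    """Every Authentication-Results header in the raw message, parsed."""
    msg = message_from_string(raw)
    return [parse_authentication_results(h) for h in msg.get_all("Authentication-Results", [])]


def domains_aligned(identity: str, from_domain: str) -> bool:
    """DMARC-style relaxed alignment, simplified: equal, or one a subdomain of the other.
    Real DMARC compares organizational domains via the Public Suffix List."""
    domain = identity.rpartition("@")[2].lower()                  # header.i may be user@domain or @domain
    from_domain = from_domain.lower()
    return domain == from_domain or domain.endswith("." + from_domain) or from_domain.endswith("." + domain)


def assess(raw: str, my_mail_server: str) -> dict:
    """Summarize what the authentication headers let you conclude about the From: domain."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    verdict = {"from_domain": from_domain, "trusted_results": 0,
               "spf_pass": False, "dkim_aligned_pass": False, "dmarc_pass": False}
    for ar in parse_message_results(raw):
        if ar["authserv_id"] != my_mail_server.lower():
            continue       # a sender can add this header too; trust only the one your own server wrote
        verdict["trusted_results"] += 1
        for r in ar["results"]:
            p = r["props"]
            if r["result"] != "pass":
                continue
            if r["method"] == "spf":
                verdict["spf_pass"] = True
            elif r["method"] == "dkim" and domains_aligned(p.get("header.i", p.get("header.d", "")), from_domain):
                verdict["dkim_aligned_pass"] = True
            elif r["method"] == "dmarc" and p.get("header.from", "").lower() == from_domain:
                verdict["dmarc_pass"] = True
    verdict["authenticated_sender"] = verdict["dmarc_pass"] or verdict["dkim_aligned_pass"]
    return verdict
```

With `assess(SAMPLE_HEADERS, "mx.google.com")` all three checks pass for amazon.co.uk; the same headers read by a client whose own server is, say, mail.example.net yield zero trusted results, because the only Authentication-Results present was written by someone else. That is exactly the header a phisher would be tempted to paste in.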
1

It's legit. I received the same email, and yes my Amazon password had been disabled.

To regain access I just followed the email's instructions, reset my password, and then I was in.

I reviewed my order history, but nothing was amiss. But now I've also been checking all the "haveibeenpwned" type sites, and can't find any that actually say that my email appeared in any leak... I wish I knew what it was that Amazon knew!

Ian X
1

There is some debate about whether the wording of the message is correct, however it is trivial to copy wording. Clues about the origin of the email and what it is trying to effect are in the header content and any interactive content in the email (i.e. URLs - do not attempt to open suspect attachments but do scan them for malware if you are confident you can do this safely).

Note that the text shown in a web link is NOT the same as what the link points to.

The claimed sender of the email should also know if the email is genuine or not, but make sure you forward the email to a known valid address, don't just reply!

Most legitimate organisations take an active interest in preventing phishing. Including the full headers will help them; most modern mail agents hide this information and strip it out from replies and forwards. Copy the original headers into your follow-up email.

symcbean
1

The correct answer to this depends on whether any links go to Amazon.com or elsewhere. There may be multiple versions of this email - some sent from Amazon, and some sent from scammers. Hovering the mouse over the links will verify their actual destination in a tooltip, or possibly in the status bar. Note that this only applies to emails displayed in webmail clients - general websites where the content owner has full control over scripting may run script to change the status or to change the URL when you mouseover any link.

If the links go to Amazon themselves, then you have nothing to worry about. The usual caveats apply - ensure the domain is actually Amazon's and make sure that HTTPS is used on any pages that ask for your password.

The best advice is to never follow links in emails and always type the address manually (or even use bookmarks for your important sites like banking and email).

You can also verify email headers and check for DKIM signing (make sure it includes the message body) and SPF. Only advanced users need worry about these, as mail servers should be keeping an eye on these headers anyway for their spam confidence scoring. Normal users can simply follow the advice above - even if they do change their password over a secure link, the attacker will have gained nothing.

SilverlightFox
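The mismatch between a link's visible text and its target that this answer tells you to look for by hovering can also be found mechanically, which is what you want when triaging a mail for other people rather than for yourself. The following added example, not code from the answer, walks the anchors in an HTML mail body and flags any whose visible text names a domain the href does not actually go to; as a weaker, separate signal (see the comment thread above on http vs https) it also flags plain-http links. The HTML is constructed for the example and amazon.com.account-verify.example is a placeholder lookalike domain.

```python
"""Flag links whose visible text names one host while the href points at another.

Added example, not code from the answer; SAMPLE_HTML is constructed and the
lookalike domain in it is a placeholder.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Something that looks like a bare domain or URL inside a link's visible text.
HOST_IN_TEXT = re.compile(r"(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def same_site(link_host: str, text_host: str) -> bool:
    """True when the link host is the named host or a subdomain of it (www.amazon.com for amazon.com).
    A lookalike such as amazon.com.evil.example is neither."""
    link_host, text_host = link_host.lower(), text_host.lower()
    return link_host == text_host or link_host.endswith("." + text_host)


def audit_links(html: str) -> list:
    """One record per link, with the list of issues found for it (empty when it looks honest)."""
    collector = LinkCollector()
    collector.feed(html)
    report = []
    for href, text in collector.links:
        url = urlparse(href)
        issues = []
        if not url.hostname:
            issues.append("no_host")             # mailto:, javascript:, relative or malformed href
        else:
            named = HOST_IN_TEXT.search(text)
            if named and not same_site(url.hostname, named.group(1)):
                issues.append("host_mismatch")   # text says one site, the link goes to another
            if url.scheme == "http":
                issues.append("plain_http")      # not proof of a scam, but a login page should be https
        report.append({"href": href, "text": text, "issues": issues})
    return report


def suspicious_links(html: str) -> list:
    """Only the links where the displayed domain and the real destination disagree."""
    return [r for r in audit_links(html) if "host_mismatch" in r["issues"]]


# Constructed sample: one honest link, one lookalike, one plain-http link, one mailto.
SAMPLE_HTML = """
<p>To reset your password, visit <a href="https://www.amazon.com/ap/signin">Amazon.com</a>.</p>
<p>Or use <a href="http://amazon.com.account-verify.example/reset">Amazon.com</a> now.</p>
<p>Sincerely,<br><a href="http://www.amazon.com">Amazon.com http://www.amazon.com</a></p>
<p><a href="mailto:stop-spoofing@amazon.com">Report spoofing</a></p>
"""
```

Running `suspicious_links(SAMPLE_HTML)` returns only the second link: its text reads "Amazon.com" but the host is amazon.com.account-verify.example, where amazon.com is merely the first two labels of an attacker-controlled name. The plain-http link to www.amazon.com is reported but not treated as a mismatch, consistent with the point made in the comments that http alone does not make a mail a scam.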
-1

I'm guessing this is fake as it came to an email address of mine that I'd never used or registered with Amazon before.

But if you want to be 100%, actually type in Amazon's url as opposed to clicking on the links in the email. At best, clicking on the links lets the sender know your email is active and you'll start getting more and more spam. And that's the BEST case scenario.

I'm just deleting it.

Haley
-2

I'm going to guess the email is not legit. The actual URL for Amazon indicates it is a secure site. https.amazon.com The URL provided in the email is not secure - it shows http - without the s.

I would ignore the message. I know I am going to.

  • 1
    Having a link without SSL is no indication to a scam itself, as the attacker would need to perform a MITM attack to do anything with you clicking on it. An attacker with MITM capabilities wouldn't send out suspicious emails. – James Cameron Sep 19 '16 at 20:55