Big Discounts, Big Scams: Amazon and Flipkart Customers in the Crosshairs

As the biggest sale of the season approaches, online shoppers need to be extra careful. Scammers are cloning popular e-commerce sites like Amazon and Flipkart in a bid to steal your money. These fake sites often look exactly like the real thing, tricking unsuspecting users into entering payment and their personal information.

Especially when it comes to online shopping, Amazon and Flipkart reign supreme as global giants, gaining the trust and preference of customers all over the world, including India. However, their immense popularity also makes them a prime target for hackers and scammers who create fake versions of these websites to scam customers.

According to an Israeli cybersecurity solutions provider, Check Point Software TechnologiesIn June 2024, there were approximately 1,230 domains associated with Amazon. In addition, 85% of the links were flagged as malicious or suspicious. In addition, 1 in 80 new Amazon-related domains identified as malicious or suspicious contain the phrase “Amazon Prime.”

Besides, the India Today Open Source Intelligence (OSINT) team investigated the matter further by conducting a reverse domain search on Flipkart, there were over 3000 websites that used flipkart in their domain name. A closer look revealed that out of the 100 websites, around 20 websites were directing users to gambling websites with the name “Joya(.)casino”. The gambling website, which was registered in February last year, claims to have a license from the government of Curacao, a Dutch island in the Caribbean. Also, some of the domain names using flipkart in their domain name are flipkart(.)gift, flipkart(.)cricket, flipkart(.)desi and flipkart(.)delivery, which can easily confuse any buyer.

In one pattern, searches for the help section of shopping sites led to fake domains whose name appeared to be real. One such site, called “flipkart(.)help,” appears to be a complaint or help site associated with Flipkart, but in reality redirects to a gambling site.

Reports suggest that Amazon is approaching Amazon Prime Day on July 16-17, 2024 worldwide and in India on July 20-21, 2024, which is not only attracting regular users but also drawing the attention of hackers. These hackers aim to breach user privacy and personal data through phishing sites that imitate legitimate sites but are actually malicious.

During last year’s Prime Day sale, Amazon sold over 375 million products, saving customers $2.5 billion across millions of deals on the Amazon store. This year’s event is also highly anticipated by Prime Day shoppers. However, scammers have taken advantage of this busy period to launch phishing attacks aimed at stealing personal and financial information.

Attachments or links to fake websites, cloned to resemble the homepages of trusted sites, are distributed to targeted users via email or social media. For example, Amazon-onboarding(.)com, registered on June 1, spoofed the Amazon login page to specifically target credentials related to the carrier. Reports highlight incidents in the United States, where fake emails containing PDF attachments claim that Amazon users’ accounts are suspended due to billing issues. Recipients are then tricked into clicking a phishing link that takes them to the fake site to update their payment details.

Last year, a similar incident was reported where cybercriminals used the Diwali holiday to lure users to phishing and gambling sites, using sneaky tactics like typosquatting to make their fake sites look legitimate. For example, they changed “shop(.)com” to “shoop(.)xyz” – same look, same content, just to trick users.

To help online shoppers stay safe, researchers recommend several practical security measures. The first step is to check URLs for spelling errors or unknown top-level domains, a common tactic used by malicious sites to trick users.

Consumers should ensure that their passwords are strong and unique for each site, offering strong protection against unauthorized access. HTTPS protocol and the padlock icon in site URLs must be confirmed to ensure secure connections when sharing personal information. Extreme caution should be exercised with emails, especially those that urge immediate action or offer unrealistically good deals, as these are often phishing attempts.

Finally, it is recommended to use credit cards instead of debit cards for online purchases to benefit from better fraud protection and reduced liability. These precautions can significantly reduce the risk of becoming a victim of online fraud and provide a safer shopping experience.