go to sections menu

A possible fraudster posing as amazon on the loose from blog The Technology blog and podcast

This is for the technology blog and podcast Commentary, articles, and podcasts

header picture for Ingegno theme

You are here: security news and commentary > A possible fraudster posing as amazon on the loose

Go to Homepage, contents or to navigation menu

sections menu

fine menu sezioni pagina

A possible fraudster posing as amazon on the loose

Hello folks,

Today, I got yet another call and email from someone claiming to be an account manager at Amazon. The phone number is a 204 telephone number That number iis: +1 204-515-6163 which belongs to Canada.

Here are the headers of the message I get.

Return-Path:
prvs=3706eb91e=znaahmed@amazon.com
Delivered-To:

Received: from cp1-daltx.nocwest.net
    by cp1-daltx.nocwest.net with LMTP
    id YHX3IyLMwWM/GAAAcL4iug
    (envelope-from
prvs=3706eb91e=znaahmed@amazon.com)

    for
jared@personal.jaredrimer.net
; Fri, 13 Jan 2023 16:24:50 -0500
Return-path:
prvs=3706eb91e=znaahmed@amazon.com
Envelope-to:

Delivery-date: Fri, 13 Jan 2023 16:24:50 -0500
Received: from smtp-fw-33001.amazon.com ([207.171.190.10]:21944)
    by cp1-daltx.nocwest.net with esmtps  (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    (Exim 4.96)
    (envelope-from
prvs=3706eb91e=znaahmed@amazon.com)

    id 1pGRXg-0001fp-1j
    for

;
    Fri, 13 Jan 2023 16:24:50 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
  d=amazon.com;
i=@amazon.com
; q=dns/txt; s=amazon201209;
  t=1673645089; x=1705181089;
  h=from:to:subject:date:message-id:mime-version;
  bh=1i0fnNhg8UFsIxYrYxKnZvkvXGSalzmivrtSmAol8CA=;
  b=ajG1BxJsdvYKlp0arQZbIrwRqBTDwJW2HR1jPA8axoqJKiZKrdbZxFe9
   SSf9i7fadCXpwFIyy6dKtYRVOHFzF7V7dnYM3k5tSdQAf6F+LkO7kteuz
   CbGPCs0nJUAzWKIDmAJhdgnF/Y/74czdwDca+RjvtKU1vljf1a6NY4zaq
   U=;
X-Amazon-filename: image001.png
X-IronPort-AV: E=Sophos;i=”5.97,214,1669075200″;
   d=”png’150?scan’150,208,217,150″;a=”255036661″
Received: from iad12-co-svc-p1-lb1-vlan3.amazon.com (HELO email-inbound-relay-iad-1d-m6i4x-b404fda3.us-east-1.amazon.com) ([10.43.8.6])
  by smtp-border-fw-33001.sea14.amazon.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 13 Jan 2023 21:24:02 +0000
Received: from EX13MTAUWB001.ant.amazon.com (iad12-ws-svc-p26-lb9-vlan3.iad.amazon.com [10.40.163.38])
    by email-inbound-relay-iad-1d-m6i4x-b404fda3.us-east-1.amazon.com (Postfix) with ESMTPS id F20FD83140
    for
jared@personal.jaredrimer.net
; Fri, 13 Jan 2023 21:24:01 +0000 (UTC)
Received: from EX19D001UWA004.ant.amazon.com (10.13.138.251) by
 EX13MTAUWB001.ant.amazon.com (10.43.161.207) with Microsoft SMTP Server (TLS)
 id 15.0.1497.45; Fri, 13 Jan 2023 21:24:01 +0000
Received: from EX19D001UWA004.ant.amazon.com (10.13.138.251) by
 EX19D001UWA004.ant.amazon.com (10.13.138.251) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA) id 15.2.1118.7;
 Fri, 13 Jan 2023 21:24:01 +0000
Received: from EX19D001UWA004.ant.amazon.com ([fe80::2a53:56d5:307c:7d5]) by
 EX19D001UWA004.ant.amazon.com ([fe80::2a53:56d5:307c:7d5%5]) with mapi id
 15.02.1118.020; Fri, 13 Jan 2023 21:24:01 +0000
From: “Nasser, Ahmed [C]”
znaahmed@amazon.com
To:

jared@personal.jaredrimer.net
Subject: Amazon Business
Thread-Topic: Amazon Business
Thread-Index: AdknlVrsCU59DjAszkO0V7StRi4lpA==
Date: Fri, 13 Jan 2023 21:24:01 +0000
Message-ID:
<>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.197.94.146]
Content-Type: multipart/related;
    boundary=”004_222324030813470790d1510920740662amazoncom“;
    type=”multipart/alternative”
MIME-Version: 1.0
Precedence: Bulk
X-Spam-Status: No, score=-9.6
X-Spam-Score: -95
X-Spam-Bar: ———
X-Ham-Report: Spam detection software, running on the system “cp1-daltx.nocwest.net”,
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 root\@localhost for details.
 Content preview:  Hello , My name is Ahmed , account manager from Amazon Business.
    I am contacting you today because you are currently using a Consumer account
    which only allows you to purchase at retail prices.
 Content analysis details:   (-9.6 points, 5.0 required)
  pts rule name              description
 —- ———————- ————————————————–
 -1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                             [score: 0.0000]
  0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was
                             blocked.  See

http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
                              for more information.
                             [URIs: amazon.fr]
 -0.0 SPF_PASS               SPF: sender matches SPF record
 -7.5 USER_IN_DEF_SPF_WL     From: address is in the default SPF
                             welcome-list
  0.0 HTML_MESSAGE           BODY: HTML included in message
  0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily
                             valid
 -0.1 DKIM_VALID_EF          Message has a valid DKIM or DK signature from
                             envelope-from domain
 -0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
 -0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from
                             author’s domain
 -0.0 DKIMWL_WL_HIGH         DKIMwl.org – High trust sender
X-Spam-Flag: NO

According to the Abuse IP database the IP 207.171.190.10
does belong to Amazon and is being used as an transit IP.

If you look at the DKIM section of the headers, it indicate that it is not signed.

  0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily
                             valid

While portions of the header indicate that it is valid, one portion shows amazon.fr, possibly another branch of amazon.

This gentleman is offering me Amazon Business. I get Email that greets me by name and talks about Amazon business, but i’ve not taken advantage of it because I don’t have an interest in it.

This email is a general greeting of Hello. He introduces himself and offers the service.

The HTML message for bullet points is spaced.

The link within the message at the end when using shft+f1 or context key, copy link shows a safe link that points to amazon.fr which again is a possible branch of amazon, yet there is something about the mail that is unsigned.

The final piece that I’m going to give you is the last line of the email. It says: znaahmed@amazonco

Now that, isn’t a valid email address! If you were a valid address, you’d put your address in correctly, now wouldn’t you?

Take a look at this, contact amazon and urge them to do something about this type of abuse. Don’t answer calls with this number. I did, was very courteous, yet I now get more phone calls. I believe this gentleman is not an Amazon employee and has taled on their network.

I’ve also sent this to Phishlabs for their review. I probably won’t get a response, but that is OK. I don’t need one. Let the comments begin.

Informazioni sull'articolo

A possible fraudster posing as amazon on the loose was released on January 13, 2023 at 4:00 pm by tech in security news and commentary.
Last modified: January 13, 2023.

Comments (2)

  1. Comment by tech date 14 January 2023 alle 13:55 (),

    Shaun,

    I will not engague with outside parties to deal with potential scammers. You are not aware that this is not the first time this person has contacted me. Amazon is aware of the situation and has documented information that I have given them. Things have been confirmed as of the call I made after posting this, and an investigation within the company will commense.

    Wile it is probably fun for people to have other people contact scammers, verification using tools verifies it was sent by Amazon servers. I’m sorry, but this comment, while it could be helpful for fun purposes, doesn’t solve the overall problem and will probably not help in this case.

    I can’t verify if the phone number is a valid phone number or a phone number used for outbound calls, but i have done verification of email which might not look good if the person is engaging in behavior Amazon condones if in fact they are an employee. I’m unclear if I am going to bring it up on TSB or not, but Amazon replied via twitter to lend assistance and provided me steps to get in touch with them via twitter.

    Companies are monitoring for their name and brand now. We must be caucious on how we proceed. I do like the idea of contacting folks, but I get so much spam at jaredrimer.net that seems clearly spam that there is no phone number or other method for those. But this, is a different case I’m afraid.

  2. Comment by crashmaster date 14 January 2023 alle 12:46 (),

    have you tried to forward this to ?

    The channel doesn’t get as much love as it once has and these guys aren’t the highest guys exactly but they have been in the business of taking em down or just playing round.
    From what they share, etc they appear to have a wide network of baters some that don’t broadcast but some new faces on the system.
    They have virtual machines, I think vpns and some network security at least they seem to be able to handle things.
    They even have a dedicated number for spammers to get them and will accept other things.
    I once had them let themselves right in and get the scammer to send a load of data for payment, etc.
    Obviously they have their limit and do have to access other databases but they do enjoy murdering scammers and well they are australian so my neighbours if not cussins at least.
    So yeah they exist.

Leave a comment

You must be logged in to post a comment.

go to sections menu

navigation menu

go to sections menu