A sophisticated phishing campaign targeting Amazon Prime users has emerged, leveraging counterfeit renewal notifications to harvest login credentials, payment details, and personal verification data. Discovered by the Cofense Phishing Defense Center (PDC) on February 18, 2025, the attack employs multi-stage deception tactics, including spoofed emails, fake security alerts, and fraudulent payment portals mimicking Amazon’s official interfaces.
Researchers at Cofense noted the campaign’s technical execution reveals advanced social engineering strategies. Threat actors abused Google Docs redirects and QR code-based payloads to slip past automated security filters. The attack begins with a spoofed email masquerading as an Amazon Prime renewal notice, warning recipients that their payment method is invalid and urging immediate action via an “Update Information” button. While the sender’s display name, “Prime Notification,” looks legitimate, the actual sending address belongs to an unrelated, little-known domain rather than an Amazon one, which is the first red flag.
Clicking the button redirects users to a fake Amazon security portal hosted on Google Docs, requesting account verification under the pretext of preventing unauthorized access. This intermediate page primes victims for credential theft by mimicking Amazon’s security prompts. Users are then directed to counterfeit login pages that capture usernames and passwords. Unlike generic phishing sites, this campaign employs dynamic HTML injection to replicate Amazon’s multi-factor authentication (MFA) interface, complete with CSS stylesheets and JavaScript validation scripts, so that the one-time code a victim types is captured along with the password.
After harvesting credentials, the attack escalates to broader data collection as victims are prompted to “confirm their identity” by submitting personal information such as their mother’s maiden name, date of birth, and phone number—details often used for account recovery. A subsequent page requests billing addresses, which can be used to reroute physical mail or support identity theft. The final stages capture full credit card details, including CVV codes, through counterfeit payment portals.
The campaign’s infrastructure relies on decentralized hosting, with phishing pages distributed across Google Docs, QR code generators, and compromised domains, complicating URL analysis for both users and automated scanners. Amazon has reiterated that its legitimate communications will never direct users to third-party platforms like Google Docs. Users are advised to manually navigate to Amazon’s official site to verify account status rather than following links in an email.
Organizations should deploy email security solutions capable of detecting display-name and domain spoofing and of inspecting embedded links for redirect chains. Enabling multi-factor authentication (MFA) remains important, with one caveat this campaign makes plain: because the fake login flow imitates Amazon’s MFA prompt to capture the one-time code, SMS or authenticator-app codes can be relayed by the attacker. Only phishing-resistant factors such as FIDO2/WebAuthn hardware keys or passkeys, which bind the credential to the legitimate origin, ensure that stolen credentials alone cannot compromise the account. This campaign highlights the persistent threat of phishing-as-a-service (PhaaS) platforms, which enable even low-skilled actors to deploy complex attacks. Continuous user education and proactive threat hunting are fundamental to addressing these ever-evolving tactics.
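The two checks recommended above, display-name spoofing and links that route through a third-party redirector, can be automated at the mail gateway or in a SOC triage script. The following is an added example written for this article, not Cofense’s or Amazon’s code; the sample message, the sender domain, the brand allowlist and the list of redirector hosts are all constructed for illustration.

```python
"""Triage a suspected phishing message for two indicators described above:
a brand name in the display name that does not match the sending domain, and
links that route through a third-party redirector such as Google Docs.

Added example. The message, allowlists and hostnames below are constructed.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Assumption: illustrative allowlist of domains allowed to use the brand's name.
BRAND_WORDS = {"amazon": ("amazon", "prime")}
BRAND_DOMAINS = {"amazon": {"amazon.com", "amazon.co.uk", "amazon.de"}}

# Hosts that legitimately bounce a visitor on to another URL (constructed list).
REDIRECTOR_HOSTS = {"docs.google.com", "drive.google.com", "www.google.com"}

# Constructed sample message; the sender domain is a placeholder.
RAW_MESSAGE = """\
From: "Prime Notification" <notify@prime-renew.example.net>
To: victim@example.org
Subject: Action required: your Prime payment method is invalid
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your payment method was declined. Update it to keep your membership.</p>
<a href="https://docs.google.com/document/d/abc123/edit">Update Information</a>
<a href="https://www.amazon.com/gp/help">Help</a>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def decode_redirect(href):
    """Return the target hidden behind a Google 'redirect notice' URL
    (https://www.google.com/url?q=<target>), or None if href is not one."""
    parts = urlparse(href)
    if parts.hostname == "www.google.com" and parts.path == "/url":
        target = parse_qs(parts.query).get("q")
        return target[0] if target else None
    return None


def sender_findings(msg):
    """Flag a brand name in the display name whose sender domain is off-brand."""
    findings = []
    for address in msg["From"].addresses:
        display = address.display_name.lower()
        domain = address.domain.lower()
        for brand, words in BRAND_WORDS.items():
            if any(w in display for w in words) and domain not in BRAND_DOMAINS[brand]:
                findings.append(
                    f"display name '{address.display_name}' claims {brand} "
                    f"but sender domain is {domain}")
    return findings


def link_findings(html):
    """Flag links that pass through a known redirector host."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = (urlparse(href).hostname or "").lower()
        if host in REDIRECTOR_HOSTS:
            target = decode_redirect(href)
            note = f" -> {target}" if target else ""
            findings.append(f"link '{text}' goes through redirector host {host}{note}")
    return findings


def triage(raw_message):
    """Parse a raw RFC 5322 message and return all findings as strings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    return sender_findings(msg) + link_findings(html)


if __name__ == "__main__":
    for finding in triage(RAW_MESSAGE):
        print("SUSPICIOUS:", finding)
```

Run against the constructed message, the script reports the display-name/domain mismatch and the Google Docs link, while the genuine amazon.com help link produces no finding. In production the allowlist would come from the organisation’s own vendor list and the redirector set from threat-intel feeds.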
Meanwhile, for the second time since the beginning of 2025, a large set of compromised login credentials extracted from infostealer logs has been added to the database powering HaveIBeenPwned (HIBP), the breach notification service. Troy Hunt, the creator of HIBP, announced that the latest update included 284 million unique email addresses and 244 million previously unseen passwords. This follows the addition of 71 million email addresses from stealer logs just the prior month.
With the explosion of infostealer infections throughout 2024, Hunt has started incorporating account credentials scraped from infostealer logs and shared on Telegram, a platform noted for how easily large volumes of data can be published anonymously. This latest dump, named ALIEN TXTBASE after the Telegram channel from which it was obtained, illustrates the scale of the threat posed by infostealers.
Infostealers have become a primary tool for attackers seeking a foothold in organizations. These malicious programs are distributed through phishing emails, social media, and malicious advertisements, among other channels, and a single infection typically yields every saved browser password and session cookie on the machine. Despite law enforcement efforts to disrupt these operations, the infostealer threat remains widespread and damaging.
Individual users who have signed up for notifications from HIBP will be alerted if their email addresses appear in the new data. All others are encouraged to check manually via the HIBP website and to sign up for future notifications. HIBP also offers APIs, including domain search, for organizations that want to monitor their users’ accounts for exposure.
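Besides the keyed account-monitoring APIs mentioned above, HIBP exposes the Pwned Passwords range API without a key, which is the natural way to act on the 244 million newly added passwords: check whether a password appears in the corpus without sending the password, or even its full hash, off the machine. The following is an added example written for this article, not HIBP’s own client code; the range response body is constructed, and the counts in it are made up.

```python
"""Check a password against HIBP's Pwned Passwords range API with k-anonymity.

Added example, not HIBP's code. Only the first five hex characters of the
SHA-1 hash are sent; the API returns every known suffix sharing that prefix
and the match is made locally. The network call is isolated in fetch_range()
so parsing and matching can be exercised offline against SAMPLE_RANGE_BODY.
"""
import hashlib
from urllib.request import Request, urlopen

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password):
    """Return (prefix, suffix): the first 5 and remaining 35 uppercase hex
    characters of the password's SHA-1 digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix):
    """Fetch the range response for a 5-character prefix (network call, not
    exercised offline). Add-Padding makes every response a similar size so a
    network observer cannot infer the prefix from the response length."""
    req = Request(RANGE_URL + prefix,
                  headers={"Add-Padding": "true",
                           "User-Agent": "pwned-passwords-range-example"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines into a dict. Padding entries carry a count
    of 0 and are dropped so they can never be mistaken for a real match."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def breach_count(password, body):
    """Number of times the password appears in the corpus according to the
    given range response (0 if absent)."""
    _, suffix = split_hash(password)
    return parse_range(body).get(suffix, 0)


def check_password(password):
    """Full online check: hash locally, fetch the range, match locally."""
    prefix, _ = split_hash(password)
    return breach_count(password, fetch_range(prefix))


# Constructed response for prefix 5BAA6 (the SHA-1 prefix of "password").
# The counts are invented and the middle line is a padding entry.
SAMPLE_RANGE_BODY = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456
0123456789ABCDEF0123456789ABCDEF012:0
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:7
"""

if __name__ == "__main__":
    n = breach_count("password", SAMPLE_RANGE_BODY)
    print(f"'password' seen {n} times in the constructed range response")
```

The same split-hash-and-match logic can be wired into a password-change handler so that a password present in the stealer-log corpus is rejected before it is set, which is the control that makes the HIBP additions actionable rather than merely informative.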
Preventive measures matter more than ever: organizations and individuals must stay alert to phishing attempts and treat security as a priority. Users should use strong, unique passwords for each account, be cautious with unsolicited emails, and verify the legitimacy of any communication that asks for personal information by contacting the service directly rather than through the message itself.
With compromised credentials accumulating through relentless phishing and infostealer campaigns, everyone needs to be aware and proactive about their online security to minimize the risks that stolen login information creates.