Amazon Developer Invitation Used in TOAD Scam to Initiate Phone-Based Fraud

Legitimate Amazon Developer invitation emails are abused to trigger phone-based scams leading to credential theft and account takeover.
Attack Overview

Step 1: Legitimate Amazon Developer Program Invitation Sent to Target

  • Target receives an invitation email to join an Amazon Developer account generated through Amazon’s legitimate Developer Program workflow
  • Email originates from authentic Amazon infrastructure and includes legitimate AWS URLs
  • Message appears as a trusted developer account invitation and may include language referencing account charges or account access requests

Step 2: Email Encourages Phone-Based Engagement to Initiate Scam

  • Attack relies on Telephone-Oriented Attack Delivery (TOAD), shifting the malicious activity from email into a phone conversation
  • Targets are encouraged to contact attackers posing as Amazon representatives via phone
  • Phone interaction is used to build trust and move targets into follow-on social engineering activity

Step 3: Social Engineering Conducted Over Phone to Achieve Fraud Objectives

  • Attackers likely attempt refund fraud during phone engagement
  • Attackers may attempt to convince targets to install remote-access tools or disclose credentials and MFA details
  • Successful execution can lead to device compromise or account takeover

How Does This Attack Bypass Traditional Email Defenses?

  • Attack uses Telephone-Oriented Attack Delivery (TOAD), meaning the malicious activity occurs outside the email channel, preventing link scanning, attachment inspection, and sandboxing from detecting malicious payloads
  • Email is generated through Amazon’s legitimate Developer Program workflow and sent from trusted infrastructure using real AWS URLs
  • Email functions as a trusted, payload-less lure that does not contain traditional malware or phishing links

For these reasons, traditional security solutions, such as legacy secure email gateways (SEGs), would be less likely to flag this email as a threat.

How Did Abnormal Detect This Attack?

  • Behavioral AI identifies never-before-seen senders and unusual communication patterns inconsistent with expected recipient behavior
  • Detection of unusual email content and messaging patterns associated with financial or account-related urgency
  • Natural language processing recognizes social engineering indicators that deviate from legitimate developer program communication norms

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution can prevent this attack from reaching inboxes.
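The detection reasoning above (a sender the recipient has never seen, financial or account urgency language, and content that breaks the norms of a developer invitation) can be expressed as a simple content heuristic. The following is an added illustrative example, not Abnormal AI's detector and not code from the page: the indicator list, weights, threshold, and the two sample messages are all constructed assumptions, and the phone number and company name in the samples are placeholders.

```python
import re
from dataclasses import dataclass

# A loose North American phone-number pattern; the point is presence, not validation.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")

# Phrases that push the recipient off email and onto a phone call (TOAD lure).
CALLBACK_TERMS = ("call us", "call our", "contact our", "dial", "phone", "helpline", "support line")

# Financial / account-urgency language that a real developer invitation would not carry.
URGENCY_TERMS = ("charged", "charge of", "unauthorized", "refund", "suspend", "within 24 hours", "immediately")

# Wording typical of a genuine developer-program invitation (assumed for this example).
INVITATION_NORMS = ("invited you", "developer account", "accept the invitation")


@dataclass
class Verdict:
    score: int
    reasons: list


def score_toad_lure(subject: str, body: str, seen_before: bool) -> Verdict:
    """Score an email for TOAD indicators. Weights are illustrative assumptions."""
    text = f"{subject}\n{body}".lower()
    reasons, score = [], 0

    has_phone = PHONE_RE.search(body) is not None
    if has_phone:
        score += 3
        reasons.append("phone number embedded in a transactional invitation")

    if any(t in text for t in CALLBACK_TERMS):
        score += 2
        reasons.append("message asks the recipient to initiate a phone call")

    urgency_hits = [t for t in URGENCY_TERMS if t in text]
    if urgency_hits:
        score += 2
        reasons.append(f"financial/account urgency language: {urgency_hits}")

    if not seen_before:
        score += 1
        reasons.append("never-before-seen sender for this recipient")

    # The core signal: a legitimate invitation template carrying content that
    # invitations never contain (charges, refunds, a number to call).
    if any(n in text for n in INVITATION_NORMS) and (urgency_hits or has_phone):
        score += 2
        reasons.append("developer invitation template carrying content outside invitation norms")

    return Verdict(score, reasons)


def is_suspicious(verdict: Verdict, threshold: int = 5) -> bool:
    """Threshold is an assumption; tune against real traffic before use."""
    return verdict.score >= threshold


# Constructed sample messages (placeholders, not real emails).
SAMPLE_SUBJECT = "You have been invited to join an Amazon Developer account"

SAMPLE_LEGIT_BODY = (
    "Example Developer Co has invited you to join their Amazon Developer account.\n"
    "Accept the invitation using the link in this email.\n"
)

SAMPLE_ABUSED_BODY = (
    "Example Developer Co has invited you to join their Amazon Developer account.\n"
    "A charge of $499.00 for the Developer Services plan has been applied to your account.\n"
    "If you did not authorize this, call our billing line at +1 (555) 010-0199\n"
    "within 24 hours to request a refund.\n"
)


def analyze_samples() -> dict:
    """Run both constructed samples through the heuristic."""
    return {
        "legit": score_toad_lure(SAMPLE_SUBJECT, SAMPLE_LEGIT_BODY, seen_before=False),
        "abused": score_toad_lure(SAMPLE_SUBJECT, SAMPLE_ABUSED_BODY, seen_before=False),
    }


if __name__ == "__main__":
    for name, v in analyze_samples().items():
        print(f"{name}: score={v.score} suspicious={is_suspicious(v)}")
        for r in v.reasons:
            print("  -", r)
```

The legitimate invitation scores only on sender novelty, which on its own is not enough to flag; the abused variant accumulates the phone number, the callback request, the charge/refund wording, and the template mismatch, which together clear the threshold. A real deployment would combine such content signals with the sender-history and recipient-behavior baselines the page describes rather than relying on keyword lists alone.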

Please note the exact detection mechanism from Abnormal AI’s system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview

Attack Type: Credential Vishing

Vector: Text-based

Goal: Credential Theft

Theme: Fake Payment

Impersonated Party: Brand