"Amazon: We've Received Your Request" Phishing Email Analysis

posted on March 12, 2023, 5:51 a.m.

Got this email on Tuesday. The usual grammar mistakes and fake email addresses:



This is the IP of the sending address found in the email headers:



Here is the redirect chain when you click the malicious link in the email. It uses the bit ly shortener first:



Here I am routing my HTTP request through Privoxy and Tor, and you can see the bit ly shortener in action directing me to href[.]li and further to ddsl[.]me.



On the second site it instantly redirects you to the third site:



The third site is the same and directs you to the final landing page at a spoof of Amazon AWS: manage[.]en-us-appusr[.]asupendo[.]com. You can see that there is a login form:



How the page looks:



A typical phishing attempt for your Amazon credentials.
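The redirect chain traced above can be rebuilt offline from saved response headers. This is an added example, not code from the original post: it parses a defanged, header-only capture and lists each host in visiting order. The capture is constructed; only the hostnames come from the post, while the paths, status codes and the relative redirect are assumptions.

```python
import re
from urllib.parse import urljoin, urlsplit

# Constructed sample, stored defanged: response headers as an analyst would save them.
# Hostnames are the ones named in the post; paths and status codes are placeholders.
START = "hxxps://bit[.]ly/EXAMPLE"
CAPTURE = """\
HTTP/1.1 301 Moved Permanently
Location: hxxps://href[.]li/?hxxps://ddsl[.]me/EXAMPLE

HTTP/1.1 302 Found
Location: hxxps://ddsl[.]me/EXAMPLE

HTTP/1.1 302 Found
location: /EXAMPLE-2

HTTP/1.1 302 Found
Location: hxxps://manage[.]en-us-appusr[.]asupendo[.]com/EXAMPLE

HTTP/1.1 200 OK
Content-Type: text/html
"""

def refang(s):
    return s.replace("hxxp", "http").replace("[.]", ".")

def defang(s):
    return s.replace("http", "hxxp").replace(".", "[.]")

def redirect_chain(start_url, capture):
    """Return every URL visited, resolving each Location against the current hop."""
    chain = [refang(start_url)]
    # One header block per response, separated by a blank line.
    for block in re.split(r"\r?\n\r?\n", capture.strip()):
        lines = block.splitlines()
        status = re.match(r"HTTP/\S+\s+(\d{3})", lines[0])
        headers = {k.strip().lower(): v.strip()
                   for k, _, v in (l.partition(":") for l in lines[1:])}
        if status and status.group(1).startswith("3") and "location" in headers:
            # urljoin handles relative Location values such as "/EXAMPLE-2".
            chain.append(urljoin(chain[-1], refang(headers["location"])))
    return chain

def host_hops(chain):
    """Collapse the chain to distinct hostnames in visiting order, defanged."""
    hosts = []
    for url in chain:
        host = defang(urlsplit(url).hostname)
        if not hosts or hosts[-1] != host:
            hosts.append(host)
    return hosts
```

Calling `host_hops(redirect_chain(START, CAPTURE))` gives the defanged host sequence, ready to paste into a report or blocklist request.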