RSA Exclusive: Try new products, meet our executive team, and see VIP guests you won't find anywhere else.

November 20, 2014

Black Friday Themed Amazon Voucher Scam

Xue Yang

The Websense®  ThreatSeeker® Intelligence Cloud has detected Amazon voucher scams using Black Friday Gift Card themes as a lure. We have observed a surge of over 20,000 spam emails with the subject of "Amazon Black Friday Gift Card #XXXXXXXXX" since Thursday 20th November (where "X" signifies the use of random digits in the email subject).

As Thanksgiving Day is just around the corner, the shopping season is also here, and it appears that cybercriminals are going to take full advantage of this chance to spread spam scams and increase their illegal revenues, utilizing well-known, and trusted, brands such as Amazon.

Executive Summary

  • When a user clicks on "Activate My Rewards", it will redirect them to a survey page which advertises a reward for filling out the survey.
  • Users are encouraged to submit their personal information.
  • The pages were designed to serve different language versions according to the victim's geographical location.

Websense customers are protected from this threat by ACE, our Advanced Classification Engine, at the following stages of the attack:

  • Stage 2 (Lure) - ACE has detection for the email lures & the URLs used in these lures.
  • Stage 3 (Redirect) - ACE has detection for the redirect pattern that occurs if a user visits one of these URLs, and for the survey scam pages themselves.

One email sample with this Amazon theme:

Amazon Scam

The links in this email campaign have a common pattern:


Chinese-based version:


US-based version:


After the victim completes the survey steps, it finally asks them to select a reward. However, you have to fill out personal information in order to do so. Obviously there is no free voucher at all, and the survey here blatantly engages in illegal methods to advertise and generate traffic to a web site that earns the cybercriminal money.


Thus, this is the true nature of the scam. The aim of the lure is to generate revenue as part of a Cost Per Action (CPA) lead scam. This a technique that we have been tracking for some time, as our previous blogs show.


CPA style scams that leverage the reputation of popular companies like Amazon and use topical themes to fool their victims remain common amongst cybercriminals, providing a quick and easy way for them to generate revenue. While these campaigns are usually not malicious by nature they pose a significant risk to users who may give out personal information, making them a more viable target for future attacks.

About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.