Seller-Performance Phishing Scam?

I received this email in my normal email account (not through Amazon messaging):

snipped.JPG623×743 89.2 KB

I am suspicious because they want me to respond to the message via standard email - upon which they will send me a LINK to"re-confirm" my account information. This could easily be a phishing email.

Sender: seller-performance@amazon.com <seller-performance@aws2-amazon.com>

Anyone else know if this is legitimate or not? I have had zero account problems in 7 years and I find it hard to believe Amazon has suddenly found an “issue” with it. Is aws2-amazon.com a real amazon domain or just made to look like one? A WHOIS search does not identify it’s owner.

My listings are fine, not suppressed.

Post the entire header if that is permissible by forum policy.

This is not a real Amazon domain. If it was, you would see Amazon as the domain owner when doing a WHOIS.

Return-Path: seller-performance@aws2-amazon.com
Delivered-To:xxx
Received: (qmail 26248 invoked by uid 507); 13 May 2019 21:50:55 -0000
Delivered-To: xxx
Received: (qmail 26222 invoked by uid 507); 13 May 2019 21:50:54 -0000
Received: from mail-ed1-f68.google.com (209.85.208.68)
by s460.sureserver.com with SMTP; 13 May 2019 21:50:54 -0000
Received: by mail-ed1-f68.google.com with SMTP id f37so19639441edb.13
for ; Mon, 13 May 2019 14:50:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=aws2-amazon-com.20150623.gappssmtp.com

definitely fishing scam

I agree. Also, the email header seems to identify the email as originating from a gmail account.

It’s a very good phishing attempt.

Spoofed email to a TLD (aws2-amazon) does not resolve to an Amazon redirect.

You can always take the TLD and paste it into a browser to see where it resolves.

The TLD in this case is the entire domain “aws2-amazon” which is false. If it was “aws2.amazon” with a “dot” preceding amazon, it might work but in this case there is no sub-domain “aws2” that is recognized by amazon DNS.

So yes, a phishing scam.

How did they even get your email in the first place?

Forward to: stop-spoofing@amazon.com
https://www.amazon.com/gp/help/customer/display.html?nodeId=201127830

Amazon does not REDACT FOR PRIVACY.

Updated Date: 2019-05-04 <<<<
Created Date: 2019-05-04 <<<<

ICANN WHOIS:

Screenshot_2019-05-14 ICANN WHOIS.png1735×3069 259 KB

Going around, came up yesterday.

Nice work guys showing the and reviewing details for those not so knowledgeable on these intrusions.

The wording in this message is terrible, made me cringe. Even for a not-native-English speaker like me it sounds scammy

It’s a better than average phishing email. The best proof is the fake email domain, as others have said, but it’s close enough to look valid at a glance. The first thing that popped out to me is the centered text, I doubt you will ever see that in any business communication.

I thought it sounded pretty good.

I agree – the dash gives it away.

I agree. The wording is very unprofessional!

SCAM!. I got one too.

All you need to do is look up the domain name on ICANN WHOIS, as shown in my post here, which clearly shows the domain was created and updated on May 4, 2019.

With the number of sellers reporting they’ve gotten this email, I’m more curious about how the spoofers are getting lists of sellers direct email addresses without working for Amazon. Oh, wait a minute…

That is a VERY good question.

Just confirm the information they need and you should be fine.