Is it possible that InBox Actions are being used to phish Amazon customers?


I've just encountered some weird behavior in Gmail that looks like some new kind of phishing attack. I got a couple of shipment confirmations from Amazon today and there are these "Track Package" buttons (I also see "View Order" buttons on order confirmations), but when I click on them the page that gets opened is clearly not the correct shipper's web site.

[Screenshot: inbox showing the buttons next to the subjects]

Which looks fine, but clicking on those buttons leads to bad pages. For example, one of them goes to http://websro.correios.com.br. On the other it goes to USPS.com while the actual shipper (and the correct link in the email body) goes to UPS.com.

I've looked at the source of the email and it all looks fine. There are no SCRIPT tags of any kind and no bogus links anywhere in the text (by which I also mean the HTML). The problem appears the same in Safari (6.1.1) and Chrome (31.0.1650.63). It looks normal in Mail (both Mountain Lion and iOS 5).

I couldn't figure out how such a button could get there, and then I found this feature for adding "registered" script actions to Gmail, which is the only thing I can imagine would affect both Safari and Chrome.


1 answer

Answer by Claudio Cherubino

When an order confirmation or parcel delivery email doesn't contain the necessary microdata to trigger the action, Gmail can still try to automatically extract the same information and show the button to the user as if the microdata were present.

Clearly this approach is less accurate than the one that relies on microdata, and it seems that in your case something went wrong with the automatic parsing.

No need to be worried about phishing though, as actions only show up for registered senders.
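To make the answer concrete, here is the markup it refers to together with a recipient-side check, as an added example that is not part of the original question or answer. The markup form assumed is schema.org ParcelDelivery microdata (the type the "Track Package" action is built on), embedded in the email HTML with no script tags; the two sample emails, the CARRIER_DOMAINS table and the function names are constructed for this example. The code extracts the carrier the markup claims and the trackingUrl the button would open, and flags a delivery whose link is not HTTPS or does not sit on that carrier's domain. An email with no markup yields no ParcelDelivery item at all, which is the situation where the answer says Gmail falls back to guessing from the body text.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

SCHEMA = "http://schema.org/"
VOID_TAGS = {"meta", "link", "img", "br", "input", "area"}

# Assumed allow-list (constructed for this example): hosts a tracking link
# for each carrier is expected to point at.
CARRIER_DOMAINS = {"UPS": {"ups.com"}, "USPS": {"usps.com"}, "FedEx": {"fedex.com"}}


class MicrodataParser(HTMLParser):
    """Minimal itemscope/itemprop extractor. After feed(), self.items holds
    the top-level items as dicts of itemprop -> value; nested items nest."""

    def __init__(self):
        super().__init__()
        self.items = []
        self._stack = []  # one frame per open non-void element

    def _enclosing_item(self):
        for frame in reversed(self._stack):
            if frame["item"] is not None:
                return frame["item"]
        return None

    @staticmethod
    def _immediate_value(tag, attrs):
        # Elements whose property value is an attribute rather than text.
        if tag == "meta":
            return attrs.get("content")
        if tag in ("a", "link", "area"):
            return attrs.get("href")
        return None

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        prop, owner, item, pending = attrs.get("itemprop"), self._enclosing_item(), None, None
        if "itemscope" in attrs:
            item = {"@type": attrs.get("itemtype", "")}
            if prop and owner is not None:
                owner[prop] = item          # nested item, e.g. the carrier
            else:
                self.items.append(item)     # top-level item
        elif prop and owner is not None:
            value = self._immediate_value(tag, attrs)
            if value is not None:
                owner[prop] = value
            else:
                pending = prop              # value is the element's text content
        if tag not in VOID_TAGS:
            self._stack.append({"tag": tag, "item": item, "owner": owner,
                                "prop": pending, "text": []})

    def handle_data(self, data):
        for frame in self._stack:
            if frame["prop"] is not None:
                frame["text"].append(data)

    def handle_endtag(self, tag):
        while self._stack:
            frame = self._stack.pop()
            if frame["prop"] is not None and frame["owner"] is not None:
                frame["owner"][frame["prop"]] = "".join(frame["text"]).strip()
            if frame["tag"] == tag:
                break


def host_belongs_to(url, domains):
    """True if the URL's host is one of the domains or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def audit_parcel_actions(email_html):
    """One record per ParcelDelivery item: claimed carrier, the URL the
    action button would open, and whether the two are consistent."""
    parser = MicrodataParser()
    parser.feed(email_html)
    parser.close()
    findings = []
    for item in parser.items:
        if item.get("@type") != SCHEMA + "ParcelDelivery":
            continue
        carrier = item.get("carrier")
        name = carrier.get("name") if isinstance(carrier, dict) else carrier
        url = item.get("trackingUrl")
        consistent = (url is not None and urlparse(url).scheme == "https"
                      and host_belongs_to(url, CARRIER_DOMAINS.get(name, set())))
        findings.append({"carrier": name, "trackingUrl": url, "consistent": consistent})
    return findings


# Constructed sample: markup and link agree (carrier UPS, link on ups.com).
GOOD_EMAIL = """<html><body>
<div itemscope itemtype="http://schema.org/ParcelDelivery">
  <div itemprop="carrier" itemscope itemtype="http://schema.org/Organization">
    <meta itemprop="name" content="UPS"></div>
  <meta itemprop="trackingNumber" content="1Z999AA10123456784">
  <link itemprop="trackingUrl" href="https://www.ups.com/track?tracknum=1Z999AA10123456784">
</div><p>Your package has shipped.</p></body></html>"""

# Constructed sample: markup claims UPS but the action link points elsewhere,
# the kind of mismatch described in the question.
BAD_EMAIL = """<html><body>
<div itemscope itemtype="http://schema.org/ParcelDelivery">
  <span itemprop="carrier" itemscope itemtype="http://schema.org/Organization">
    <span itemprop="name">UPS</span></span>
  <a itemprop="trackingUrl" href="http://tools.usps.com/go/TrackConfirmAction">Track package</a>
</div></body></html>"""

# Constructed sample: no markup, so nothing here can trigger an action.
PLAIN_EMAIL = "<html><body><p>Shipped via UPS, tracking 1Z999AA10123456784.</p></body></html>"

if __name__ == "__main__":
    for label, body in (("good", GOOD_EMAIL), ("bad", BAD_EMAIL), ("plain", PLAIN_EMAIL)):
        print(label, audit_parcel_actions(body))
```

The parser deliberately stays close to the microdata rules that matter here (itemscope opens an item, itemprop names a property, meta/link/a carry their value in an attribute, anything else in its text), so it can be pointed at a raw message body pulled from an IMAP fetch. The domain check compares the registrable host against an allow-list rather than looking for the carrier's name anywhere in the URL, which is exactly the distinction a lookalike host would exploit.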