Since late March 2025, IBM Security has been closely monitoring a sophisticated spear phishing campaign that primarily targets residents of France. The attack is designed to steal Amazon and Amazon Prime credentials and is particularly insidious due to its use of leaked personal data, which enhances its credibility and increases the likelihood of successful compromise.
In October 2024, a significant data breach occurred affecting approximately 20 million French residents who are customers of a local ISP called Free. The leaked data, which included sensitive personal information (SPI), was sold on the dark web for around USD 175,000. Among the compromised data were the International Bank Account Number (IBAN) and Bank Identification Code (BIC) of 5 million victims. This dataset is now being exploited in a targeted spear phishing campaign.
The phishing emails inform recipients that their Amazon Prime subscription will automatically renew at a cost of 480 Euros per year. The emails contain personalized information such as the victim's IBAN, BIC, first name, last name and full address, making the message appear authentic.
The email includes a "cancel subscription" button, which links to a convincing replica of the Amazon Prime login page. When users enter their credentials in an attempt to cancel the subscription, their information is captured by the attackers. Some variations of the attack ask for the victims’ full credit card information, as shown below.
Our research indicates that there are currently (as of April 25, 2025) at least 17 active phishing campaigns linked to this incident, all hosted on the same backend server (same hosting IP, same behavior across 17 different instances) by the same threat actor. In the past month, over 160,000 victims (more than 32,000 of them from April 22nd through April 25th) have clicked on the malicious URL embedded in the phishing email. Almost all of the victims are located in France. Some of these campaigns are still active at the time of writing.
There appear to be other victims around the world; however, these are likely account holders of the French ISP “Free” who live outside France or are on holiday. It is worth mentioning that to open an account with that ISP, you need to provide a French mailing address.
It is interesting to analyze the evolution of the attack over time. At the end of March and early April, the phishing campaigns were already very effective, drawing hundreds or even thousands of victims per hour to malicious sites. However, visits to these phishing sites were still sporadic, with large gaps in activity between campaigns. As April 8th approached, we began to observe constant traffic to the phishing sites.
Fast forward to the end of April, and we began seeing a move to constant hourly traffic. Between April 22 and April 24 the traffic is so predictable that the difference between night and day can be seen, with spikes in the morning and low traffic at night.
Recognize the signs of manipulation (urgency and unrealistic financial demands) before deciding to click on a link you receive, even if your data is contained in the message. If you clicked on the link that is part of this campaign, immediately reset your Amazon credentials and monitor the activity on the credit card that is registered in your Amazon account.
Use multi-factor authentication (MFA) as often as you possibly can, and use a password manager to generate unique and strong credentials for each account you have. The password manager will also help against phishing: it will not automatically fill in your credentials on a phishing site. Learn to recognize that as a red flag.
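The signs described above (a branded renewal demand, the recipient's own banking data in the message body, and a link that does not lead to Amazon) can also be checked automatically when triaging reported mail. The following sketch is an added example, not code from the original article or from IBM; the domain allow-list, the 100-euro threshold and the sample message are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumption: domains treated as genuine Amazon; extend for your own users.
AMAZON_DOMAINS = ("amazon.fr", "amazon.com")
HIGH_AMOUNT_EUR = 100  # assumption: renewal demands above this are suspicious

IBAN_RE = re.compile(r"\bFR\d{2}(?: ?[0-9A-Z]{4}){5} ?[0-9A-Z]{3}\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
LURE_RE = re.compile(r"amazon\s+prime", re.I)
AMOUNT_RE = re.compile(r"(\d{2,4})(?:[.,]\d{2})?\s*(?:€|euros?|EUR)", re.I)

def iban_is_valid(iban):
    """ISO 13616 mod-97 check; a passing IBAN is real account data, not filler."""
    s = iban.replace(" ", "").upper()
    digits = "".join(str(int(c, 36)) for c in s[4:] + s[:4])
    return int(digits) % 97 == 1

def is_amazon_host(host):
    """Match on the domain suffix, so amazon.fr.evil.example does not pass."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in AMAZON_DOMAINS)

def triage(body):
    """Return the lure signals found in a plain-text mail body."""
    hosts = {urlparse(u).hostname for u in URL_RE.findall(body)}
    off_brand = sorted(h for h in hosts if h and not is_amazon_host(h))
    signals = {
        "brand_lure": bool(LURE_RE.search(body)),
        "valid_iban": any(iban_is_valid(m) for m in IBAN_RE.findall(body)),
        "high_amount": any(int(a) >= HIGH_AMOUNT_EUR for a in AMOUNT_RE.findall(body)),
        "off_brand_links": off_brand,
    }
    signals["quarantine"] = bool(signals["brand_lure"] and off_brand and
                                 (signals["valid_iban"] or signals["high_amount"]))
    return signals

# Constructed sample (published example IBAN, reserved .example domain).
SAMPLE_LURE = """Bonjour Jean Dupont,
Votre abonnement Amazon Prime sera renouvelé pour 480 euros par an.
IBAN : FR76 3000 6000 0112 3456 7890 189
Annuler : https://amazon.fr.annulation-prime.example/login
"""

if __name__ == "__main__":
    print(triage(SAMPLE_LURE))
```

A checksum-valid IBAN in an unsolicited message is the signal specific to this campaign: it indicates the sender holds real account data, which generic brand-impersonation filters do not look for.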
This spear phishing campaign illustrates a dangerous evolution in cyber crime, leveraging leaked personal data to increase the efficacy of social engineering tactics. As the digital landscape continues to evolve, it’s crucial for both organizations and individuals to stay vigilant and adapt their security measures accordingly.
We trust this article raises awareness of the effectiveness of spear phishing and how leaked data can be used to craft effective personalized messages in bulk.
IBM Security remains committed to tracking and analyzing emerging threats like this one to provide timely, actionable intelligence to help protect against cyber threats. Stay safe online.