Man-in-the-middle phishing scheme targets Amazon.com

Amazon.com is the latest target of a new wave of phishing schemes known as man-in-the-middle attacks. Washington Post reporter Brian Krebs reported today on his Security Fix blog that hackers have created a bogus site meant to dupe users of the popular online retailer into giving up their login information.

Volunteer-based security and privacy website Castlecops.com alerted Krebs about the attack, which begins with an email message asking users to update their account credentials because Amazon.com has detected unauthorized activity.

Unsuspecting email recipients who follow the link are brought to a bogus login page that resembles the real thing but relays communications between the user's PC and the legitimate Amazon site. The attacks - a similar one hit Citibank this summer - are particularly dangerous because neither party knows they are happening, experts said.

The trick is further legitimized when users enter the wrong login information. They are shown the usual page that appears when incorrect usernames and passwords are entered on the real Amazon site.

