phishing email URL breakdown
My mom got a phishing (or malware) email made to appear like it was sent from Amazon:
The rest of the email looks like a normal Amazon email (although I don't have a real one to compare against). There are several obvious indications that the email is fake: an empty subject line, a non-amazon sender email even though it is shown as name "prime@amazon.com", and it only including an email address, not a name, in the "To" section and greeting.
The link provided in the email for updating her payment information is what I find curious. It is in this format:
https://mobile.mail.yahoo.com/apps/affiliateRouter?brandUrl=https%3A%2F%2Fgoogleads.g.doubleclick.net%2Fpcs%2Fclick%3F
followed by a bunch of characters and some other parameters at the end.
I asked MS Copilot about the URL and it provided the following details.
Your Prime membership is renewing on Thu, June 26, 2025. However, we noticed that your default payment method for your membership is no longer valid.
To avoid losing your benefits, we'll try charging other active payment methods associated with your Amazon account. If we can't process the charge for your membership fee, your Prime benefits will be suspended.
Thank you,
Amazon Customer Service
The rest of the email looks like a normal Amazon email (although I don't have a real one to compare against). There are several obvious indications that the email is fake: an empty subject line, a non-amazon sender email even though it is shown as name "prime@amazon.com", and it only including an email address, not a name, in the "To" section and greeting.
The link provided in the email for updating her payment information is what I find curious. It is in this format:
https://mobile.mail.yahoo.com/apps/affiliateRouter?brandUrl=https%3A%2F%2Fgoogleads.g.doubleclick.net%2Fpcs%2Fclick%3F
followed by a bunch of characters and some other parameters at the end.
I asked MS Copilot about the URL and it provided the following details.
The base domain is mobile.mail.yahoo.com, which is a real Yahoo domain. But the key is in the query parameters — especially brandUrl and adurl.
The brandUrl parameter encodes a redirect to a Google Ads click tracker (googleads.g.doubleclick.net), which itself contains another redirect via adurl=... to a suspicious final destination: ....
This kind of multi-layered redirect is a classic phishing tactic. It uses trusted domains as intermediaries to:
Evade spam filters and security scanners.
Trick users into thinking the link is safe.
Obfuscate the final destination, which may host malware or a credential-harvesting page.
Everything after the ? is a query string made up of key=value pairs separated by &.
brandUrl: This is a URL-encoded link to a Google Ads click tracker (googleads.g.doubleclick.net). It contains its own nested parameters like xai, sai, sig, and adurl, which are used for ad tracking and redirection.
appName=YMailNorrin: Likely identifies the Yahoo Mail app variant or interface being used.
partner=1: Could indicate a specific affiliate or partner ID — possibly used for tracking referral traffic.
locale=1: Might refer to a language or region setting, though 1 is a bit ambiguous.
buckets=6oDiyy...: This is probably a session or experiment bucket ID — used for A/B testing or feature rollout tracking.
fbs_aeid=[gw_fbsaeid]: This is a Facebook Ads tracking parameter — possibly spoofed or copied to mimic legitimate ad traffic.
adurl (appears twice): This is the final redirect destination — in this case, a suspicious .pe domain. That’s the real payload of the phishing attempt.
This URL is a layered redirect trap:
Starts with a legit Yahoo domain.
Redirects through Google Ads infrastructure.
Ends at a potentially malicious .pe domain.
