Source: buchodi.com

Phishing's New Growth Team: Meta Ads and Lovable

A phishing campaign impersonating Amazon uses AI-generated landing pages built with Lovable and paid Meta ads to steal credentials. The operation employs Meta Pixels to feed fake conversion signals to Facebook's ad algorithm, targeting victims via an adversary-in-the-middle kit that bypasses SMS and authenticator codes but not passkeys.

Published Jun 24, 2026

A phishing operation impersonating Amazon is being run like a growth-marketing campaign. The lure is an AI-generated landing page. The traffic is bought from Facebook. And the funnel is wired with Meta Pixels that feed Facebook's own algorithm a signal to go find more victims. It is credential theft with a conversion funnel bolted on.

The landing page sits on tktc1.amfreeapplicationcenter.help and was built with Lovable, the AI "vibe-coding" site generator. The operator never scrubbed it. A leftover lovable.app preview asset still sits in the source. The page itself is pure conversion optimization. It leads with "AMAZON HAS HIDDEN REFUND & DISCOUNT POLICIES" and manufactured urgency ("Check now before it expires"). It lists refund tiers: a $500 order gets $100 back, a $1,200 order gets $260, tagged "MOST COMMON." It runs a scrolling wall of five-star testimonials with names, cities, and dollar amounts (Lisa B., Seattle, $471 refunded). It stamps itself "Officially Authorized by Amazon" and lines the footer with SSL Encrypted, Privacy Protected, and Refund Guarantee badges. Every element is a standard growth-marketing trick aimed at one conversion: a tap on "Check My Eligibility."

That traffic is bought. Victims arrive from a paid Facebook ad, opened inside the Facebook in-app browser, and the landing page carries twelve Meta Pixels. When the victim taps through, the page fires an AddToCart conversion to all twelve before redirecting. This is the growth team's sharpest move. AddToCart is a standard optimization signal, and Meta's delivery algorithm uses it to find more people likely to take that action. By reporting a fake conversion on every click, the operator turns Facebook's ad engine into a victim-targeting system, paying by the click to reach people who behave like marks.

The redirect lands on amzaonac.eu.cc, a typosquat of "amazon," serving a pixel-perfect clone of Amazon's sign-in. It is an adversary-in-the-middle kit, a Vue app behind Cloudflare. Before rendering it calls /api/precheck and /api/ja3/echo to fingerprint the visitor's device and TLS stack, plus /api/blacklist/check to screen out scanners. Anything that isn't a U.S. iPhone arriving from the ad gets nothing. The kit then runs a server-driven sign-in over a WebSocket, walking the visitor through email, password, and a one-time code and relaying each to the operator's backend, which replays them against Amazon's real login in real time. Email one-time codes are no obstacle. The kit requests the code, the visitor enters it, and the relay passes it straight through.

The whole funnel is built to be seen only by its targets. The landing page sets noarchive and blocks search, SEO, and AI crawlers by name: GPTBot, CCBot, Bytespider, ClaudeBot. A scanner from a data center gets a decoy or a block. As of this writing both the lure and the kit are still live and serving on mobile, even after Google Safe Browsing flagged the lure in Chrome.

It also gets past the defense most users think protects them. A relay forwards whatever the victim types, so a one-time code is relayable whether it arrives by SMS, by email, or from an authenticator app. All three are secrets the user reads and retypes, with the attacker standing in the middle to catch them. The one credential that breaks the relay is the one the user cannot retype. A passkey or hardware security key signs a challenge bound to the real amazon.com, will not even offer itself on the phishing origin, and hands the relay nothing it can forward. Everything short of that, this campaign gets through.
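The relying-party half of that origin binding, as an added example that is not from the original article: the checks a server makes on a WebAuthn assertion, next to a one-time-code check that has no origin input at all. The origin https://www.amazon.com, the RP ID amazon.com, the helper names and all sample values are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Assumed values for illustration; the real site's origin and RP ID may differ.
EXPECTED_ORIGIN = "https://www.amazon.com"
RP_ID = "amazon.com"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def otp_matches(submitted: str, expected: str) -> bool:
    # Nothing here records where the code was typed, so a relayed code passes.
    return hmac.compare_digest(submitted.encode(), expected.encode())

def check_assertion_binding(client_data_json, auth_data, challenge,
                            origin=EXPECTED_ORIGIN, rp_id=RP_ID):
    """Return the names of failed binding checks (empty list means pass).
    Signature verification over auth_data || SHA-256(client_data_json) is a
    separate step, not shown; it is what stops a relay editing these fields."""
    failures = []
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        failures.append("type")
    if cd.get("challenge") != b64url(challenge):
        failures.append("challenge")
    if cd.get("origin") != origin:  # written by the browser, not the page
        failures.append("origin")
    if len(auth_data) < 37 or auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        failures.append("rpIdHash")
    elif not auth_data[32] & 0x01:  # flags byte, bit 0 = user present
        failures.append("userPresent")
    return failures

def make_sample(origin, rp_id, challenge):
    """Constructed clientDataJSON and authenticatorData as a browser on
    `origin` would build them (flags = user present, signCount = 1)."""
    cd = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                     "origin": origin}).encode()
    ad = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
    return cd, ad
```

In practice the authenticator holds no credential scoped to the phishing host, so no assertion is produced there at all; the server-side checks are the second layer behind that.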

Indicators

  • Lure: tktc1.amfreeapplicationcenter.help (Lovable-built; Safe-Browsing-flagged, still live)
  • Kit: amzaonac.eu.cc ("amazon" typosquat). Endpoints: /api/precheck, /api/ja3/echo, /api/blacklist/check, /api/session/ws
  • Distribution: Meta paid ads; 12 Meta Pixel IDs firing AddToCart on click
  • Crawler block: noindex/noarchive naming GPTBot, CCBot, Bytespider, anthropic-ai, ClaudeBot
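A hunting sketch for the kit's pre-render endpoint set, added here as an example and not taken from the original article: it flags any client and host pair that requests several of the listed paths in a short window, so it keys on the endpoint pattern and not on the domain. The log format, the thresholds and every sample line other than the listed host and paths are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Endpoint paths taken from the indicator list above.
KIT_PATHS = {"/api/precheck", "/api/ja3/echo", "/api/blacklist/check", "/api/session/ws"}

# Constructed proxy log lines (assumed format): ISO time, client, host, URL path
SAMPLE_LOG = """\
2026-06-24T10:00:01 10.0.0.5 amzaonac.eu.cc /api/precheck
2026-06-24T10:00:01 10.0.0.5 amzaonac.eu.cc /api/ja3/echo
2026-06-24T10:00:02 10.0.0.5 amzaonac.eu.cc /api/blacklist/check
2026-06-24T10:00:03 10.0.0.5 amzaonac.eu.cc /api/session/ws
2026-06-24T10:05:00 10.0.0.9 shop.example /api/precheck
2026-06-24T10:05:01 10.0.0.9 shop.example /cart
2026-06-24T11:00:00 10.0.0.7 kit.example /api/precheck?x=1
2026-06-24T11:30:00 10.0.0.7 kit.example /api/ja3/echo
"""

def find_kit_sessions(log_text, min_paths=3, window=timedelta(seconds=30)):
    """Return sorted (client, host) pairs that requested at least `min_paths`
    distinct kit endpoints on one host within `window`."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, client, host, url = parts
        path = url.split("?", 1)[0]  # ignore any query string
        if path in KIT_PATHS:
            hits[(client, host.lower())].append((datetime.fromisoformat(ts), path))
    flagged = []
    for key, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # distinct kit paths seen within the window opened by this event
            seen = {p for t, p in events[i:] if t - start <= window}
            if len(seen) >= min_paths:
                flagged.append(key)
                break
    return sorted(flagged)
```

A single hit on a common path such as /api/precheck is not flagged; the combination inside the window is what carries the signal.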
