My next class:

Reports about large number of fake Amazon order confirmations

Published: 2010-03-03. Last Updated: 2010-03-03 17:28:42 UTC
by Johannes Ullrich (Version: 1)
13 comment(s)

A couple of readers wrote about a flood of fake Amazon.com order confirmations they are receiving. The e-mail claims to originate from Amazon.com, and attempts to trick the user into clicking on a link which will then lead to obfuscated JavaScript and malware.

This particular attack appears to be a new version of similar e-mails we have seen over the last week or so. The new version uses larger e-mail messages, which appear to be composed with Microsoft Word.

The text is still pretty concise. As a sample:

-----
Dear Customer,

Your order has been sucessfully confirmed. For your reference, here's a summary of your order:

You just confirmed order #2341-23483720-38123

Status: CONFIRMED

-----

At the end of the e-mail follows a link to a malware site, labeled "ORDER INFORMATION".

A number of different domains have been seen used so far.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: amazon malware
13 comment(s)
My next class:

Comments

I've been seeing these for about a week now.

Ron

Mar 3rd 2010
1 decade ago

Can anyone please provide information on sender or subject lines so that we can query our systems accordingly? Thanks in advance.

Analyst

Mar 3rd 2010
1 decade ago

Can anyone please provide information on sender or subject lines so that we can query our systems accordingly? Thanks in advance.

Analyst

Mar 3rd 2010
1 decade ago

Our system is mostly knocking these down by reputation, so we aren't getting the subject lines at all. Looking for mail "From" amazon.com but not from a source IP of Amazon's, the most common sender is "order-update@amazon.com", and the source IPs tend to be DSL or Comcast cable subscribers. We have been seeing theses since at least March 25.
A few with malware ZIP attachments have the subject "Shipping update for your Amazon.com order 254-71546325-658732".
A separate phishing run has the subject "Update your Amazon.com account information." and lots of Yahoo shortcut javascript junk in the message content.

Paul

Mar 3rd 2010
1 decade ago

We received several of these as well. The subject line for ours was "Amazon.com - Your Confirmation (7368-03699-1652726)" and it looked to come from order-update@amazon.com but when you replied, went to several different domains which varied by email.

Amy

Mar 3rd 2010
1 decade ago

From: order-update@amazon.com
Subject: Shipping update for your Amazon.com order 254-71546325-658732
Body: Shipping update for your Amazon.com order 254-78546325-658742
Please check the attachment and confirm your shipping details.

Attachment: Shipping documents.zip

Barracuda Spam Firewall detects this as Trojan.VB.8768
Others are being blocked by intent/reputation.

phishphreek

Mar 3rd 2010
1 decade ago

I am seeing a small number of the phishing spam that Paul reported earlier in the comments.

I am seeing zero of the spam which Johannes is describing, but perhaps that is because my MTA is very effective at keeping out zombies.

Andrew from Vancouver

Mar 3rd 2010
1 decade ago

We just saw a huge rash of these emails today. The source was generally internal due to a virus (fruspam). We were able to track down the sources of the infection by looking at the headers of the email.

Joshua from Utah

Mar 4th 2010
1 decade ago

I've only seen one of these messages. I have to agree with Andrew that its most likely a case of a better-configured MTA. http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt

joeblow

Mar 4th 2010
1 decade ago

We've seen a number of these since November of 09. For those interested here is the Threat Expert report from the analysis of "Shipping Documents.zip"

http://www.threatexpert.com/report.aspx?md5=bc1895e5a455fe39b2109dfc94fb9ab9

Lagato

Mar 4th 2010
1 decade ago

Login here to join the discussion.


Top of page
Diary Archives