
Reports about large number of fake Amazon order confirmations (SANS ISC InfoSec Forums)


A couple of readers wrote about a flood of fake Amazon.com order confirmations they are receiving. The e-mail claims to originate from Amazon.com, and attempts to trick the user into clicking on a link which will then lead to obfuscated JavaScript and malware.

This particular attack appears to be a new version of similar e-mails we have seen over the last week or so. The new version uses larger e-mail messages, which appear to be composed with Microsoft Word.

The text is still pretty concise. As a sample:

-----
Dear Customer,

Your order has been sucessfully confirmed. For your reference, here's a summary of your order:

You just confirmed order #2341-23483720-38123

Status: CONFIRMED

-----

At the end of the e-mail follows a link to a malware site, labeled "ORDER INFORMATION".

A number of different domains have been seen used so far.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
I've been seeing these for about a week now.
Ron

Can anyone please provide information on sender or subject lines so that we can query our systems accordingly? Thanks in advance.
Anonymous
Our system is mostly knocking these down by reputation, so we aren't getting the subject lines at all. Looking for mail "From" amazon.com but not from a source IP of Amazon's, the most common sender is "order-update@amazon.com", and the source IPs tend to be DSL or Comcast cable subscribers. We have been seeing these since at least March 25.
A few with malware ZIP attachments have the subject "Shipping update for your Amazon.com order 254-71546325-658732".
A separate phishing run has the subject "Update your Amazon.com account information." and lots of Yahoo shortcut JavaScript junk in the message content.
Paul

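The heuristic Paul describes above (a From address at amazon.com that was handed to your boundary MTA by a host outside the sender's networks), combined with the lure subjects and ZIP attachment reported in this thread, is easy to turn into a mail-filter check. The following is an added example written for this page, not code from SANS ISC or from any commenter. The two messages, the trusted network list and the boundary MTA name (mx.example.net) are constructed for illustration; the allow-list deliberately uses a documentation prefix and is not Amazon's address space, so in practice you would populate it from the sender's published SPF record or your own reputation feed.

```python
"""Flag mail that claims an amazon.com sender but was delivered from a host
outside an allow-listed sender network, or that carries the lure subjects and
ZIP attachment reported in this thread. Added example; all inputs are constructed."""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed placeholder (TEST-NET-3). NOT Amazon's address space: replace with
# the sender's SPF-published networks or your own reputation data.
TRUSTED_SENDER_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Hostname of our own boundary MTA (assumed); only the Received header it wrote
# can be trusted, since a sender can forge any Received lines below its own hop.
OUR_MX = "mx.example.net"

# Subject patterns taken from the reports in this thread.
LURE_SUBJECTS = [
    re.compile(r"^Shipping update for your Amazon\.com order \d{3}-\d+-\d+$"),
    re.compile(r"^Amazon\.com - Your Confirmation \(\d{4}-\d{5}-\d{7}\)$"),
    re.compile(r"^Update your Amazon\.com account information\.$"),
]

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def originating_ip(msg):
    """Return the IP of the host that handed the message to OUR_MX, taken from
    the Received header our own MTA added, or None if no such header exists."""
    for hdr in msg.get_all("Received") or []:
        if f"by {OUR_MX}" in hdr:
            m = BRACKETED_IP.search(hdr)
            if m:
                return ipaddress.ip_address(m.group(1))
    return None


def classify(raw):
    """Return a list of human-readable reasons the message looks like this lure;
    an empty list means none of the indicators fired."""
    msg = message_from_string(raw)
    reasons = []

    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if domain == "amazon.com" or domain.endswith(".amazon.com"):
        ip = originating_ip(msg)
        if ip is None or not any(ip in net for net in TRUSTED_SENDER_NETS):
            reasons.append(f"claims {domain} but delivered from {ip}")

    subject = msg.get("Subject", "")
    if any(p.match(subject) for p in LURE_SUBJECTS):
        reasons.append("subject matches reported lure")

    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(".zip"):
            reasons.append(f"zip attachment {name}")
    return reasons


def is_suspicious(raw):
    return bool(classify(raw))


# Constructed sample: the lure as reported in the thread, delivered from a
# TEST-NET-2 address standing in for a subscriber line.
PHISH = """Received: from dsl-pool.example.invalid (dsl-pool.example.invalid [198.51.100.77])
    by mx.example.net (Postfix) with ESMTP id ABC123
    for <victim@example.net>; Thu, 1 Apr 2010 10:00:00 +0000
From: order-update@amazon.com
To: victim@example.net
Subject: Shipping update for your Amazon.com order 254-71546325-658732
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please check the attachment and confirm your shipping details.
--b1
Content-Type: application/zip; name="Shipping documents.zip"
Content-Disposition: attachment; filename="Shipping documents.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

# Constructed sample: same claimed domain, but handed over by a trusted network.
LEGIT = """Received: from mail.sender.invalid (mail.sender.invalid [203.0.113.10])
    by mx.example.net (Postfix) with ESMTP id DEF456
    for <victim@example.net>; Thu, 1 Apr 2010 11:00:00 +0000
From: ship-confirm@amazon.com
To: victim@example.net
Subject: Your Amazon.com order has shipped
Content-Type: text/plain

Thanks for your order.
"""

if __name__ == "__main__":
    for label, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(label, classify(raw))
```

The check is deliberately keyed on the Received header written by your own MTA: that is the only hop whose source IP the sender cannot forge, which is why a simple "last Received header" parse would be the wrong design here. The subject and attachment indicators are secondary; on their own they will age out as the campaign changes, whereas the sender-domain versus delivering-network mismatch is the durable signal.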
We received several of these as well. The subject line for ours was "Amazon.com - Your Confirmation (7368-03699-1652726)" and it looked to come from order-update@amazon.com but when you replied, went to several different domains which varied by email.
Paul
From: order-update@amazon.com
Subject: Shipping update for your Amazon.com order 254-71546325-658732
Body: Shipping update for your Amazon.com order 254-78546325-658742
Please check the attachment and confirm your shipping details.

Attachment: Shipping documents.zip

Barracuda Spam Firewall detects this as Trojan.VB.8768
Others are being blocked by intent/reputation.
Paul
I am seeing a small number of the phishing spam that Paul reported earlier in the comments.

I am seeing zero of the spam which Johannes is describing, but perhaps that is because my MTA is very effective at keeping out zombies.
Andrew

We just saw a huge rash of these emails today. The source was generally internal due to a virus (fruspam). We were able to track down the sources of the infection by looking at the headers of the email.
Andrew
I've only seen one of these messages. I have to agree with Andrew that it's most likely a case of a better-configured MTA. http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt
Anonymous
We've seen a number of these since November of 09. For those interested here is the Threat Expert report from the analysis of "Shipping Documents.zip"

http://www.threatexpert.com/report.aspx?md5=bc1895e5a455fe39b2109dfc94fb9ab9
Anonymous
Paul, Andrew: Do share!

We've seen waves of this recently from Amazon, also Hardware.com. Thousands of attempts, hundreds of successful deliveries, and a few clickers. The delivering hosts look to be a botnet as many of the injects are from private subscriber lines from around the world.
Drew

I've been getting dozens of these "Amazon" mails a day on one address since before Christmas. Most of them are now being classed as junk by the site's filters.
Drew
Been receiving storms of this crud in my spam folder for about two weeks, often two or three a day. Reported them as phishing in Hotmail but they keep coming unabated. Any way to make it quit?
Anonymous
