A couple of readers wrote about a flood of fake Amazon.com order confirmations they are receiving. The e-mail claims to originate from Amazon.com, and attempts to trick the user into clicking on a link which will then lead to obfuscated JavaScript and malware.

This particular attack appears to be a new version of similar e-mails we have seen over the last week or so. The new version uses larger e-mail messages, which appear to be composed with Microsoft Word. The text is still pretty concise. As a sample:

-----
Dear Customer,
Your order has been sucessfully confirmed. For your reference, here's a summary of your order:
You just confirmed order #2341-23483720-38123
Status: CONFIRMED
-----

At the end of the e-mail follows a link to a malware site, labeled "ORDER INFORMATION". A number of different domains have been seen used so far.
Johannes 4067 Posts ISC Handler Mar 3rd 2010 |
Mar 3rd 2010 1 decade ago |
I've been seeing these for about a week now.
|
Ron 29 Posts |
Mar 3rd 2010 1 decade ago |
Can anyone please provide information on sender or subject lines so that we can query our systems accordingly? Thanks in advance.
|
Anonymous |
Mar 3rd 2010 1 decade ago |
Our system is mostly knocking these down by reputation, so we aren't getting the subject lines at all. Looking for mail "From" amazon.com but not from a source IP of Amazon's, the most common sender is "order-update@amazon.com", and the source IPs tend to be DSL or Comcast cable subscribers. We have been seeing these since at least March 25.
A few with malware ZIP attachments have the subject "Shipping update for your Amazon.com order 254-71546325-658732". A separate phishing run has the subject "Update your Amazon.com account information." and lots of Yahoo shortcut javascript junk in the message content.
Paul 44 Posts |
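The check Paul describes above (mail claiming a From of amazon.com that did not arrive from an expected source IP), sketched in Python as an added example that is not part of the thread. The allowlist network, the mx.example.org hostname and the sample messages are constructed placeholders, not Amazon's real address ranges.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# Assumption: placeholder allowlist (RFC 5737 documentation range), not Amazon's real networks.
LEGIT_NETS = [ipaddress.ip_network("192.0.2.0/24")]
# Subject prefixes quoted by commenters in this thread.
SUBJECT_RE = re.compile(r"(Shipping update for your Amazon\.com order"
                        r"|Amazon\.com - Your Confirmation"
                        r"|Update your Amazon\.com account information)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def connecting_ip(msg):
    """Client IP from the topmost Received header, the only hop our own MTA wrote."""
    hops = msg.get_all("Received") or []
    m = IP_RE.search(hops[0]) if hops else None
    try:
        return ipaddress.ip_address(m.group(1)) if m else None
    except ValueError:  # malformed address such as [999.1.1.1]
        return None

def classify(raw, legit_nets=LEGIT_NETS):
    msg = email.message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if domain != "amazon.com":
        return "not-claimed"
    ip = connecting_ip(msg)
    if ip is not None and any(ip in net for net in legit_nets):
        return "plausible"
    hit = SUBJECT_RE.match(msg.get("Subject", "").strip())
    return "spoofed+known-subject" if hit else "spoofed"

def sample(ip, sender, subject, extra=""):
    """Build a constructed test message; mx.example.org stands in for our MTA."""
    return (f"Received: from client (unknown [{ip}]) by mx.example.org; "
            f"Wed, 3 Mar 2010 10:00:00 +0000\n{extra}"
            f"From: {sender}\nSubject: {subject}\n\nbody\n")

# A lower Received line is sender-controlled and must not satisfy the allowlist.
FORGED_HOP = "Received: from mail (mail [192.0.2.5]) by relay.invalid\n"
SAMPLES = [  # constructed messages, not captured mail
    sample("198.51.100.23", "order-update@amazon.com",
           "Shipping update for your Amazon.com order 254-71546325-658732"),
    sample("203.0.113.7", "order-update@amazon.com", "Hello", FORGED_HOP),
    sample("192.0.2.10", "order-update@amazon.com", "Your order"),
    sample("198.51.100.23", "user@example.org", "Lunch?"),
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(classify(raw))
```

Only the topmost Received header is trusted because every hop below it is supplied by the sending side and can be forged, as the second sample shows.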
Mar 3rd 2010 1 decade ago |
We received several of these as well. The subject line for ours was "Amazon.com - Your Confirmation (7368-03699-1652726)" and it looked to come from order-update@amazon.com but when you replied, went to several different domains which varied by email.
|
Paul 1 Posts |
Mar 3rd 2010 1 decade ago |
From: order-update@amazon.com
Subject: Shipping update for your Amazon.com order 254-71546325-658732
Body: Shipping update for your Amazon.com order 254-78546325-658742 Please check the attachment and confirm your shipping details.
Attachment: Shipping documents.zip

Barracuda Spam Firewall detects this as Trojan.VB.8768. Others are being blocked by intent/reputation.
Paul 6 Posts |
Mar 3rd 2010 1 decade ago |
I am seeing a small number of the phishing spam that Paul reported earlier in the comments.
I am seeing zero of the spam which Johannes is describing, but perhaps that is because my MTA is very effective at keeping out zombies. |
Andrew 41 Posts |
Mar 3rd 2010 1 decade ago |
We just saw a huge rash of these emails today. The source was generally internal due to a virus (fruspam). We were able to track down the sources of the infection by looking at the headers of the email.
|
Andrew 1 Posts |
Mar 4th 2010 1 decade ago |
I've only seen one of these messages. I have to agree with Andrew that it's most likely a case of a better-configured MTA. http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt
|
Anonymous |
Mar 4th 2010 1 decade ago |
We've seen a number of these since November of 09. For those interested here is the Threat Expert report from the analysis of "Shipping Documents.zip"
http://www.threatexpert.com/report.aspx?md5=bc1895e5a455fe39b2109dfc94fb9ab9 |
Anonymous |
Mar 4th 2010 1 decade ago |
Paul, Andrew: Do share!
We've seen waves of this recently from Amazon, also Hardware.com. Thousands of attempts, hundreds of successful deliveries, and a few clickers. The delivering hosts look to be a botnet as many of the injects are from private subscriber lines from around the world. |
Drew 3 Posts |
Mar 5th 2010 1 decade ago |
I've been getting dozens of these "Amazon" mails a day on one address since before Christmas. Most of them are now being classed as junk by the site's filters.
|
Drew 2 Posts |
Mar 6th 2010 1 decade ago |
Been receiving storms of this crud in spam folder for about two weeks, often two or three a day. Reported them as phishing in Hotmail but they keep coming unabated. Any way to make it quit?
|
Anonymous |
Jun 14th 2017 3 years ago |