Security specialists warn email users to be “extra cautious” this holiday shopping season
Security researchers at web and email firm AppRiver have tracked two types of Amazon phishing emails that are targeting the UK – one at a quantity of 600,000 and the other at 160,000.
Both carry Trojan malware that harvests banking login credentials, email credentials and social media credentials.
Fake Amazon emails
Troy Gill, manager of security research, AppRiver, said: “Currently we are seeing several malware email campaigns posing as legitimate communication from Amazon.”
The first campaign is posing as messages from amazon.co.uk with the subject line reading: Your Amazon Order Has Dispatched (#3digits-7digits-7digits). These messages pose as order shipment notifications.
Gill said: “These messages began hitting our filters on October 31 and have been coming in consistently ever since. So far we have quarantined just over 600,000 of these messages.”
Each message contains a Word document (MD5: a75e196e6c0cabc145f4cdc3177e66ec) that contains a malicious macro. The macro (if allowed to run) leads to the installation of a Trojan dropper. The malware currently creates a process named SUVCKSGZTGK.exe on the victim's machine. Eventually this leads to the installation of keylogging malware designed to harvest banking login credentials, email credentials and social media credentials.
“As we commonly see with these types of campaigns, the payload can be changed out by the malware distributors so this dropper could pull down some other form of malware in the future,” Gill added.
In a separate email blast, another group is distributing malicious emails posing as Amazon order confirmation emails.
Gill said: “These emails are coming in at a slightly slower clip than the former campaign mentioned but we have quarantined nearly 160,000 of these messages over the past few days. They appear from amazon.com with the subject reading: Your order on Amazon.com. These emails have a bit more of a legitimate look as they utilize actual graphics taken from Amazon. Instead of a malicious attachment, these messages utilize links to compromised WordPress sites.
“Clicking these links launched the download of a .scr file, which should be a huge red flag to most users. The .scr file (MD5: 09cb12d7cd0228360cd097baeaaa6552) is in fact a Trojan dropper that will lead to the install of more malware once it has infected the host. Once again, from here, the sky is the limit for the malware distributors since they can now download and install remote files of their choosing. Currently this infection appears to be targeting the users' keystrokes for harvesting sensitive data.
“This is a very popular time of the year for these types of scams with so many people in shopping mode in preparation for the holidays. With many people expecting purchase confirmations and shipping confirmations with much more frequency, it increases the likelihood that people will fall for this scam with a far greater frequency. Be extra cautious this holiday shopping season and if you are suspicious of unauthorised activity on your Amazon account, never follow the link in an email such as this, go directly to the website and check your account from there.”
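The indicators AppRiver describes for the two campaigns (the two subject-line formats, the two quoted MD5s, a Word attachment carrying the macro, and a link that downloads a .scr file) can be turned into a simple mail-gateway triage check. The script below is an added example, not AppRiver's code or the article's; the sample messages and the blog.example.net domain are constructed stand-ins for the compromised WordPress hosts the article mentions.

```python
import hashlib
import re
from email import message_from_string

# Indicators taken from the article: the two subject formats, the two quoted MD5s,
# a Word attachment (the macro carrier) and a link that downloads a .scr file.
DISPATCH_SUBJECT = re.compile(r"^Your Amazon Order Has Dispatched \(#\d{3}-\d{7}-\d{7}\)$")
CONFIRM_SUBJECT = re.compile(r"^Your order on Amazon\.com$")
KNOWN_MD5S = {"a75e196e6c0cabc145f4cdc3177e66ec", "09cb12d7cd0228360cd097baeaaa6552"}
SCR_LINK = re.compile(r"https?://[^\s\"'<>]+\.scr\b", re.IGNORECASE)


def triage(raw_message: str) -> list:
    """Return the campaign indicators matched by one RFC 822 message (empty if none)."""
    msg = message_from_string(raw_message)
    hits = []
    subject = (msg.get("Subject") or "").strip()
    if DISPATCH_SUBJECT.match(subject):
        hits.append("subject:dispatch-notification")
    if CONFIRM_SUBJECT.match(subject):
        hits.append("subject:order-confirmation")
    for part in msg.walk():  # every MIME leaf: bodies and attachments alike
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        filename = (part.get_filename() or "").lower()
        if filename.endswith((".doc", ".docm", ".scr")):
            hits.append("attachment:" + filename.rsplit(".", 1)[1])
        if hashlib.md5(payload).hexdigest() in KNOWN_MD5S:
            hits.append("attachment:known-dropper-md5")
        if part.get_content_maintype() == "text" and SCR_LINK.search(payload.decode("utf-8", "replace")):
            hits.append("link:scr-download")
    return hits


# Constructed sample messages modelled on the two campaigns (not real captures).
DISPATCH_SAMPLE = """\
Subject: Your Amazon Order Has Dispatched (#203-1234567-7654321)
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/msword; name="order.doc"
Content-Disposition: attachment; filename="order.doc"

not a real document
--b1--
"""
CONFIRM_SAMPLE = ("Subject: Your order on Amazon.com\nContent-Type: text/html\n\n"
                  '<a href="http://blog.example.net/wp-content/uploads/order.scr">View order</a>\n')
```

A message with any hit should be quarantined for review rather than delivered; a genuine Amazon notification matches none of these signals, as the last assertion in the test illustrates.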