We’ve recently seen a return of email spam campaign featuring fake Amazon.com notifications. This appeared in the Holiday shopping season last year coming from disposable domains, and is now back, apparently coming from compromised domains in the UK. Here’s an example:
Of course, the attachment contains a malicious trojan that allows remote access to Windows systems. It’s not a particularly convincing fake. For instance, real Amazon notifications are not addressed to multiple recipients, and an order placed in February would usually have been delivered long before May 1st. What’s more, the From email address is actually a compromised domain which has nothing to do with Amazon, and the design and wording are not at all like a genuine Amazon notification. Here’s the real thing:
The book is a good read, by the way!
In spite of the obvious problems with this message, it is convincing a large number of users. Though Cloudmark is flagging these messages as spam we have received many hundreds of reports from trusted users who have taken the message out of their spam folder. We hope that once they try to download the attachment their anti-virus program will let them know they have been fooled, but this is not guaranteed. According to the invaluable VirusTotal.com only 28 out of 52 anti-virus packages currently recognize this thread, and one of the ones to miss it is one of the most popular AV packages on the market.
Like many families, mine shares an Amazon.com account (because Prime) so when I see an Amazon notification I will look at it to see what is going on my credit card. Of course, I wouldn’t open an unsolicited attachment for all the gold in Nigeria, but unfortunately many people are not so cautious, so even an inept forgery like this one can be used to spread malware. Here are some tips for avoiding malware and phishing:
- Make sure the sender’s email address matches the content.
- Beware of multiple recipient email addresses.
- Don’t open unsolicited attachments.
- Don’t click on links in unsolicited emails.
- If you must click on a link in what you believe is a genuine email, hover your mouse over it first, and make sure that the destination URL goes to the domain you expect.
- Beware of emails that begin with a generic salutation like “Dear Customer”.
- Look out for errors in spelling and grammar.
- If you get a notification from a bank or a retailer like Amazon that looks in anyway suspicious, but you want to check if it’s real, then don’t click on the links in the message or open the attachment. Instead log into your account by going to the website directly in your browser.