Amazon Invoice Malware Spam run Continues

Amazon Invoice Malware Spam run Continues

I had a few mails land in a spamtrap of mine over the last few days, part of an ongoing spam run as per the Dynamoo Blog. The malicious files contained in zip attachments are constantly changing, but the general theme of the spam remains the same.

Fake Amazon Email

“Good evening,

Thank you for your order. We’ll let you know once your item(s) have dispatched.You can check the status of your order or make changes to it by visiting Your Orders on Amazon.com. Order Details

Order FB4826342 Placed on December 9, 2013

Order details and invoice in attached file.

Need to make changes to your order? Visit our Help page for more information and video guides.

We hope to see you again soon. Amazon.com Good afternoon,

Thanks for your order. We’ll let you know once your item(s) have dispatched.You can view the status of your order or make changes to it by visiting Your Orders on Amazon.com. Order Details

Order KX3314644 Placed on December 10, 2013

Order details and invoice in attached file.

Need to make changes to your order? Visit our Help page for more information and video guides.

We hope to see you again soon. Amazon.com”

Here’s the second, which arrived yesterday:

More Amazon spam

“Good morning,

Thanks for your order. We’ll let you know once your item(s) have dispatched.You can view the status of your order or make changes to it by visiting Your Orders on Amazon.com. Order Details

Order PN8411273 Placed on December 8, 2013

Order details and invoice in attached file.

Need to make changes to your order? Visit our Help page for more information and video guides.

We hope to see you again soon. Amazon.com Hello,

Thank you for your order. We’ll let you know once your item(s) have dispatched.You can check the status of your order or make changes to it by visiting Your Orders on Amazon.com. Order Details

Order SO8333160 Placed on December 8, 2013

Order details and invoice in attached file.

Need to make changes to your order? Visit our Help page for more information and video guides.

We hope to see you again soon. Amazon.com”

Both emails cite an order date from around the December 8, which was the date listed when the spam run started.

You’d think they’d want to keep things looking current, but leaving the older date in there might actually benefit the spammers, because it may mean the recipients will think they’re missing a piece of last-minute shopping that they’d forgotten about.

Both of the above emails target @live addresses, with multiple @live addresses CC’d in. End-users are at an advantage here if using webmail instead of a client because should they attempt to download either zipfile via the Outlook web-interface, they’ll receive the following message:

“The file = Your Amazon.com order LC8270018.zip is infected with an unknown virus, so it isn’t safe to download”

The emails are also caught as spam by Outlook / Hotmail, so there’s another plus.

If an end-user isn’t paying attention to spam settings (or worse, disabled them) and is downloading their mail via a client, however, they’ll have the email and attachment  sitting ready and waiting to get up to mischief.

What’s inside the zipfiles?

ORDER_FR234.exe MD5: 65AA62047A29B4DB82AB9F71BF9FD9D1

Malwarebytes Anti-Malware catches this as Trojan.Inject.RRE, and it has a VirusTotal score of 28/49.

10001723.transact_store.exe MD5: 52D832C893645A86AB7C8E1708B4AE37

Malwarebytes Anti-Malware detects this as Trojan.Zbot.ML, and it has a VirusTotal score of 19 / 49.

Please be aware that there are many, many more of these emails and attachments in circulation. CISCO has compiled an extremely long list of email attachment names, spam mail content and more dating back to October all playing on the same theme of Amazon delivery notices (which is an extremely common tactic at this time of year).

Some Tips to Stay Safe

1) Familiarise yourself with the Amazon security page, it contains a lot of good advice for avoiding scams and shenanigans. Note that they currently have an alert up:

“If you received an e-mail regarding the cancellation of an order you don’t recognise, please check Your Orders in Your Account. If you can’t find a matching order, the e-mail you received wasn’t from Amazon.co.uk. We recommend that you delete the e-mail”

The above mails are about invoices for orders made and not cancellations, but the same rule applies: you can always log into Amazon first and check your account before doing anything, and they also have a contact us page with both telephone support and live chat.

2) Always check the sender’s email address. Neither of the above have made a particularly convincing attempt at trying to look like a genuine sender. Again, you can always check with Amazon to confirm that fakename123@fakeemail is nothing to do with them.

3) If Amazon were going to email you about an order, they wouldn’t CC in about a dozen or more additional email accounts belonging to somebody else. Smart scammers would use BCC – take advantage of their laziness and learn to spot the red flags.

4) Never, ever download and run an executable from a random email. It doesn’t even have to be an executable file – scammers will happily booby-trap PDFs and spreadsheets in the quest to compromise your computer.

Amazon shoppers will continue to be popular targets for scammers throughout December, and fake orders / cancellations / invoices will be delivered straight to their doorstep for a few more weeks yet.

Christopher Boyd

ABOUT THE AUTHOR

Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.