Reports about large number of fake Amazon order confirmations

Published: 2010-03-03. Last Updated: 2010-03-03 17:28:42 UTC
by Johannes Ullrich (Version: 1)
13 comment(s)

A couple of readers wrote about a flood of fake Amazon.com order confirmations they are receiving. The e-mail claims to originate from Amazon.com, and attempts to trick the user into clicking on a link which will then lead to obfuscated JavaScript and malware.

This particular attack appears to be a new version of similar e-mails we have seen over the last week or so. The new version uses larger e-mail messages, which appear to be composed with Microsoft Word.

The text is still pretty concise. As a sample:

-----
Dear Customer,

Your order has been sucessfully confirmed. For your reference, here's a summary of your order:

You just confirmed order #2341-23483720-38123

Status: CONFIRMED

-----

At the end of the e-mail follows a link to a malware site, labeled "ORDER INFORMATION".

A number of different domains have been seen in use so far.
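As an added defender-side illustration (not code from the diary or its commenters), a small Python filter that flags messages carrying the indicators described on this page: a From header claiming amazon.com while the submitting host is not in Amazon's sending ranges (the heuristic a commenter describes below), the quoted subject lines and order-number shapes, and a ZIP attachment. The trusted netblock, the sample message and the indicator names are assumptions constructed for the example.

```python
import email, email.utils, ipaddress, re
from email import policy

# Constructed placeholder netblock (TEST-NET-3) standing in for Amazon's real sending
# ranges; a production filter would load the currently published ranges instead.
TRUSTED_AMAZON_NETS = [ipaddress.ip_network("203.0.113.0/24")]
# Subject and order-number shapes quoted in the diary and its comments.
SUBJECT_RE = re.compile(r"Your Confirmation|Shipping update for your Amazon\.com order", re.I)
ORDER_RE = re.compile(r"\b\d{3,4}-\d{5,8}-\d{5,7}\b")
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def claims_amazon(msg):
    # The From header is sender-controlled; this only tells us what it claims.
    return email.utils.parseaddr(msg.get("From", ""))[1].lower().endswith("@amazon.com")

def origin_ip(msg):
    # Received headers are prepended per hop, so the last one names the submitting host.
    for hdr in reversed(msg.get_all("Received", [])):
        m = RECEIVED_IP_RE.search(hdr)
        if m:
            return ipaddress.ip_address(m.group(1))
    return None

def score_message(raw):
    # Return the list of indicators triggered by one raw RFC 5322 message.
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    if claims_amazon(msg):
        ip = origin_ip(msg)
        if ip is None or not any(ip in net for net in TRUSTED_AMAZON_NETS):
            hits.append("from-claims-amazon-but-untrusted-source")
    subject = msg.get("Subject", "")
    if SUBJECT_RE.search(subject) or ORDER_RE.search(subject):
        hits.append("amazon-order-subject")
    if any((p.get_filename() or "").lower().endswith(".zip") for p in msg.walk()):
        hits.append("zip-attachment")
    return hits

# Constructed sample modelled on the headers a commenter quotes; not a real capture.
SAMPLE = """Received: from [198.51.100.77] (dsl-pool.example.net [198.51.100.77]) by mx.example.com
From: order-update@amazon.com
Subject: Shipping update for your Amazon.com order 254-71546325-658732
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/zip; name="Shipping documents.zip"

UEsDBA==
--b1--
"""
```

Running `score_message(SAMPLE)` returns all three indicators; a message from amazon.com whose submitting host sits inside the trusted netblock and that carries no ZIP or order-style subject returns an empty list.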

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: amazon malware
Comments

I've been seeing these for about a week now.
Can anyone please provide information on sender or subject lines so that we can query our systems accordingly? Thanks in advance.
Our system is mostly knocking these down by reputation, so we aren't getting the subject lines at all. Looking for mail "From" amazon.com but not from a source IP of Amazon's, the most common sender is "order-update@amazon.com", and the source IPs tend to be DSL or Comcast cable subscribers. We have been seeing these since at least March 25.
A few with malware ZIP attachments have the subject "Shipping update for your Amazon.com order 254-71546325-658732".
A separate phishing run has the subject "Update your Amazon.com account information." and lots of Yahoo shortcut JavaScript junk in the message content.
We received several of these as well. The subject line for ours was "Amazon.com - Your Confirmation (7368-03699-1652726)" and it looked to come from order-update@amazon.com, but when you replied, it went to several different domains which varied by e-mail.
From: order-update@amazon.com
Subject: Shipping update for your Amazon.com order 254-71546325-658732
Body: Shipping update for your Amazon.com order 254-78546325-658742
Please check the attachment and confirm your shipping details.

Attachment: Shipping documents.zip

Barracuda Spam Firewall detects this as Trojan.VB.8768
Others are being blocked by intent/reputation.
I am seeing a small number of the phishing spam that Paul reported earlier in the comments.

I am seeing zero of the spam which Johannes is describing, but perhaps that is because my MTA is very effective at keeping out zombies.
We just saw a huge rash of these emails today. The source was generally internal due to a virus (fruspam). We were able to track down the sources of the infection by looking at the headers of the email.
I've only seen one of these messages. I have to agree with Andrew that it's most likely a case of a better-configured MTA. http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt
We've seen a number of these since November of 09. For those interested, here is the ThreatExpert report from the analysis of "Shipping Documents.zip":

http://www.threatexpert.com/report.aspx?md5=bc1895e5a455fe39b2109dfc94fb9ab9