Malware Disguises Itself as Amazon Order Confirmation Email

Merry Christmas!

The hackers, of course, do not take Christmas off and are working hard to ruin yours.

Today’s story is about a very active spam campaign disguised as Amazon order confirmations. The first stage of the campaign looks something like this, with varying subject lines:

Notice that you have to click on ORDER DETAILS to see what the order is. Many people who know they didn’t order anything get concerned that their account has been hacked and click on it. From Amazon’s side, they are always changing things, so people might think “there the fools in Seattle go changing things again” and not give it much more thought.

If you hover over almost all of the links, they show legitimate Amazon URLs. The exception is the order details link.
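The “hover and compare” check described above can be automated. The following is an added example, not code from the original post: it parses every anchor in an HTML e-mail body and flags any link whose real host is not amazon.com or a genuine subdomain of it, including look-alike hosts such as amazon.com.evil.example and URLs that merely contain “amazon.com” in the path. The sample e-mail and the hostnames in it are constructed.

```python
# Added example (not from the original post): automate the "hover over the
# link" check on an HTML e-mail that claims to be from Amazon. Each anchor's
# real host is compared with the brand's domain, so look-alike hosts such as
# amazon.com.evil.example and paths containing "amazon.com" are flagged.
from html.parser import HTMLParser
from urllib.parse import urlparse

BRAND_DOMAIN = "amazon.com"  # domain the message claims to come from


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None


def host_belongs_to(host, domain):
    """True only for the domain itself or a genuine subdomain of it."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def suspicious_links(html_body, brand_domain=BRAND_DOMAIN):
    """Return (visible text, href) for links whose host is not the brand's."""
    parser = AnchorCollector()
    parser.feed(html_body)
    return [(text, href) for href, text in parser.links
            if not host_belongs_to(urlparse(href).hostname or "", brand_domain)]


# Constructed sample: legitimate-looking links plus the one rogue button.
SAMPLE_EMAIL = """<p>Your order has shipped.</p>
<a href="https://www.amazon.com/your-orders">Your Orders</a>
<a href="http://amazon.com.order-check.example/doc.php">ORDER DETAILS</a>
<a href="https://example.test/amazon.com/help">Help</a>"""

if __name__ == "__main__":
    for text, href in suspicious_links(SAMPLE_EMAIL):
        print(f"suspicious link: '{text}' -> {href}")
```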

It downloads a Microsoft Word document.

Think about that for a minute. Time’s up! Does that reasonably seem like something Amazon has ever done in its entire existence? NO! That is the first clue.

Then it tells the reader to enable macros (what Microsoft now calls “Enable Content”). That should be a really big red flag. But not to some. They don’t read the software license agreements and other legal documents that they are bound by, so why read this?

That fires off stage three: a PowerShell script downloads the Emotet malware. The hackers give it different names, but so far it is always Emotet.

Emotet grew to fame as a banking trojan – stealing passwords to empty out your bank account.

Now it silently logs all of your keystrokes, sending your user IDs, passwords, contacts, emails, texts, etc. to servers in Indonesia and the U.S. that were previously compromised.

So what are my tips regarding this?

Hover over the link to validate what site it is going to.

Better still, open a new browser window and go to HTTPS:// yourself.  If you don’t see the order, it isn’t Amazon.

If someone asks you to enable macros, just don’t do it. There are rare occasions, possibly at work, but make sure to validate the request independently – for example, call the help desk.

This virus is particularly nasty and you really want to avoid it if you can.

Now that this has been exposed, look for variations on this theme – like a Netflix email instead of an Amazon email.

Information for this post came from Bleeping Computer.
