Malicious “Amazon” Emails Aim to Infect Holiday Shoppers
Date: Nov 10, 2014
Guest Post: AppRiver.
Over the past several day we have been seeing several malicious email campaigns posing as legitimate communication from Amazon.
The first campaign is posing as messages from the amazon.co.uk with the subject line reading: Your Amazon Order Has Dispatched (#3digits-7digits-7digits). These messages purport to be order shipment notifications.
These messages began hitting our filters on 31/10/14 and have been coming in consistently ever since. Thus far we have quarantined just over 600,000 of these messages.
Each message contains a Word document (MD5: a75e196e6c0cabc145f4cdc3177e66ec) that contains a malicious macro. In most instances users should at a slightly lower risk with this infection vector, since macros are not enabled by default in more recent versions of Word.
The macro (if allowed to execute) leads to the install of a Trojan dropper. The malware currently creates a process named SUVCKSGZTGK.exe on the victims machine. Eventually this leads to the install of key-logging malware designed to harvest banking login credentials, email credentials and social media credentials.
As we commonly see with this these types of campaigns, the payload can be changed out by the malware distributors so this dropper could pull down some other form of malware in the future.
In a separate email blast, another group is distributing malicious emails posing as Amazon order confirmation emails. These emails are coming is at a slightly slower clip than the former campaign mentioned but we have quarantined nearly 160,000 of these message over the past few days. They appear from amazon.com with the subject reading: Your order on Amazon.com.
These email have a bit more of a legitimate look as they utilize actual graphics taken from Amazon. Instead of a malicious attachment, these messages utilize links to compromised wordpress sites… Click here to read the full blog.