The Christmas period tends to be hit with various malicious spam and phishing campaigns, and this year is no exception. Attackers try to exploit shoppers who are ramping up their spending for the period, purchasing gifts for friends and family. Not only are people spending more money at this time of year, but shoppers are often less vigilant. When buying from so many different places, it can be hard to keep track and perform checks on websites.
EdgeWave, an email security company, discovered a new malspam (malicious spam) campaign in which attackers are sending emails masquerading as Amazon order confirmations. The emails look very convincing, leading many victims to believe they are legitimate.
The malicious order confirmations are being sent with various subject lines, including “Your Amazon.com Order”, “Amazon order details”, and “Your order 162-2672000-0034071 has shipped”.
When the victim opens the email, they are shown an order confirmation stating that their item has shipped, but it omits information normally present in Amazon confirmation emails, such as which items were ordered and the tracking information.
The email includes an “Order Details” button that users can click to find out more about the order. However, clicking the button downloads a Word document named order_details.doc.
When the document opens, users are hit with a message saying that they need to “Enable Content” in order to view the document properly.
If the user does click the button, macros will be triggered that execute a PowerShell command. The PowerShell command is responsible for downloading and executing the Emotet banking Trojan on the victim’s computer.
The Trojan runs silently in the background of the computer, logging keystrokes and stealing account information.
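As an added example (not part of the original article or EdgeWave's tooling), the following Python script checks a raw message for the traits described above: the reported subject lines, an “Order Details” link that points to a .doc file, and a body with no tracking information. The function name `triage`, the `.example` hosts and both sample messages are constructed assumptions, and the order-number pattern generalises the single number quoted above.

```python
import re
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlparse

# Subject lines reported on the page; the order-number digit pattern is an assumption.
SUBJECT_RE = re.compile(
    r"^(Your Amazon\.com Order|Amazon order details|Your order \d{3}-\d{7}-\d{7} has shipped)$", re.I)

class LinkCollector(HTMLParser):  # collects (anchor text, href) pairs from an HTML body
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def triage(raw_message: str) -> list[str]:
    """Return the campaign traits found in one raw e-mail message."""
    msg = message_from_string(raw_message, policy=default)
    findings = []
    if SUBJECT_RE.match(str(msg["Subject"] or "")):
        findings.append("subject")
    part = msg.get_body(preferencelist=("html",))
    html = part.get_content() if part else ""
    collector = LinkCollector()
    collector.feed(html)
    for text, href in collector.links:
        # "Order Details" button that fetches a Word document instead of a web page
        if text.lower() == "order details" and urlparse(href).path.lower().endswith(".doc"):
            findings.append("order-details-doc-link")
    if not re.search(r"tracking", html, re.I):
        findings.append("no-tracking-info")
    return findings

# Constructed sample messages (not captured from the campaign).
SAMPLE_SUSPICIOUS = ("Subject: Your order 162-2672000-0034071 has shipped\n"
    "Content-Type: text/html\n\n<p>Your item has shipped.</p>"
    '<a href="http://files.example/order_details.doc">Order Details</a>')
SAMPLE_BENIGN = ("Subject: Your order of Widget has shipped\nContent-Type: text/html\n\n"
    '<p>Widget x1, tracking ID TEST123</p><a href="https://shop.example/orders/1">Order Details</a>')
print(triage(SAMPLE_SUSPICIOUS), triage(SAMPLE_BENIGN))
```

Each trait on its own is weak; a message showing all three is worth quarantining for review before anyone opens the attachment.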
Users are reminded to pay close attention to their emails. If an order confirmation looks suspicious, shoppers can always log into the Amazon website to check their order details.