Amazon (fake) phishing attack???

jvmorris (MVM, join 2001-04-03, Reston, VA):

Perhaps I've been leading a charmed life recently, but has anyone noticed a very innocuous-looking scam ostensibly originating from Amazon? To wit (with highlighting of suspicious portions):

From: Amazon.com (ujaolyso@thatrulesarethe.in)
To: Joseph Morris followed by six distinct e-mail addresses, only one of which is remotely associated with me
Date: 26-May-14 11:39:35 AM
Subject: Your Amazon.com order 5071VH3

National AmazonLocal.com

Hi,

Thank you for your order. We'll let you know once your item(s) have dispatched. You can check the status of your order or make changes to it by visiting Your Orders on Amazon.com.

Order Details

Order QV1866868 Placed on May 02, 2014

Order details and invoice in attached file.

Need to make changes to your order? Visit our Help page for more information and video guides.

We hope to see you again soon. Amazon.com

• That's not exactly an expected Amazon source
• Although it refers to a specific order, it's being sent to six different addressees.
• I placed no Amazon order on or about the date indicated.
• The attached ZIP file (not included) doesn't appear to be a real ZIP file.
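The four indicators listed above (sender domain unrelated to the displayed brand, one "order" notice fanned out to many recipients, two different order numbers in the subject and body, and a ".zip" attachment whose bytes are not a ZIP container) can be checked mechanically from a saved copy of the message. The script below is an added example and is not from the original post or from Amazon; the recipient addresses and the attachment bytes are constructed for the example and are not the real payload.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Leading bytes ("magic") that identify common attachment types.
MAGIC = {
    "zip": b"PK\x03\x04",
    "pdf": b"%PDF-",
    "exe": b"MZ",
}

# Matches "order 5071VH3" / "Order QV1866868"; case-sensitive so that
# "Order details" is not picked up.
ORDER_RE = re.compile(r"\b[Oo]rder\s+([A-Z0-9]{6,})\b")


def build_sample() -> bytes:
    """Constructed message modelled on the one quoted in the thread.
    Recipient addresses and attachment bytes are made up (assumption)."""
    msg = EmailMessage()
    msg["From"] = '"Amazon.com" <ujaolyso@thatrulesarethe.in>'
    msg["To"] = ", ".join(
        ["jmorris@example.net"] + [f"victim{i}@example.org" for i in range(1, 7)]
    )
    msg["Subject"] = "Your Amazon.com order 5071VH3"
    msg.set_content(
        "Hi,\n\nThank you for your order. We'll let you know once your "
        "item(s) have dispatched.\n\nOrder QV1866868 Placed on May 02, 2014\n"
        "Order details and invoice in attached file.\n"
    )
    # Named .zip, but the bytes are not a ZIP container (constructed).
    msg.add_attachment(
        b"\x00\x00\x00\x00not-really-a-zip" + b"\x00" * 32,
        maintype="application",
        subtype="zip",
        filename="Order_QV1866868.zip",
    )
    return msg.as_bytes()


def triage(raw: bytes) -> list:
    """Return a list of human-readable phishing indicators found in raw RFC 822 bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. Display name that is itself a domain ("Amazon.com") while the real
    #    address lives on an unrelated domain: brand impersonation.
    sender = msg["From"].addresses[0]
    name = sender.display_name.strip().lower()
    if "." in name and not sender.domain.lower().endswith(name):
        findings.append(f"display-name/domain mismatch: {name!r} vs {sender.domain}")

    # 2. A per-order notice should have exactly one recipient.
    recipients = msg["To"].addresses if msg["To"] else ()
    if len(recipients) > 1:
        findings.append(f"order notice sent to {len(recipients)} recipients")

    # 3. Subject and body should agree on the order number.
    body = msg.get_body(preferencelist=("plain",)).get_content()
    ids = {m.group(1) for m in ORDER_RE.finditer(str(msg["Subject"]) + "\n" + body)}
    if len(ids) > 1:
        findings.append(f"inconsistent order numbers: {sorted(ids)}")

    # 4. Attachment extension vs. what the first bytes actually say.
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        ext = fname.rsplit(".", 1)[-1].lower()
        data = part.get_content()
        if ext in MAGIC and not data.startswith(MAGIC[ext]):
            actual = next((k for k, sig in MAGIC.items() if data.startswith(sig)), "unknown")
            findings.append(f"attachment {fname!r} claims .{ext} but magic says {actual}")
    return findings


if __name__ == "__main__":
    for line in triage(build_sample()):
        print("-", line)
```

These are triage heuristics, not a verdict: a genuine ZIP that wraps something like `invoice.pdf.exe` passes the magic check and still needs to be opened with `zipfile` on a non-Windows host, as the original poster did, before anything is concluded about it.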
Nanaki (banned; Member, join 2002-01-24, Akron, OH):
Seems that the zip file is likely some sort of keylogger, trojan or the like, as there seem to be no links to click and steal your password etc. Could be interesting to see what the fake zip file is trying to install. Also, if you tried to open it, I'd say it's time to do a full system scan for viruses etc., as it likely did in fact open and at least tried to install something.

LadyL (Premium Member, join 2002-09-18, Lorain, OH) to jvmorris:
I got that same email... notified Amazon via email (stop-spoofing@amazon.com)... got an email back from Amazon thanking me for the forwarded email... they have had plenty of other members (users) of Amazon.com receiving the same email.

jvmorris to Nanaki:
Correct, no clickable links in the message text (and it was an HTML post). The 39 kB attachment, when examined on a non-Windows system, was found to contain an ostensible PDF file, which -- again -- was listed as 'file type not recognized'.

Gee, I wonder if I'm now one of the privileged millions with a customized invitation to reveal all to the NSA? You know, . . .

Congratulations!!! You may be a winner!! Open the attachment and see if you have been selected to receive one of the six million prizes on offer from the NSA this Memorial Day!

jvmorris to LadyL:
said by LadyL:

I got that same email... notified Amazon via email (stop-spoofing@amazon.com)... got an email back from Amazon thanking me for the forwarded email... they have had plenty of other members (users) of Amazon.com receiving the same email.

Thank you.

Always nice to find that ye olde Mark 1 Mod 5648572211 brain is still functional.

onDvine (Premium Member, join 2005-01-29, So. CA, USA) to LadyL:
said by LadyL:

... plenty of other members(users) of Amazon.com receiving same email.

My husband got it, too. Weird, though, that it came to a Verizon address which was never used for on-line purchasing. We always use spamgourmet.com addresses so the phisher must have a non-Amazon source.
Nanaki:

said by onDvine:

My husband got it, too. Weird, though, that it came to a Verizon address which was never used for on-line purchasing.

Most spam bots do not use any harvested email addresses. Instead they use multiple text files with, for example, neo.rr.com, version.com, att.net etc. in one, and names, numbers and letters in another. The bot then takes these items from the two files and assembles them into an email address. Example: the bot pulls novaflare.269 from one file and verison.com from another, generating novaflare269@verison.com; it then sends out the email to that address and hundreds if not thousands of others from each infected computer, potentially using a legit email account listed on the computer it is running on. Other times the sender email is just random garbage, possibly a real domain, sometimes not. In this case, while it is sending from a real domain, it's likely just using old-school SMTP HELO etc. commands on a vulnerable server.

Now there are other cases where the spambot is harvesting emails from a person's contact list and only sending out to those on the contact list. In this case you'll get spam emails from your friends.

Almost forgot: the email example I used is bogus as far as I know, just one I made up on the fly for the example.

onDvine:

said by Nanaki:

... sending out to those on the contact list. In this case youll get spam emails from your friends. ...

Do you mean spoofed as being from that friend or just harvested from them?

vaxvms (Premium Member, join 2005-03-01, Polar Park) to jvmorris:
Ask yourself
Why would amazon.com address you as "Hi"? And without using your name.
"have dispatched"? When has any order you've placed with any business "dispatched"?
Nanaki to onDvine:
said by onDvine:

Do you mean spoofed as being from that friend or just harvested from them?

Typically, if you get an email that is from someone you know and that is spam, they or someone they know is infected, or at least was.

Basically the bot has the list of contacts and that person's email address. Now the only way to know if they are currently infected and sending is to examine the headers of the email and try to figure out if the IP etc. is in fact theirs. If it is theirs, then they are infected.

Once a system has been compromised and the contact lists and the owner's email address have been harvested, you will get those emails long after the account is dead. Basically the bot won't forget and will keep using it till its controller tells it to stop using it.

I have some limited experience with killing a spambot botnet from years ago. Some here are sure to remember, I suspect. Funny thing is, I honestly am not even close to being an uber hacker by any means, but just got stupid lucky. The aftermath was pretty funny though.
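The header check described in the post above (walk the Received: chain back to the host that first injected the message and see whether that host has anything to do with the From: domain) looks like this in practice. This is an added example, not code from the original thread; every hostname, IP address and queue id in the sample headers is constructed, and the "internal" address ranges are an assumption about one's own mail infrastructure.

```python
import email
import re
from email import policy
from ipaddress import ip_address, ip_network

# Constructed headers for the example; every host, name and address is made up.
# The top-most Received: line is the last hop (our own server); the bottom one
# is the earliest, i.e. the host that first handed the message to a mail server.
SAMPLE_HEADERS = b"""Received: from mx.example.net (localhost [127.0.0.1])
\tby mx.example.net (Postfix) with ESMTP id 1A2B3C
\tfor <you@example.net>; Mon, 26 May 2014 11:39:41 -0400
Received: from relay.example.net (relay.example.net [10.0.0.5])
\tby mx.example.net with ESMTP id 4D5E6F; Mon, 26 May 2014 11:39:40 -0400
Received: from friendpc (dyn-pool-44.isp.example [198.51.100.44])
\tby relay.example.net with SMTP id 7G8H9I; Mon, 26 May 2014 11:39:35 -0400
From: Friend <friend@friendmail.example>
To: you@example.net
Subject: Your Amazon.com order 5071VH3

(body omitted)
"""

# Networks that belong to our own infrastructure (assumption); hops from these
# are skipped when looking for the origin. ipaddress.is_global is deliberately
# not used because it also rejects the RFC 5737 documentation range used above.
INTERNAL = [ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8",
                                    "172.16.0.0/12", "192.168.0.0/16")]

HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"                          # name the client announced in HELO/EHLO
    r"(?:\s+\((?:(?P<rdns>[^\s\[\]()]+)\s+)?"         # optional reverse-DNS name
    r"\[(?:IPv6:)?(?P<ip>[0-9a-fA-F.:]+)\]\))?"      # connecting IP as recorded by the receiver
    r".*?\bby\s+(?P<by>\S+)"                         # server that wrote this line
)


def received_hops(raw: bytes) -> list:
    """Return hops top-first; each is a dict with helo/rdns/ip/by (None if absent)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = []
    for hdr in msg.get_all("Received", []):
        text = " ".join(str(hdr).split())  # unfold continuation lines
        m = HOP_RE.search(text)
        hops.append(m.groupdict() if m else
                    {"helo": None, "rdns": None, "ip": None, "by": None})
    return hops


def origin_hop(raw: bytes):
    """Earliest hop whose connecting IP is outside our own networks."""
    for hop in reversed(received_hops(raw)):
        if not hop["ip"]:
            continue
        ip = ip_address(hop["ip"])
        if not any(ip in net for net in INTERNAL):
            return hop
    return None


def sender_domain(raw: bytes) -> str:
    msg = email.message_from_bytes(raw, policy=policy.default)
    return msg["From"].addresses[0].domain.lower()


def origin_consistent_with_sender(raw: bytes) -> bool:
    """True only if the origin host's HELO name or reverse DNS sits in the From: domain."""
    hop = origin_hop(raw)
    if hop is None:
        return False
    dom = sender_domain(raw)
    return any(
        n and (n.lower() == dom or n.lower().endswith("." + dom))
        for n in (hop["helo"], hop["rdns"])
    )


if __name__ == "__main__":
    print("origin:", origin_hop(SAMPLE_HEADERS))
    print("consistent with From:", origin_consistent_with_sender(SAMPLE_HEADERS))
```

Only the Received: lines written by servers you trust are evidence; everything below the first hop your own MTA recorded was supplied by the sending host and can be forged. In the sample the IP in that first trusted line is on an ISP dynamic pool with no relation to friendmail.example, which is the pattern the post describes for a compromised contact's machine rather than the friend's real mail provider.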

onDvine:

Thank you.
said by Nanaki:

... examine the headers of the email and try to figure out if the ip etc is in fact theirs. ...

The message was deleted from the other computer, but I saw the word "terrible" in the headers as part of the domain name it came from. So it had nothing to do with anyone who forwards "interesting" stuff to him being compromised.
Nanaki:

I sometimes like dissecting the headers to figure out where the email comes from. Always sort of hoping to find another simple kill of a botnet, but that was a one-in-a-million shot the last time, and that was when Win98 was still in use with default administrative shares and NetBIOS over TCP/IP: no password needed, just ip:139, browse the C drive, grab files for the botnet, edit, and go bonkers and bust a gut when the botnet shut itself down. Buhahahah, that poor 10k-bot botnet was never the same after that.

Oh, for the net to be young again. I sometimes miss the days of dialup and dual 56k modems with 2x dialup accounts and outrunning cable internet by 30k. The days of super-tweaking the OS and dialup modems etc.

jvmorris to vaxvms:
said by vaxvms:

Ask yourself
Why would amazon.com address you as "Hi"? And without using your name.
"have dispatched"? When has any order you've placed with any business "dispatched"?

First, for the record, KAV finally woke up and flagged the attachment in that e-mail, about six hours after I moved it to the 'deleted' folder.
Marked it as "Trojan.Win32.Sourtoff.gh"

To your specific points: I do occasionally order from smaller, third-party providers on Amazon (not to mention eBay), and I have occasionally gotten rather casual responses similar to this when the requested item is temporarily out of stock; it just usually identifies the item in question in the text of the e-mail, not in a ZIPped attachment.
Similarly, "have dispatched" doesn't particularly bother me, since some of my orders are to UK sources, . . . but I've never ordered anything from India.

However, I do now wonder if maybe one of those smaller suppliers hasn't had the e-mail addresses of their customers hijacked.

Now to look up that particular Trojan . . . .

LadyL to jvmorris:
Always helpful when I can... from years ago *rolls eyes*