Customers of amazon.co.uk are being targeted by scam emails carrying malicious Microsoft Word attachments. The messages claim to contain shipping details for an order, with the package number in the subject field.
Over 600 000 Malicious Emails Sent
The malicious activity was first detected by researchers at AppRiver at the end of October. The company has isolated 600 000 malicious emails since then.
According to the report, the Word document attached to the scam email contains a malicious macro that runs commands to download a Trojan dropper onto the targeted machine. The payload in this case is a keylogger that steals banking credentials and login details for email services and social media profiles. This, of course, does not guarantee that the criminals won’t use the dropper to deliver a different type of payload in the future.
Macro – a piece of VBA code embedded in an Office document so users can automate their everyday tasks. Cyber crooks often abuse this feature by adding commands that download malware to the macro.
Because of the risks involved, macros are disabled in Office components by default. So, for the commands to be executed, the user has to enable macros intentionally, typically by clicking the “Enable Content” button on the security warning bar that Office shows when the document is opened.
The Crooks Behind the Campaign
AppRiver experts reveal that another party is targeting users of amazon.co.uk; 160 000 malicious emails have been caught so far. The analysts have noticed a few differences in the subject and content of the email, as well as in the delivery method, but the final purpose is still the same – to infect the targeted computer with malware.
To make the scam appear more believable, the crooks have added a few convincing touches:
- Amazon graphics are inserted in the message body.
- The subject field contains an order confirmation.
In this case the scam emails do not have a malicious file attached. Instead they contain links to compromised WordPress sites. When the victim clicks on the link, the download of a file named invoice1104.pdf(dot)scr starts. The payload hasn’t changed – it’s still a Trojan dropper.
The .scr extension on a file posing as a PDF invoice is a red flag on its own: .scr is the Windows screensaver extension, and screensaver files are ordinary executables, so opening the “invoice” runs the dropper. Users are advised to be extra careful with purchase-related emails in the shopping season, as crooks often use them as cover for their malicious campaigns.
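Both lures described in this article, the macro-carrying Word attachment and the invoice1104.pdf.scr download, can be caught at a mail gateway or download proxy with two cheap checks: a deceptive double extension ending in an executable type, and a VBA project part inside an Office document. The following is an added example and not code from the original article or from AppRiver; it uses only the Python standard library, the sample attachments are constructed inline, and the macro check covers only the OOXML (zip-based) container, so legacy binary .doc files would need an OLE parser such as oletools’ olevba instead.

```python
"""Attachment triage for the two Amazon lures: a Word document carrying a
VBA macro, and a download whose name hides an executable (.scr) behind a
document-looking extension. Added example, standard library only."""
import io
import zipfile

# Windows extensions that run as native code or script when opened. The .scr
# (screensaver) extension is a plain PE executable under a different name.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta"}

# Extensions that make a filename look like a harmless document or image.
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}

# Office formats stored in the OOXML zip container that may carry a VBA project.
OOXML_EXTENSIONS = {"docx", "docm", "dotm", "xlsx", "xlsm", "pptx", "pptm"}


def deceptive_double_extension(filename: str) -> bool:
    """True for names such as invoice1104.pdf.scr: the last extension is an
    executable type and the one before it is a document type."""
    parts = filename.lower().split(".")
    if len(parts) < 3:
        return False
    return parts[-1] in EXECUTABLE_EXTENSIONS and parts[-2] in DOCUMENT_EXTENSIONS


def ooxml_has_vba_project(data: bytes) -> bool:
    """True when an OOXML document carries a VBA project part. Word stores it
    as word/vbaProject.bin, Excel as xl/vbaProject.bin; the OLE payload inside
    is not parsed here, its presence alone is the indicator."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            names = [name.lower() for name in archive.namelist()]
    except zipfile.BadZipFile:
        return False
    return any(name.endswith("vbaproject.bin") for name in names)


def triage_attachment(filename: str, data: bytes) -> list:
    """Return the reasons an attachment should be held for review (empty = clean)."""
    reasons = []
    if deceptive_double_extension(filename):
        reasons.append("double extension hiding an executable: " + filename)
    extension = filename.lower().rsplit(".", 1)[-1]
    if extension in OOXML_EXTENSIONS and ooxml_has_vba_project(data):
        reasons.append("Office document contains a VBA project (macro)")
    return reasons


def build_docx(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML container, optionally with the
    vbaProject.bin part that a macro-enabled Word document carries."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Constructed stub; a real part is an OLE2 compound file.
            archive.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 stub")
    return buffer.getvalue()


if __name__ == "__main__":
    # Constructed samples modelled on the two campaigns (names are hypothetical).
    samples = [
        ("Order_Details_2041.docm", build_docx(with_macro=True)),
        ("Order_Details_2041.docx", build_docx(with_macro=False)),
        ("invoice1104.pdf.scr", b"MZ constructed stub"),
        ("invoice1104.pdf", b"%PDF-1.4 constructed stub"),
    ]
    for name, content in samples:
        print(name, "->", triage_attachment(name, content) or ["clean"])
```

The double-extension check deliberately keys on the pair of extensions rather than on .scr alone, so a legitimately named screensaver is not flagged while invoice1104.pdf.scr is; the macro check flags a VBA part even in a .docx, where Word would refuse to run it, because its presence still signals a tampered or mislabelled file.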