Malicious Email Campaign Hits Amazon Customers in the UK

Customers of amazon.co.uk are being targeted by scam emails with attached malicious Microsoft Word documents. The messages claim to contain details on the transportation of an order, having the package number in the subject field.
Over 600 000 Malicious Emails Sent

The malicious activity was first detected by researchers with AppRiver at the end of October. The number of malicious emails isolated by the company since then is 600 000.

Reportedly, the scam email carries an attached Word document containing a malicious macro that runs commands to deliver a Trojan dropper to the targeted machine. This particular one is a keylogger that steals banking credentials and login information for email services and social media profiles. This, of course, does not guarantee that the criminals won’t use it in a different type of attack in the future.

Macro – A piece of VBA code that can easily be integrated in Office so users can automate their everyday tasks. This feature is often misused by cyber crooks, who add commands to it for downloading different malware.

Because of the risks involved, macros are disabled in Office components by default. So, in order for the commands to be executed, the user needs to turn on the support for macros intentionally.

The Crooks Behind the Campaign

AppRiver experts reveal that another party is targeting users of amazon.co.uk. 160 000 malicious emails have been caught so far. The analysts have noticed a few differences in the subject and the content of the email, as well as in the injection approach, but the final purpose is still the same – to infect the targeted computer with malware.

To make the scam appear more believable, the crooks have added a few quite precise touches:

  • Amazon graphics are inserted in the message body.
  • The subject field contains an order confirmation.

In this case the scam emails do not have a malicious file attached. Instead, they contain links to compromised WordPress sites. When the victim clicks on the link, the download of a file named invoice1104.pdf(dot)scr starts. The payload is unchanged – it is still a Trojan dropper.

The SCR extension on a file presented as a document is a red flag on its own. Users are advised to be extra careful with purchase-related emails in the shopping season, as hackers often use them as a cover for their malicious campaigns.
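
The naming trick described above can be checked mechanically at a mail gateway or web proxy. The following Python is an added example, not code from the article or from AppRiver; the extension lists and function names are assumptions chosen for illustration, and the sample inputs are constructed.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Extensions Windows runs directly (SCR is a screensaver, i.e. an executable).
EXECUTABLE = {"scr", "exe", "com", "pif", "bat", "cmd", "js", "vbs", "wsf", "hta"}
# Harmless-looking extensions a lure typically imitates (assumed list).
DECOY = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt", "jpg", "png", "zip"}
# Office formats that can carry VBA macros (legacy binary or macro-enabled).
MACRO_CAPABLE = {"doc", "docm", "dot", "dotm", "xls", "xlsm", "ppt", "pptm"}

def refang(text):
    """Undo defanging such as '(dot)' or '[.]' as used in reports."""
    return re.sub(r"\s*[\[\(]\s*(?:dot|\.)\s*[\]\)]\s*", ".", text, flags=re.I)

def basename_of(name_or_url):
    """Return the lower-cased file name from an attachment name or a link."""
    value = refang(name_or_url.strip())
    if "://" in value:
        # Drop query/fragment and decode %2E-style escapes in the path.
        value = unquote(urlsplit(value).path)
    # Windows ignores trailing dots and spaces, so strip them before checking.
    return posixpath.basename(value.replace("\\", "/")).rstrip(". ").lower()

def classify(name_or_url):
    """Return 'double-extension', 'executable', 'macro-capable' or 'ok'."""
    parts = basename_of(name_or_url).split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE:
        if len(parts) > 2 and parts[-2] in DECOY:
            return "double-extension"   # e.g. name.pdf.scr
        return "executable"
    if ext in MACRO_CAPABLE:
        return "macro-capable"          # hold for macro inspection
    return "ok"

# Constructed samples: the file name from the article plus illustrative cases.
SAMPLES = [
    "invoice1104.pdf(dot)scr",
    "https://blog.example/wp-content/uploads/invoice%2Epdf%2Escr?id=7",
    "order_details.doc",
    "receipt.pdf",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{classify(sample):17} {sample}")
```

A gateway would typically block the first two classes outright and route macro-capable attachments to further inspection rather than delivering them directly.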

Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.
