Skip to main content

New Amazon Order Confirmation Emails Could Be Phishing Attempts

By January 11, 2019June 2nd, 2022Cybersecurity

According to Alexa, Amazon is the 4th most visited website in the United States and ranks 8th worldwide.  To say that it gets a lot of traffic every day would be an understatement, which is why a newly discovered phishing campaign pretending to come from Amazon is so disturbing.

Although Amazon sees heavy traffic every day of the year, things get especially frenzied during the holidays as shoppers flock to the company’s website to buy Christmas presents for friends and family.  Scammers know this and seek to take advantage of unwary shoppers, thus the genesis of their latest campaign.  The security firm EdgeWave has been monitoring the development of the campaign.

Scammers are sending out well-crafted, sophisticated emails that appear to come from Amazon, featuring subject lines designed to draw the attention of online shoppers, such as “Your Amazon.com Order” Or “Your Amazon Order (order number) has shipped.”

Naturally, if you’ve purchased something from Amazon, you’ll be inclined to open the email to get more information. You’ll then be presented with something that appears to be a legitimate order confirmation, although lacking in any specific details about the product.

In lieu of that, the scammers have placed an ‘Order Details’ button in the email, inviting users to click for additional information.  Unfortunately, clicking the link downloads a word document onto the user’s device.  If the user tries to open it, they’ll get a message that says they need to enable content in order for the message to be properly displayed.

What this does in actuality though, is enable macros, which hackers and scammers have been using for years to inject malicious code onto PCs around the world, and sure enough, that’s exactly what happens in this case.

EdgeWave researchers have tested the poisoned document and discovered that as the download begins, what is apparently being downloaded is a file called ‘keyandsymbol.exe’. However, embedded in the code, they found references to mergedboost.exe.

By now, most people know better than to click links or open files, even when they seem to come from a trusted source. This latest campaign underscores the importance of ongoing education and friendly, periodic reminders.

Chris Forte

Chris Forte, President and CEO of Olmec Systems, has been in the MSP workspace for the past 25 years. Chris earned his Master’s Degree from West Virginia University, graduating Magna Cum Laude. He was a past member of the Entrepreneurs’ Organization, a current member of the New Jersey Power Partners and Executive Association of New Jersey, where he has previously served on its board of directors. In his spare time, Chris enjoys traveling with his family. He also admits to being a struggling golfer and avid watcher of college football and basketball. He currently lives in Boonton Township, NJ with his wife, two daughters, son, and black lab Luna.