Phishing Alert: “Your Amazon.com Order” email


Yes, it’s the holiday season, and it’s also the season of cyber crooks taking advantage of holiday online shoppers, especially those who don’t usually shop online.

I came across a fairly convincing (at first glance anyways) phishing/malicious email claiming to have been sent from Amazon.com.

[Screenshot: the fake "Your Amazon.com Order" email]

Although the email used images from Amazon.com (hotlinked from g-ec2.images-amazon.com), a careful examination of the content revealed a pretty laughable attempt. There are multiple zip codes listed in the address, and Greenwich, OH was misspelled. A Google search on the street address returned nothing at all (i.e. it is not a valid address), and a search on the phone number returned no legitimate business either.

If you look at the email’s raw (original) data, you will see that although it says the sender was “store-news [at] amazon.com”, the actual sender was “shackledmt05 [at] polysto.com”, from the IP address 95.131.0.100.  This IP points to a mail server in Russia.

Further examining the email, I noticed that all the clickable links in the email point to a single URL: an "amazonorderdetails.html" at the domain "diamondwares.net". At least 2 security scanners report the URL as malicious, according to VirusTotal. Sucuri's SiteCheck reveals even more: the URL redirects conditionally to different websites.
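The two checks described above, comparing the displayed sender with the real originating sender in the raw headers and collecting every link target in the HTML body, can be done with a short script. The following is an added example written for this post, not code from the original article or from any of the tools mentioned in it. The e-mail it parses is a constructed sample that imitates the pattern described here (a "From" claiming amazon.com while Return-Path and the first Received hop belong to another domain, and every link pointing at one unrelated URL); the domains and IP address in it are placeholders, not the values from the real message.

```python
"""Header and link checks for a suspicious e-mail (added example, not from the original post)."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: the From header claims amazon.com, but Return-Path and
# the originating Received hop point elsewhere, and both links share one target URL.
SAMPLE_RAW = """\
Return-Path: <someone@mail.attacker.example>
Received: from mail.attacker.example (mail.attacker.example [203.0.113.10])
\tby mx.recipient.example with ESMTP id abc123
\tfor <victim@recipient.example>; Mon, 02 Dec 2013 10:00:00 -0500
From: "Amazon.com" <store-news@amazon.com>
To: victim@recipient.example
Subject: Your Amazon.com Order
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your order has shipped.</p>
<a href="http://lure.example/amazonorderdetails.html">View order details</a>
<a href="http://lure.example/amazonorderdetails.html">https://www.amazon.com/your-account</a>
<img src="https://images.example/logo.png">
</body></html>
"""


def domain_of_address(header_value):
    """Lower-cased domain part of an address header, or '' if there is none."""
    _, address = parseaddr(str(header_value or ""))
    return address.rpartition("@")[2].lower()


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_sender(msg):
    """Compare the displayed From domain with Return-Path and the originating hop."""
    received = msg.get_all("Received") or []
    # Received headers are prepended by each hop, so the last one is the first hop.
    origin = str(received[-1]) if received else ""
    match = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", origin)
    from_domain = domain_of_address(msg["From"])
    return_path_domain = domain_of_address(msg["Return-Path"])
    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "origin_ip": match.group(1) if match else None,
        "sender_mismatch": from_domain != return_path_domain,
    }


def check_links(msg):
    """List every link and flag ones whose visible URL text names a different host."""
    body = msg.get_body(preferencelist=("html",))
    collector = _LinkCollector()
    collector.feed(body.get_content() if body is not None else "")
    findings = []
    for href, text in collector.links:
        target_host = urlparse(href).hostname or ""
        shown_host = urlparse(text).hostname if "://" in text else None
        findings.append({
            "href": href,
            "text": text,
            "target_host": target_host,
            "text_host_mismatch": shown_host is not None and shown_host != target_host,
        })
    return findings


def analyze(raw):
    """Parse a raw RFC 5322 message and return the sender and link findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender, links = check_sender(msg), check_links(msg)
    return {
        "sender": sender,
        "links": links,
        "unique_targets": sorted({f["href"] for f in links}),
        "suspicious": sender["sender_mismatch"] or any(f["text_host_mismatch"] for f in links),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_RAW)
    print("sender:", result["sender"])
    print("link targets:", result["unique_targets"])
    print("suspicious:", result["suspicious"])
```

Running the script on a real message means pasting its "show original" source in place of the sample. The sender check only compares domains and extracts the IP of the originating hop; whether that IP belongs to the claimed sender still has to be looked up separately, as the post does, and a single redirector URL behind every link is exactly the pattern the link check surfaces.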

[Screenshots: Sucuri SiteCheck results for diamondwares.net showing the conditional redirects]

I scanned the redirect URLs again with VirusTotal and Sucuri, and here are the results:

ibertomoralles [dot] com – Sucuri

ibertomoralles [dot] com – VirusTotal

pleansantwille [dot] com – Sucuri

pleansantwille [dot] com – VirusTotal

Although it seemed obvious that this was not a legitimate email from Amazon.com, because "info@beautemineral.com" doesn't have an account with Amazon and the address listed is not the address for "info@beautemineral.com", this might very well be a social engineering trick from the attacker(s) to stir up fear of ID theft. It is not hard to imagine someone becoming worried that his or her email/ID might have been used to shop on Amazon without his or her knowledge. It is also not hard to imagine that, out of that fear, the target simply clicks on one of those links to check his or her account status.

The good news is that Gmail did an excellent job of correctly classifying this email as spam and, as a result, disabled all the links. But you can't always rely on spam filters. It goes without saying that you should never click on links in emails from unrecognized senders. Be super cautious about links in emails even if they are from people and companies that you know or organizations that you belong to. Always open a web browser and type in the URL directly.

Happy online shopping, and stay safe(r)!