Hackers leverage fake Amazon order confirmation campaign to spread Emotet trojan
  • The malspam campaign is widely using compromised servers located in Colombia, Indonesia and the United States of America.
  • The campaign involves attackers sending emails with different subject lines such as "Your Amazon.com order" and "Amazon order details".

Scammers are back to ruin the holiday season with a new malspam campaign. The fraudsters are creating fake Amazon order confirmation emails to trick users into downloading and executing the Emotet banking trojan.

Modus operandi

Discovered by email security company EdgeWave, the new scam campaign involves attackers sending emails related to fake order confirmation from Amazon. The emails are sent with different subject lines such as "Your Amazon.com order", "Amazon order details", and "Your order 162-2672000-0034071 has shipped".

When a user opens the email, it shows only the order number, with no image or details of the item. To view the item details, the user needs to click the ‘Order Details’ button, which leads to the download of a Word document named order_details.doc.

Once opened, the file asks the user to click the ‘Enable Content’ button, which triggers a PowerShell command that downloads and executes the Emotet banking trojan. The trojan is downloaded in the form of malicious files: mergedboost.exe and Keyandsymbol.exe.

Upon execution, the trojan runs silently in the background and performs a series of nefarious activities such as logging keystrokes and stealing account information.
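A mail-triage check for the lure described above, as an added example that is not from EdgeWave or the original article: it matches the reported subject lines, then flags an off-brand sender, links that leave amazon.com, and links that fetch a Word document. The `.example` hosts, the sample messages and the reason labels are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Subject patterns taken from the lures quoted in the article.
SUBJECT_RE = re.compile(
    r"your amazon\.com order|amazon order details|your order [\d-]+ has shipped", re.I)
TRUSTED = "amazon.com"  # assumption: the only domain a real order mail links to

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":  # keep only absolute web links
            self.links += [v for k, v in attrs
                           if k == "href" and v and v.lower().startswith(("http://", "https://"))]

def on_domain(host, domain):
    # Exact domain or a subdomain; look-alikes such as notamazon.com fail.
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def triage(raw):
    """Return the reasons an order-themed message looks like this lure."""
    msg = message_from_string(raw)
    if not SUBJECT_RE.search(msg.get("Subject", "")):
        return []  # not order-themed, out of scope for this check
    reasons = []
    sender = parseaddr(msg.get("From", ""))[1]
    if not on_domain(sender.rpartition("@")[2], TRUSTED):
        reasons.append("sender-domain-mismatch")
    collector = LinkCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
    for url in collector.links:
        parsed = urlparse(url)
        if not on_domain(parsed.hostname, TRUSTED):
            reasons.append("off-brand-link")
        if parsed.path.lower().endswith((".doc", ".docm")):  # .docm added as an assumption
            reasons.append("link-to-word-document")
    return reasons

# Constructed samples; the .example hosts are placeholders, not campaign indicators.
LURE = ("From: Amazon <orders@shop.example>\nSubject: Amazon order details\nContent-Type: text/html\n\n"
        '<a href="http://files.example/order_details.doc">Order Details</a>')
LEGIT = LURE.replace("shop.example", "amazon.com").replace(
    "http://files.example/order_details.doc", "https://www.amazon.com/your-orders")
```

The From header is easy to forge, so the sender check is a weak signal on its own; the link checks are what catch a lure sent from a compromised server.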

Impact of the campaign

EdgeWave reported that the malspam campaign was widely using compromised servers located in Colombia, Indonesia and the United States of America.

“Interestingly, these other servers are in Houston and Lansing. Playing Dora the Explorer for a moment, we’ve encountered a compromised email server in Colombia sending phishing email with a link to a server in Indonesia that downloads malware which then contacts compromised servers in the United States. The holidays are truly global!” EdgeWave told BleepingComputer.

Staying safe

Pay close attention to spelling mistakes and grammatical errors in emails to avoid such scams. Always log in to the original site to check the status of your order. This will help you keep track of your orders while enabling you to detect and delete the phishing email.