SANS ISC: Reports about large number of fake Amazon order confirmations SANS ISC InfoSec Forums
Reports about large number of fake Amazon order confirmations

A couple of readers wrote about a flood of fake order confirmations they are receiving. The e-mail claims to originate from, and attempts to trick the user into clicking on a link which will then lead to obfuscated JavaScript and malware.

This particular attack appears to be a new version of similar e-mails we have seen over the last week or so. The new version uses larger e-mail messages, which appear to be composed with Microsoft Word.

The text is still pretty concise. As a sample:

Dear Customer,

Your order has been sucessfully confirmed. For your reference, here's a summary of your order:

You just confirmed order #2341-23483720-38123
At the end of the e-mail follows a link to a malware site, labeled "ORDER INFORMATION".

A number of different domains have been seen used so far.

Johannes B. Ullrich, Ph.D.
SANS Technology Institute

4302 Posts
ISC Handler
Mar 3rd 2010
I've been seeing these for about a week now.

29 Posts
Can anyone please provide information on sender or subject lines so that we can query our systems accordingly? Thanks in advance.
Our system is mostly knocking these down by reputation, so we aren't getting the subject lines at all. Looking for mail "From" but not from a source IP of Amazon's, the most common sender is "", and the source IPs tend to be DSL or Comcast cable subscribers. We have been seeing these since at least March 25.
A few with malware ZIP attachments have the subject "Shipping update for your order 254-71546325-658732".
A separate phishing run has the subject "Update your account information." and lots of Yahoo shortcut javascript junk in the message content.

47 Posts
We received several of these as well. The subject line for ours was " - Your Confirmation (7368-03699-1652726)" and it looked to come from but when you replied, went to several different domains which varied by email.
1 Posts
Subject: Shipping update for your order 254-71546325-658732
Body: Shipping update for your order 254-78546325-658742
Please check the attachment and confirm your shipping details.

Attachment: Shipping

Barracuda Spam Firewall detects this as Trojan.VB.8768
Others are being blocked by intent/reputation.
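A defender-side triage check for the heuristics the comments describe (a From header claiming the spoofed brand while the injecting host sits outside that brand's sending networks, the quoted subject pattern, and the ZIP-attachment variant), as an added example that is not part of the diary or of any comment. The claimed domain amazon.com and the 203.0.113.0/24 allow-list are assumptions, and the sample message is constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from ipaddress import ip_address, ip_network
# Assumptions: the claimed sender domain and its legitimate sending networks are
# placeholders; fill AMAZON_NETS from the real sender's SPF records or your logs.
CLAIMED_DOMAIN = "amazon.com"
AMAZON_NETS = [ip_network("203.0.113.0/24")]  # placeholder range (TEST-NET-3)
# Subject wording and order-number shape taken from the subjects quoted in the thread.
FAKE_SUBJECT_RE = re.compile(
    r"(shipping update for your order|your confirmation).*\d{3,4}-\d{5,8}-\d{5,8}", re.I)
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def injecting_ip(msg):
    # Bracketed IP in the top-most Received: header: the host that handed the
    # message to our border MTA, the only hop the receiving side can trust.
    for hdr in msg.get_all("Received") or []:
        m = RECEIVED_IP_RE.search(hdr)
        if m:
            return ip_address(m.group(1))
    return None

def score_message(raw):
    # Return the list of reasons a raw message looks like the fake order mail.
    msg = message_from_string(raw)
    reasons = []
    _, addr = parseaddr(msg.get("From", ""))
    src = injecting_ip(msg)
    if (addr.lower().endswith("@" + CLAIMED_DOMAIN) and src is not None
            and not any(src in net for net in AMAZON_NETS)):
        reasons.append(f"From claims {CLAIMED_DOMAIN} but injected from {src}")
    if FAKE_SUBJECT_RE.search(msg.get("Subject", "")):
        reasons.append("subject matches fake order-confirmation pattern")
    for part in msg.walk():  # the ZIP-attachment variant reported in the thread
        name = part.get_filename() or ""
        if name.lower().endswith(".zip"):
            reasons.append(f"ZIP attachment {name!r}")
    return reasons

# Constructed sample (not a real capture); 198.51.100.0/24 is TEST-NET-2.
SAMPLE = """Received: from dsl-pool.example ([198.51.100.7]) by mx.example.org with ESMTP
From: "Amazon.com" <order-update@amazon.com>
Subject: Shipping update for your order 254-71546325-658732
Content-Type: multipart/mixed; boundary="b"

--b
Content-Disposition: attachment; filename="order.zip"

UEsDBAo=
--b--
"""
```

Feed it raw messages from quarantine; a message from a host inside AMAZON_NETS loses the first reason but still trips the subject and attachment checks.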
6 Posts
I am seeing a small number of the phishing spam that Paul reported earlier in the comments.

I am seeing zero of the spam which Johannes is describing, but perhaps that is because my MTA is very effective at keeping out zombies.

41 Posts
We just saw a huge rash of these emails today. The source was generally internal due to a virus (fruspam). We were able to track down the sources of the infection by looking at the headers of the email.
1 Posts
I've only seen one of these messages. I have to agree with Andrew that it's most likely a case of a better-configured MTA.
We've seen a number of these since November of 09. For those interested here is the Threat Expert report from the analysis of "Shipping"
Paul, Andrew: Do share!

We've seen waves of this recently from Amazon, also Thousands of attempts, hundreds of successful deliveries, and a few clickers. The delivering hosts look to be a botnet as many of the injects are from private subscriber lines from around the world.

3 Posts
I've been getting dozens of these "Amazon" mails a day on one address since before Christmas. Most of them are now being classed as junk by the site's filters.
2 Posts
Been receiving storms of this crud in my spam folder for about two weeks, often two or three a day. Reported them as phishing in Hotmail but they keep coming unabated. Any way to make it quit?