Cyber criminals pose as Amazon in an email scheme

May 25, 2016 04:13 PM

Security experts are warning about a widespread email scheme criminals are using to trick consumers into installing software that encrypts their data and demands payment to restore access. The email makes it look like Amazon.com Inc. is the message sender.

Security verification vendor Comodo Group Inc. issued a warning this week about emails that appear to come from an Amazon.com sender address. Those emails, which are not from Amazon, have a subject line along the lines of “Your order has dispatched” and include what looks like an order number. The messages don’t contain any body text but do have an attachment. If recipients open that attachment, their computer is infected.

The attack using fake Amazon order notifications happened quickly and emails were sent in large volumes, says Fatih Orhan, director of technology at Comodo. “The sender seems as if it is Amazon. The email has an attachment but it doesn’t have a message,” he says, and the lack of a message might be the only hint that something is off.

Amazon did not respond to requests for comment.

Comodo has identified 60,000 fake Amazon emails, one of the larger attacks the vendor has observed this year. Another security firm says the attack appears to be much larger. Bryan Burns, vice president of threat research at cybersecurity vendor Proofpoint Inc., says his company has identified 100 million suspicious emails purporting to be from Amazon that were sent last week to recipients in the United States and Europe. Proofpoint analyzes around a billion emails a day.

“Once the malicious document attachments are opened, potential victims are asked to enable macros (named fragments of code), which ultimately download ransomware malware,” Burns says. “If users open the JavaScript attachment, they are immediately infected.” JavaScript is a scripting language that Windows runs directly when a .js attachment is opened, so no macro prompt stands between the click and the infection; ransomware is malware that encrypts victims’ files and withholds the decryption key until a ransom is paid.

If a victim doesn’t pay the ransom demanded within three days (Orhan says attackers are demanding around $220, paid in the Bitcoin digital currency), the attacker threatens to destroy the computer user’s data. While consumers in the United States and Europe were targeted in this particular attack, Orhan says it’s hard to tell where the attack originated.

“In this type of attack, usually botnets are used, so there are many different zombie computers sending this type of phishing email,” he says. Botnets are networks of computers criminals gain control of after getting consumers to install malicious software. “There are multiple sources all around the world. We cannot say that it’s targeted toward a specific region. We understand from our perspective that U.S. and U.K. customers have been hit.”

It’s unknown how many recipients of the fake Amazon emails opened the attachment and infected their computers. Experts say such attacks are common.

“These attacks capitalize on human curiosity and are always evolving as victims get more familiar with certain techniques,” says Karl Sigler, threat intelligence manager at security firm Trustwave Holdings Inc. “Variants often purport to be missed deliveries by one of the major package carriers or, for malicious email targeting businesses, the email will pretend to be a completed purchase order. Sometimes it’s a malicious attachment, but this type of attack could just as easily include a link to a malicious website.”

Amazon, No. 1 in the Internet Retailer 2016 Top 500 Guide, has not said anything publicly about this attack. Amazon has a section on its website telling shoppers what kinds of content in emails they should be suspicious of, such as requests for personal information or to update payment information. The retailer also advises: “Don't open any attachments or click any links from suspicious emails.” Amazon also suggests shoppers check any order number they receive via email against orders they’ve placed recently to determine if the email is legitimate.
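The indicators described above (a sender that claims to be Amazon but sends from another domain, a “your order has dispatched” subject, an empty body, a script or macro-enabled attachment, and an order number the recipient does not recognise) are enough to write a mail-gateway check. The following is an added example, not code from the article or from Comodo, Proofpoint or Amazon. The allow-list of Amazon sending domains, the list of risky attachment extensions, the 3-7-7 order-number shape and the sample messages are all assumptions constructed for this example.

```python
"""Score a raw e-mail against the fake-Amazon shipping-notification pattern."""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

AMAZON_DOMAINS = {"amazon.com", "amazon.co.uk"}           # assumed allow-list, not official
RISKY_EXTENSIONS = (".js", ".jse", ".wsf", ".vbs", ".hta",  # script droppers
                    ".docm", ".xlsm", ".doc", ".zip")        # macro carriers / wrappers
ORDER_SUBJECT = re.compile(r"\byour order (has )?(dispatched|shipped)\b", re.I)
ORDER_ID = re.compile(r"\b\d{3}-\d{7}-\d{7}\b")           # assumed order-number shape


def build_sample(from_header, subject, body, attachment_name=None):
    """Return a constructed test message as raw RFC 822 bytes (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = from_header
    msg["To"] = "shopper@example.test"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"placeholder bytes, not a real dropper",
                           maintype="application", subtype="octet-stream",
                           filename=attachment_name)
    return msg.as_bytes()


def indicators(raw, known_orders=frozenset()):
    """Return the list of lure indicators found in one raw message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    found = []

    # Display name or local part invokes Amazon, but the domain is not Amazon's.
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    if "amazon" in (name + addr).lower() and domain not in AMAZON_DOMAINS:
        found.append("spoofed-sender")

    subject = str(msg.get("Subject", ""))
    if ORDER_SUBJECT.search(subject):
        found.append("order-lure-subject")

    # Orhan's tell: an attachment with no message text at all.
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    if not body.strip():
        found.append("empty-body")

    # Amazon's advice: compare any quoted order number with orders you placed.
    cited = set(ORDER_ID.findall(subject + " " + body))
    if cited - set(known_orders):
        found.append("unknown-order-number")

    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        if filename.endswith(RISKY_EXTENSIONS):
            found.append("risky-attachment:" + filename)
    return found


def is_suspicious(found):
    """Treat a risky attachment plus any other indicator as the lure pattern."""
    has_dropper = any(f.startswith("risky-attachment:") for f in found)
    return has_dropper and len(found) >= 2


if __name__ == "__main__":
    lure = build_sample('"Amazon.com" <order-update@mail-amazon.example>',
                        "Your order has dispatched (#123-4567890-1234567)",
                        "", "Order_1234567.js")
    print(indicators(lure), is_suspicious(indicators(lure)))
```

A real gateway would also check SPF/DKIM alignment on the sender domain rather than trusting the display name, but the point of the rule is that the campaign's own tells (no body text, a script attachment, an order number you never placed) are detectable without any signature for the payload.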

But not every shopper is going to check a retailer’s website for advice on how to determine whether an email is legitimate. Security experts say retailers can try to help make sure customers don’t fall victim to email schemes by being consistent with their messaging.

“Making sure your customers understand how your company typically handles communication helps quite a bit,” Sigler says. “If you never send order confirmations as attached documents, be sure your customers are suspicious if they receive attached documents from you.”

“[Retailers] have to be consistent in their method of reaching their customers,” Comodo’s Orhan adds. “If they keep changing their methods and they don’t provide a stable way of communicating, the customers will not be suspicious.”

Comodo is the security certification vendor for 53 retailers in the Top 500, while Trustwave is the security verification vendor for 14 retailers.
