New Amazon spoof

I recently came across the following spam message, spoofing an purchase order:


This is a nicely formatted message.  Of course, none of the links go to anything in Amazon, they all point to the same link which is a URL located in South Korea.  Note that every link points there, even the Help Department and Learn More links.  The URL is hosted in IP space in South Korea as well, which is nice for a change because often times the links and IP space where the abusive URLs are hosted are in multiple countries/regions with multiple jurisdictions.

The tactic behind this, of course, is that the user gets an email in their inbox.  There are three cases:

  1. The user did not order anything from Amazon.  In this case, the user says “What?  I didn’t order anything online recently, why am I getting this notice in my inbox?  I don’t want to be charged for something I didn’t buy!”  They then click on the link and it takes them to a landing page that is possibly hosted with malware, flipping their computer into a botnet, or is an advertisement for other spam services.  The point is that the spammer is ultimately using confusion (on the part of the end user) and using that to trick them into taking an action.

  2. The user did order something from Amazon, but they notice that the order is wrong.  In this case, the user has recently ordered something from Amazon and gets the confirmation.  However, the cost of it is incorrect.  Maybe that book they bought (perhaps a book about spam written by Terry Zink) which only cost $20 is being charged $95.99!  Ack!  They’ve been overcharged!  The person then clicks on the link and the action is the same as above – either a link to a spam product (possible) or a drive-by download (more likely).  In this case, the spammer is using the end user’s' desire to avoid being overcharged as a weapon against them.
  3. The user did order something from Amazon, but they don’t bother to check the notice.  In this case, the user has recently ordered something from Amazon, but they don’t pay attention to the email receipt.  This sounds like me half the time.  I do pay attention to these notices but sometimes it takes me a day or two (or three or four) to check it.  If this is the case, then the spammer’s strategy has backfired.  If the user is not reading these notices then it doesn’t matter how many times they spam them, they will never take action and won’t make money; it’s basically useless.  It’s kind of like advertising on PBS.

Spoofing is nothing new.  It has been around forever.  This one is nicely formatted though but is not the most sophisticated I have seen.

Comments (2)
  1. Barry Leiba says:

    In addition to the landing page downloading malware, it could also be a fake Amazon login page, meant to steal login credentials (so someone can really buy something you didn't order).

    It is a very well done note.  The odd screw-up about it, which really flags it as bogus to me, is the assortment of inconsistent prices: subtotal 66.99, total before tax 84.99, tax 0, order total 77.99, price 95.99… say what?  That mess alone is what should tell even a non-techie that it's not real.

  2. Terry Zink says:

    Actually, Barry, one could argue that the assortment of inconsistent prices would further confuse a user, leading them to login to the page.  "What is going on?  I need to sort this out!"

Comments are closed.

Skip to main content