I recently came across the following spam message, spoofing an Amazon.com purchase order:
This is a nicely formatted message. Of course, none of the links go to anything at Amazon; they all point to the same URL, which is located in South Korea. Note that every link points there, even the Help Department and Learn More links. The URL is hosted in IP space in South Korea as well, which is nice for a change, because oftentimes the links and the IP space where the abusive URLs are hosted are spread across multiple countries/regions with multiple jurisdictions.
The tactic behind this, of course, is that the user gets an email in their inbox. There are three cases:
- The user did not order anything from Amazon. In this case, the user says “What? I didn’t order anything online recently, why am I getting this notice in my inbox? I don’t want to be charged for something I didn’t buy!” They then click on the link, and it takes them to a landing page that possibly hosts malware, flipping their computer into a botnet, or that is an advertisement for other spam services. The point is that the spammer is ultimately exploiting confusion on the part of the end user to trick them into taking an action.
- The user did order something from Amazon, but they notice that the order is wrong. In this case, the user has recently ordered something from Amazon and gets the confirmation. However, the cost is incorrect. Maybe that book they bought (perhaps a book about spam written by Terry Zink) which only cost $20 is being charged at $95.99! Ack! They’ve been overcharged! The person then clicks on the link, and the outcome is the same as above – either a link to a spam product (possible) or a drive-by download (more likely). In this case, the spammer is using the end user’s desire to avoid being overcharged as a weapon against them.
- The user did order something from Amazon, but they don’t bother to check the notice. In this case, the user has recently ordered something from Amazon, but they don’t pay attention to the email receipt. This sounds like me half the time. I do pay attention to these notices, but sometimes it takes me a day or two (or three or four) to check them. If this is the case, then the spammer’s strategy has backfired. If the user is not reading these notices, then it doesn’t matter how many times the spammer sends them; the user will never take action and the spammer won’t make money. It’s basically useless. It’s kind of like advertising on PBS.
Spoofing is nothing new. It has been around forever. This one is nicely formatted, though it is not the most sophisticated I have seen.
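The giveaway in the message above is that every link, including Help Department and Learn More, points at one URL outside Amazon. As an added example (not part of the original post), the following Python checks an HTML message for exactly that pattern: links whose host is not under the brand domain the message claims, and all links collapsing to a single destination. The sample message and the example.invalid host are constructed, and the brand domain is an assumption supplied by the caller.

```python
# Added example: flag an HTML email whose links leave the brand it claims to be from.
from html.parser import HTMLParser
from urllib.parse import urlparse

BRAND_DOMAIN = "amazon.com"  # domain the message claims to come from (assumed input)


class _LinkCollector(HTMLParser):
    """Collect every href together with the anchor text the recipient sees."""
    def __init__(self):
        super().__init__()
        self.links = []  # list of (href, visible text)
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None


def _same_org(host, brand):
    """True when host is the brand domain itself or a subdomain of it."""
    host = host.lower().rstrip(".")
    return host == brand or host.endswith("." + brand)


def analyze_links(html, brand=BRAND_DOMAIN):
    """Report web links that leave the claimed brand and whether all links share one target."""
    p = _LinkCollector()
    p.feed(html)
    web = [(h, t) for h, t in p.links if urlparse(h).scheme in ("http", "https")]
    foreign = [(h, t) for h, t in web if not _same_org(urlparse(h).hostname or "", brand)]
    return {
        "total_links": len(web),
        "foreign_links": foreign,
        "single_destination": len(web) > 1 and len({h for h, _ in web}) == 1,
        "suspicious": bool(foreign),
    }


# Constructed sample resembling the spoofed order notice: every anchor points at one outside host.
SAMPLE = """<p>Your Amazon.com order has shipped.</p>
<a href="http://example.invalid/x">View order</a>
<a href="http://example.invalid/x">Help Department</a>
<a href="http://example.invalid/x">Learn More</a>"""
```

A mail filter would run `analyze_links` over the HTML part and score a message that is both `suspicious` and `single_destination`, which is the shape of the notice described above.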