An updated Amazon phishing fraud campaign is well timed for the post-holiday shopping season, arriving with a catchy subject line:
Subject: Your order has been succesfully cancelled.
From: ”Amazon.com LLC”<orders@amazon.com>
The subject line contains a spelling error, omitting the second “s” in “successfully,” but the mistake is common enough that most recipients likely won’t notice.
Rather than being sent by Amazon.com, these are of course spoofed emails sent, in this case, by otherwise legitimate mail servers like “mail.terahost.net” ([76.191.125.141]).
The fraud itself is pretty straightforward:
Dear Customer,
Your order has been succesfully cancelled. For your reference, here’s a summary of your order:
You just cancelled order #526-6855528-7758496 placed on
December 27, 2010.
Status: CANCELLED
____________________________________________________________________________
Order #526-6855528-7758496 details
Sold by: Amazon.com. LLC
_____________________________________________________________________________
Because you only pay for items when we ship them to you, you won’t be charged for any items that you cancel.
Thank you for visiting Amazon.com!
——————————————————————–
Amazon.com
Earth’s Biggest Selection
http://www.amazon.com
What we like (using that term loosely) about this fraud is the link replacement that displays an “order number” but that hyperlinks to a very realistic login page on a hijacked business server.
The bogus login page (used to steal legitimate users’ logins and passwords) looks like this:
What is even better is the spammer’s technique of embedding this fraud into an otherwise legitimate business web site.
Rather than using a newly registered throw-away domain, the page above is currently hosted, without the owner’s knowledge, at:
http://spectrumgallery.ca/zBoard/data/htm/102-6640885-6390525.php?cmd=sign-in
And while that particular page may be pulled down in the future, there are countless other e-commerce sites hijacked in this very same way.
If you truncate the URL and simply visit: http://spectrumgallery.ca you can see the actual web site that’s been registered since 03-14-2008.
This tactic of hiding the Phishing fraud bait pages within actual operating and otherwise legitimate sites not only saves the cyber-criminals money that would be spent on domain hosting and registration, but it also makes it easier to slip their fraud emails past many spam filtering systems.
With all the online holiday shopping and post-holiday returns, this fraud is sure to snare more than a few victims.
- -
OnlyMyEmail is an award winning hosted spam filtering service and business email hosting provider. Our enterprise cloud computing anti-spam solution, the MX-Defender, has the highest capture rate of any spam filter ever tested in the VBSpam Challenge, blocking a record setting 99.9993% of all malicious and junk email.
Our Personal spam filtering system is also a Software as a Service (SaaS) solution and has won both the PC World "World Class Award" and also the PC Magazine "Editor's Choice Award."
OME-Kids is a webmail solution that protects children from spam and other harmful emails. OME-Kids offers unique Parental Controls that allow you to choose the level of security and oversight that's right for your child.



