Today’s email brought this:
Subject: Amazon.co.uk order #AAR-5018964-8346289
Date Sent: Tue, 29 Oct 2013 05:59:12 -0700 (PDT)
Date Recd: Tue, 29 Oct 2013 08:04:21 -0500
[Full headers omitted — letter came via Yahoo Mail from somewhere in Israel if I’m reading the IPNs right]
Good afternoon, Thank you for your order. We’ll let you know once your item(s) have dispatched.You can view the status of your order or make changes to it by visiting Your Orders on Amazon.co.uk. Order Details Order #AAR-5018964-8346289 Placed on October 26, 2013 Order details and invoice in attached file. Need to make changes to your order? Visit our Help page for more information and video guides. We hope to see you again soon. Amazon.co.uk
Yep, an attachment. I wonder what’s in it?
To answer the insatiably curious, it contains an executable called Order details.exe with a file size of 69,120 bytes. Which I’m not curious enough about to run.
It turns out that quite a number of letters like this have been going around lately; the order number is different each time, and the supposed Amazon.co.uk address is different each time. Sometimes it starts “Good morning,” other times “Good afternoon,” and yet other times “Good evening,” but they’re all supposedly from Amazon.co.uk.
Amazon.co.uk even has a link up on their main Help page, Unexpected E-mail From Amazon.co.uk?
From other reports on the web from folks who did open the attachment and click on the link, it takes you to a supposed Amazon.co.uk page where they ask you for your email address, account name, password, banking information, and such. Which doesn’t mean that it didn’t drop a ton of malware too.
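The traits described above (the subject format, the rotating greeting, the executable attachment) are enough to flag these letters at a mail filter without opening anything. The sketch below is an added example, not code from the original post. The order-number pattern, the extension list, the trait labels and the sample messages are assumptions constructed for illustration, and the check for the `MZ` header goes one step beyond the post to catch an executable that has been renamed.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Traits described in the post. The order-number shape is an assumption
# generalised from the single number quoted there.
SUBJECT_RE = re.compile(r"Amazon\.co\.uk order #[A-Z]{3}-\d{7}-\d{7}", re.I)
GREETING_RE = re.compile(r"^\s*Good (morning|afternoon|evening),", re.I)
# Assumption: extensions a mail gateway would treat as directly executable.
EXEC_EXT = (".exe", ".scr", ".com", ".pif")


def build_message(subject, body, filename, payload):
    """Build a constructed test message; addresses are placeholders."""
    msg = EmailMessage()
    msg["From"] = '"Amazon.co.uk" <sender@example.invalid>'
    msg["To"] = "reader@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def findings(raw):
    """Return the list of lure traits found in a raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if SUBJECT_RE.search(str(msg.get("Subject", ""))):
        hits.append("subject-order-format")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and GREETING_RE.search(body.get_content()):
        hits.append("greeting-variant")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name.endswith(EXEC_EXT):
            hits.append("executable-extension:" + name)
        if data[:2] == b"MZ":  # DOS/PE header, catches renamed executables
            hits.append("pe-magic:" + name)
    return hits


# Constructed samples: harmless filler bytes, not the real attachment.
LURE = build_message("Amazon.co.uk order #AAR-5018964-8346289",
                     "Good afternoon, Thank you for your order.",
                     "Order details.exe", b"MZ" + b"\x00" * 62)
BENIGN = build_message("Your receipt", "Hello, your receipt is attached.",
                       "receipt.pdf", b"%PDF-1.4\n")

if __name__ == "__main__":
    print(findings(LURE))
    print(findings(BENIGN))
```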