Amazon Order Confirmation Phishing Scam (Dec 24, 2018)
A sophisticated malspam campaign was observed delivering fraudulent Amazon order confirmations, according to EdgeWave. The messages included headlines such as "Your Amazon.com order," "Amazon order details," and "Your order 162-2672000-0034071 has shipped." The emails showed a forged order confirmation regarding the shipment of an item but did not contain any information about what was sent, practically forcing the recipient to click the "Order Details" button. Clicking the button downloads a Word document, which then requests that macros be enabled. If the user enables the macros, a PowerShell command is triggered which ultimately installs the Emotet banking trojan onto the machine.
Recommendation: Malspam is a constant threat used by malicious actors who are consistently changing the themes of the messages to trick unsuspecting recipients, especially during the holiday season. Actors have become increasingly manipulative during the holiday season with the rise in eCommerce sales, which provides them with a larger pool of potential victims. Any messages that request a recipient to open a file attachment and enable content or macros should be avoided. Anti-spam and antivirus applications provided by trusted vendors should be employed, in addition to educating your employees to identify such attempts.
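The chain described above (Word document, macro, PowerShell) leaves a recognizable process lineage in endpoint logs. The following is an added detection example, not part of the original report or EdgeWave's analysis; it assumes process-creation events with Sysmon-style field names (Image, ProcessId, ParentProcessId, CommandLine), and all sample events and file names are constructed.

```python
# Flag PowerShell started by an Office application, directly or through an
# intermediate process such as cmd.exe. Input is assumed to be a chronological
# list of process-creation events (Sysmon Event ID 1 style fields).
import ntpath

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

def ev(pid, ppid, image, cmd):
    return {"ProcessId": pid, "ParentProcessId": ppid, "Image": image, "CommandLine": cmd}

# Constructed sample events (not taken from the campaign).
EVENTS = [
    ev(100, 4, r"C:\Windows\explorer.exe", "explorer.exe"),
    ev(200, 100, r"C:\Program Files\Microsoft Office\WINWORD.EXE", r"WINWORD.EXE C:\Users\a\Downloads\order_details.doc"),
    ev(300, 200, r"C:\Windows\System32\cmd.exe", "cmd.exe /c <constructed>"),
    ev(400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -enc <constructed-placeholder>"),
    ev(500, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe"),  # user-launched, benign
    ev(600, 100, r"C:\Program Files\Microsoft Office\EXCEL.EXE", "EXCEL.EXE report.xls"),
    ev(700, 600, r"C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe", "PowerShell.exe -w hidden <constructed>"),
]

def base(path):
    # ntpath parses Windows paths regardless of the analyst's OS.
    return ntpath.basename(path).lower()

def office_ancestor(event, by_pid, max_depth=8):
    """Walk the parent chain; return the nearest Office ancestor or None."""
    seen, pid = set(), event["ParentProcessId"]
    for _ in range(max_depth):
        parent = by_pid.get(pid)
        if parent is None or pid in seen:  # unknown parent or PID loop
            return None
        if base(parent["Image"]) in OFFICE:
            return parent
        seen.add(pid)
        pid = parent["ParentProcessId"]
    return None

def find_office_powershell(events):
    """Return (pid, office_app, command_line) for each suspicious PowerShell start."""
    by_pid, alerts = {}, []
    for e in events:
        by_pid[e["ProcessId"]] = e  # latest event wins if a PID is reused
        if base(e["Image"]) in POWERSHELL:
            anc = office_ancestor(e, by_pid)
            if anc is not None:
                alerts.append((e["ProcessId"], base(anc["Image"]), e["CommandLine"]))
    return alerts
```

Matching on the parent chain rather than only the direct parent catches the case where the macro starts a shell that in turn starts PowerShell.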
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.