A recent spam campaign abuses the world’s largest online retailer, Amazon.com, to promise a 55” TV set but instead direct users to a malware-laden page and infect them with a notorious exploit kit. Bitdefender Antispam Lab came across an increasing number of such e-mails crafted to look like Amazon order confirmations.
The fake notifications, which appear to confirm the order of 55” TVs associated with brands ranging from Sony, LG and Samsung to Vizio, Akai, Panasonic, Sanyo and Toshiba, fail to deliver television sets, but do deliver malware via BlackHole. This piece of malware attempts to exploit vulnerabilities on the user’s PC to push malicious code depending on the system weakness it finds. It usually works, since many users don’t keep their software up to date or patched with the latest security fixes.
Some of the subject lines American online buyers need to avoid these days look like this:
- Amazon.com order of Vizio G55UH4030 55-Inch
- Amazon.com order of Sony S554P3030 55-Inch
- Amazon.com order of Akai NML55GUG030 55-Inch
- Amazon.com order of Samsung UN55HQ5010 55-Inch
- Amazon.com order of Toshiba TB55QX5030 55-Inch
- Amazon.com order of Sanyo I55TZ4050 55-Inch
- Amazon.com order of Panasonic UN55EH6010 55-Inch
- Amazon.com order of LG A55LG27020 55-Inch
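The subject lines above all follow one template, so a mail gateway or log triage script can flag them with a single anchored pattern. The sketch below is an added example, not Bitdefender's detection logic; the reply/forward prefix handling and the model-token length bounds are assumptions, and the non-campaign subjects in `SAMPLE` are constructed.

```python
import re
from collections import Counter

# Brands named in the campaign's subject lines.
BRANDS = ("Vizio", "Sony", "Akai", "Samsung", "Toshiba", "Sanyo", "Panasonic", "LG")
CANON = {b.lower(): b for b in BRANDS}

# Assumption: strip common reply/forward prefixes before matching.
PREFIX = re.compile(r"^\s*((re|fwd?)\s*:\s*)+", re.I)

# Template: "Amazon.com order of <brand> <model token> 55-Inch", fully anchored
# so that longer subjects that merely contain these words are not flagged.
TEMPLATE = re.compile(
    r"^Amazon\.com order of (?P<brand>%s) (?P<model>[A-Z0-9]{6,14}) 55-Inch$"
    % "|".join(BRANDS),
    re.I,
)

def classify(subject):
    """Return (brand, model) if the subject fits the campaign template, else None."""
    s = " ".join(PREFIX.sub("", subject).split())  # drop prefixes, collapse spaces
    m = TEMPLATE.match(s)
    if not m:
        return None
    model = m.group("model").upper()
    # Every listed model token mixes letters and digits and embeds "55".
    if "55" not in model or model.isdigit() or model.isalpha():
        return None
    return CANON[m.group("brand").lower()], model

def triage(subjects):
    """Count template hits per brand across a batch of subject lines."""
    return Counter(hit[0] for hit in map(classify, subjects) if hit)

# First two entries use subjects from the article; the rest are constructed.
SAMPLE = [
    "Amazon.com order of Vizio G55UH4030 55-Inch",
    "Re: Amazon.com order of Sony S554P3030 55-Inch",
    "amazon.com order of  LG A55LG27020 55-inch",
    "Amazon.com order of Sony headphones 55-Inch",
    "Your Amazon.com order has shipped",
]

if __name__ == "__main__":
    for subj in SAMPLE:
        print(f"{'FLAG' if classify(subj) else 'ok':4}  {subj}")
    print(dict(triage(SAMPLE)))
```

A subject match is only one signal and is best combined with sender authentication results and link reputation before a message is quarantined.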
The order appears to have been placed on May 29 and provides buyers with an estimated delivery date set sometime between May 30 and May 31, 2013. All e-mails are addressed to buyers with delivery addresses all across the United States, including Los Altos, PA; Annandale, AK; Salem, DC; Pasadena, PA; Santa Barbara, WA; Cohoes, NE and more.
The e-mails contain links that, when accessed, redirect users to a malicious domain, or[removed]z.com, that infects people with BlackHole. The website was set up a few days back, on the 20th of May, and hosted on servers in Kenya, Germany, Brazil and the US.
Given that Amazon talks about a customer base of 137 million and that TV sets are among the top electronic choices of people all over the world, scammers have a pretty good shot at finding innocent victims to infect with malware.
In parallel, scammers also run a recycled old PayPal payment receipt scam, targeting the millions of PayPal account owners with their bogus e-mails.
This time, however, spammers were in a hurry and forgot to change the date in the template they used in February. They were perhaps more concerned with updating the links to redirect people to freshly set up malicious pages hosted on new active domains.
Bitdefender blocks the spam e-mails and the malicious website, so users who have the antivirus solution installed are protected. The company advises users to keep their software updated, including their antivirus.
This article is based on the spam samples provided courtesy of Adrian TOMA, Bitdefender Spam Researcher.