Wednesday, November 12, 2014

Amazon Order Confirmation Phishing Campaign

Recently a new phishing campaign has been brought to my attention. I have been noticing a high number of executable downloads by hosts, and this activity is causing Snort-based signatures to fire when the downloads are attempted. After a little investigation, I found that a good number of people are receiving phishing emails which contain an attachment. This attachment appears to be the stimulus for the downloads we are observing.

Some Google searching returns a number of articles about this ongoing campaign. My Online Security provides a copy of the actual email that is being distributed to potential victims.

Examining the email, it appears to be legitimate, but there are a few key indications that something is wrong. The most noticeable indication is the broken English in the email.
Dear Customer,
Greetings from Amazon.co.uk,
We are writing to let you know that the following item has been sent using  Royal Mail.
For more information about delivery estimates and any open orders, please visit: http://www.amazon.co.uk/your-account
Your order #203-2083868-0173124 (received October 30, 2014)

Your right to cancel:At Amazon.co.uk we want you to be delighted every time you shop with us.  O=ccasionally though, we know you may want to return items. Read more about o=ur Returns Policy at:  http://www.amazon.co.uk/returns-policy/
Further, under the United Kingdom's Distance Selling Regulations, you have =the right to cancel the contract for the purchase of any of these items wit=hin a period of 7 working days, beginning with the day after the day on whi=ch the item is delivered. This applies to all of our products. However, we =regret that we cannot accept cancellations of contracts for the purchase of= video, DVD, audio, video games and software products where the item has be=en unsealed. Please note that we are unable to accept cancellation of, or r=eturns for, digital items once downloading has commenced. Otherwise, we can= accept returns of complete product, which is unused and in an "as new" con=dition.
Our Returns Support Centre will guide you through our Returns Policy and, w=here relevant, provide you with a printable personalised return label.  Ple=ase go to http://www.amazon.co.uk/returns-support to use our Returns Suppor=t Centre.
To cancel this contract, please pack the relevant item securely, attach you=r personalised return label and send it to us with the delivery slip so tha=t we receive it within 7 working days after the day of the date that the it=em was delivered to you or, in the case of large items delivered by our spe=cialist couriers, contact Amazon.co.uk customer services using the link bel=ow within 7 working days after the date that the item was delivered to you =to discuss the return.
https://www.amazon.co.uk/gp/css/returns/homepage.html
For your protection, where you are returning an item to us, we recommend th=at you use a recorded-delivery service. Please note that you will be respon=sible for the costs of returning the goods to us unless we delivered the it=em to you in error or the item is faulty. If we do not receive the item bac=k from you, we may arrange for collection of the item from your residence a=t your cost. You should be aware that, once we begin the delivery process, =you will not be able to cancel any contract you have with us for services c=arried out by us (e.g. gift wrapping).
Please also note that you will be responsible for the costs of collection i=n the event that our specialist courier service collect a large item from y=ou to return to us.
As soon as we receive notice of your cancellation of this order, we will re=fund the relevant part of the purchase price for that item.=20
Should you have any questions, feel free to visit our online Help Desk at:==20http://www.amazon.co.uk/help
If you've explored the above links but still need to get in touch with us, =you will find more contact details at the online Help Desk.=20
Note: this e-mail was sent from a notification-only e-mail address that can=not accept incoming e-mail. Please do not reply to this message.=20
Thank you for shopping at Amazon.co.uk
-------------------------------------------------Amazon EU S.=C3=A0.r.L.c/o Marston GateRidgmont, BEDFORD MK43 0XPUnited Kingdom-------------------------------------------------
I will admit that I can't honestly remember the last time I actually read a confirmation email after making a purchase on Amazon. To me, this suggests it is conceivable that an unsuspecting recipient would not recognize this as a phishing attempt. I can also say that I have never received a confirmation email with an attachment. This email, however, has an attached Microsoft Word document.

This .doc file (md5: a75e196e6c0cabc145f4cdc3177e66ec) appears to contain a macro that causes the system on which it is executed to make download requests. The intent is that an individual will open the document, disable the macro security features presented when the file is opened, and execute the VB script. It is common for an unsuspecting user to click past any warnings in documents such as these, and the perpetrators are very aware of this.
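As an added example (this is not code from the original post), here is a small Python triage routine for an attachment like this one. It checks the OLE2 magic bytes that every legacy .doc begins with, scans for the UTF-16LE storage names that only appear when a VBA project is embedded, and compares the file's MD5 with the two hashes quoted in this post. The sample byte strings are constructed stand-ins, not the real attachment, and the string scan is a heuristic rather than a full parse of the compound file.

```python
"""Quick triage of a suspected macro-carrying .doc attachment.
Added example, not code from the original post; the samples are constructed."""
import hashlib

# Every legacy Word (.doc) file is an OLE2 compound file and starts with this magic.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"

# Storage/stream names that exist only when a VBA project is embedded in a .doc.
# OLE directory entries hold names as null-terminated UTF-16LE, so we search for
# the encoded name plus its terminator to avoid matching substrings of other names.
MACRO_MARKERS = ["Macros", "_VBA_PROJECT", "VBA", "ThisDocument"]

# Hashes quoted in the post: the attachment and the executable it fetches.
KNOWN_BAD_MD5 = {
    "a75e196e6c0cabc145f4cdc3177e66ec": "phishing .doc attachment",
    "954858bc0f115a4d6442afb333ec44c2": "downloaded 1.exe",
}


def triage_attachment(data: bytes) -> dict:
    """Return hash, file-type and macro-marker findings plus a verdict string."""
    md5 = hashlib.md5(data).hexdigest()
    is_ole = data.startswith(OLE_MAGIC)
    markers = [m for m in MACRO_MARKERS if (m + "\x00").encode("utf-16-le") in data]
    known_bad = KNOWN_BAD_MD5.get(md5)

    if known_bad:
        verdict = "known-bad: " + known_bad
    elif is_ole and markers:
        verdict = "suspicious: OLE document carrying VBA project markers"
    elif is_ole:
        verdict = "OLE document without macro markers (string heuristic only)"
    elif data.startswith(b"PK\x03\x04"):
        verdict = "ZIP-based Office file; inspect vbaProject.bin inside the archive instead"
    else:
        verdict = "not an OLE document"

    return {"md5": md5, "ole": is_ole, "macro_markers": markers,
            "known_bad": known_bad, "verdict": verdict}


def _ole_name(name: str) -> bytes:
    """Encode a directory-entry name the way OLE stores it (64-byte UTF-16LE field)."""
    return (name + "\x00").encode("utf-16-le").ljust(64, b"\x00")


# Constructed stand-ins for real files: a 512-byte header followed by fake directory
# entries. They are not valid documents, only enough to exercise the checks above.
SAMPLE_MACRO_DOC = OLE_MAGIC + b"\x00" * 504 + _ole_name("Macros") + _ole_name("_VBA_PROJECT")
SAMPLE_PLAIN_DOC = OLE_MAGIC + b"\x00" * 504 + _ole_name("WordDocument")
SAMPLE_DOCX = b"PK\x03\x04" + b"\x00" * 60

if __name__ == "__main__":
    for label, blob in [("macro doc", SAMPLE_MACRO_DOC),
                        ("plain doc", SAMPLE_PLAIN_DOC),
                        ("docx", SAMPLE_DOCX)]:
        print(label, triage_attachment(blob))
```

On a real sample, the marker scan tells you only that a VBA project is present; pulling out the macro source to see what it downloads needs a proper OLE parser, which is what the next posts will look at.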

This macro appears to lead to the download of the file "1.exe" (md5: 954858bc0f115a4d6442afb333ec44c2) onto the host system. Once this file is executed...well, let's just say all sorts of fun things begin to happen, which we will explore further in the following posts. Running this executable through VirusTotal produces a detection rate of 35/54. The name classifications repeatedly mention "Yakes" as the type of malware.
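The post opened with executable downloads tripping Snort signatures and ends here with 1.exe being fetched. As an added example (not code from the original post), the following Python script applies the same idea to web-proxy logs: it flags successful responses whose path has an executable extension or whose body starts with the "MZ" header, then counts hits per client so a cluster of hosts all pulling the same file stands out. The log format, the hostname and the IP addresses are constructed for the example; in particular the last log field, the first two bytes of the response body, assumes a proxy that records them.

```python
"""Flag executable downloads in web-proxy logs and count them per client.
Added example, not code from the original post; the log format and entries are constructed."""
from collections import Counter
from urllib.parse import urlparse

# Constructed log lines, one request per line:
#   <timestamp> <client_ip> <method> <url> <status> <content-type> <bytes> <first-2-body-bytes-hex>
# The last field assumes a proxy that records the leading bytes of each response body.
SAMPLE_LOG = """\
2014-11-12T09:01:03 10.0.0.21 GET http://example.invalid/img/logo.png 200 image/png 4821 8950
2014-11-12T09:01:09 10.0.0.21 GET http://example.invalid/files/1.exe 200 application/octet-stream 212992 4d5a
2014-11-12T09:02:11 10.0.0.35 GET http://example.invalid/files/1.exe 200 application/octet-stream 212992 4d5a
2014-11-12T09:02:40 10.0.0.35 GET http://example.invalid/update.bin 200 application/octet-stream 90112 4d5a
2014-11-12T09:03:02 10.0.0.48 GET http://example.invalid/report.doc 200 application/msword 53248 d0cf
2014-11-12T09:03:30 10.0.0.48 GET http://example.invalid/files/1.exe 404 text/html 512 3c68
"""

EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".dll")
MZ_MAGIC_HEX = "4d5a"   # "MZ", the DOS header every Windows PE file starts with


def parse_line(line: str):
    """Split one log line into a record; returns None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) != 8:
        return None
    ts, client, method, url, status, ctype, size, magic = parts
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": int(status), "content_type": ctype, "bytes": int(size),
            "magic": magic.lower()}


def is_executable_download(rec: dict) -> bool:
    """True for a successful response whose path has an executable extension
    or whose body starts with MZ; the magic check catches renamed binaries."""
    if rec["status"] != 200:
        return False
    path = urlparse(rec["url"]).path.lower()
    return path.endswith(EXECUTABLE_EXTENSIONS) or rec["magic"] == MZ_MAGIC_HEX


def find_executable_downloads(log_text: str) -> list:
    """All records in the log that look like executable downloads, in log order."""
    records = (parse_line(line) for line in log_text.splitlines())
    return [r for r in records if r is not None and is_executable_download(r)]


def downloads_per_client(hits: list) -> Counter:
    """How many executable downloads each client made; a spike here is the
    kind of pattern that made this campaign noticeable in the first place."""
    return Counter(r["client"] for r in hits)


if __name__ == "__main__":
    hits = find_executable_downloads(SAMPLE_LOG)
    for r in hits:
        print(r["ts"], r["client"], r["url"], "magic=" + r["magic"])
    print(downloads_per_client(hits))
```

The magic-byte test is the log-side equivalent of a network signature that matches "MZ" at the start of an HTTP response body: it fires on update.bin in the sample even though nothing in the name says executable, while the failed 404 fetch of 1.exe is not counted because nothing was delivered.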

In the following posts I will analyze the downloaded malware, the Word document and any additional files that may be dropped onto the host system. Performing these steps will hopefully lead to additional information, such as the origin of the campaign and the purpose of the malware.

Part Two
Part Three
