Amazon Phish Malspam
Very recently, a phishing-style campaign claiming to come from “Amazon.co.uk” has been not only taking victims to a phishing page that asks for their Amazon username and password, but also downloading a malware payload onto their systems.
Gone are the days when malware authors kept a line between phishing and malware spam. Mixing both in a single campaign was never considered a great idea. Now it looks like the new generation of malware authors is not following the old thinking and is trying to cause destruction by all possible means.
The Email Body
The campaign has been seen with the following attributes:
From: Amazon.co.uk <[email protected]>
Subject: Your Amazon.co.uk order [:digits:]-[:digits:]-[:digits:] has been dispatched
Body:
Hello,
We thought you'd like to know that we've dispatched your item(s). Your order is on the way, and can no longer be changed. If you need to return an item or manage other orders, please visit Your Orders on Amazon.co.uk.
Arriving: [:Day:], [:Month:] [:Year:]
<Phish link embedded on "Track Your Package" button>
<Legit Amazon Footer>
I have made a list of URIs seen in this campaign redirecting to the phishing page. Most of them are still alive, so be careful.
The Phishing Page
The phish link embedded in the “Track Your Package” button takes the victim to an amazon.co.uk phish page that demands sign-in credentials. While the page loads, a JS file with a name like “ORDER-[:digits:]-[:digits:]-[:digits:].js” is downloaded by the embedded script. The following image gives a clear glimpse of it.
The Page Source
Digging further into the page source, I found two interesting things:
First, the user credentials are never posted anywhere. This means the motive of the campaign is not to get passwords. It can be said that the campaign is not even a “phish”: by definition, a phishing attack is never complete without the victim’s credentials being shared with the attacker. The image below shows the part of the page source that would usually “post” the credentials to the server; in this case it does nothing.
Second, in the last few lines of the page source, there is a suspicious iframe just above the closing body tag. The following image shows the frame header, which downloads the malicious JS file from the URI “wittinhohemmo[.]net/order.php”.
Once executed, the JS file shows the behaviour of a well-known banking trojan, “Trickbot”.
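The two page-source observations above can be turned into a static triage check for saved HTML. This is an added example, not code from the original post: it flags password forms whose action names no collection endpoint and iframes that load from a host other than the page's own. The class and function names, the sample markup and the example.org/example.net hostnames are constructed, and treating a missing, "#" or javascript: action as "does nothing" is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class PageTriage(HTMLParser):
    """Flag password forms with no collection endpoint and off-site iframes."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.form = None  # state of the <form> currently open, if any
        self.dead_login_forms, self.offsite_iframes = [], []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.form = {"action": a.get("action", "").strip(), "pw": False}
        elif tag == "input" and self.form and a.get("type", "").lower() == "password":
            self.form["pw"] = True
        elif tag == "iframe":
            host = (urlparse(a.get("src", "")).hostname or "").lower()
            if host and host != self.page_host:
                self.offsite_iframes.append(a["src"])

    def handle_endtag(self, tag):
        if tag != "form" or self.form is None:
            return
        action = self.form["action"].lower()
        # Assumption: "does nothing" appears as a missing, "#" or javascript: action.
        if self.form["pw"] and (action in ("", "#") or action.startswith("javascript:")):
            self.dead_login_forms.append(self.form["action"])
        self.form = None

def triage(html, page_host):
    parser = PageTriage(page_host)
    parser.feed(html)
    parser.close()
    return {"dead_login_forms": parser.dead_login_forms,
            "offsite_iframes": parser.offsite_iframes}

# Constructed sample markup and hostnames, not the campaign's actual page.
SAMPLE = """<html><body>
<form action="#" method="post">
<input type="email" name="email"><input type="password" name="password">
<input type="submit" value="Sign in"></form>
<iframe src="http://downloads.example.net/order.php" width="0" height="0"></iframe>
</body></html>"""

if __name__ == "__main__":
    print(triage(SAMPLE, "signin.example.org"))
```

A page that trips both checks at once matches the pattern described here: a login form used only as a lure while the iframe delivers the script.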