Amazon.co.uk Dispatch Confirmation – Phish or Malware?

Amazon Phish Malspam

Very recently, a phishing-looking campaign claiming to be from "Amazon.co.uk" has been seen that not only takes its victims to a phishing page asking for their Amazon username and password, but also downloads a malware payload onto their system.

Gone are the days when malware authors kept a line between phishing and malware spam. Mixing both in a single campaign was never considered a great idea. Now it looks like the new generation of malware authors are not following the old thinking and are trying to cause destruction by all possible means.

The Email Body

The campaign is seen with the following attributes:

From: Amazon.co.uk <[email protected]>
Subject: Your Amazon.co.uk order [:digits:]-[:digits:]-[:digits:] has been dispatched
Body:
Hello,
We thought you'd like to know that we've dispatched your item(s). Your order is on the way, and can no longer be changed. If you need to return an item or manage other orders, please visit Your Orders on Amazon.co.uk.

Arriving:
[:Day:], [:Month:] [:Year:]
<Phish link embedded on "Track Your Package" button>

<Legit Amazon Footer>

I have made a list of URIs seen in this campaign redirecting to the phishing page. Most of them are still alive, so be careful.

Amazon.co.uk Dispatch Confirmation Phish URLs

The Phishing Page

The phish link embedded in the "Track Your Package" button takes the victim to an amazon.co.uk phishing page that demands sign-in credentials. While the page is loading, a JS file named like "ORDER-[:digits:]-[:digits:]-[:digits:].js" is downloaded by an embedded script. The following image gives a clear glimpse of it.

The Page Source

Digging further into the page source, I found two interesting things:

First, the user credentials are never posted anywhere. This means the motive of the campaign is not to harvest passwords; it can be said the campaign is not even a "phish". By definition, a phishing attack is not complete until the victim's credentials are shared with the attacker. The image below shows the part of the page source that would usually "post" the credentials to the server; in this case it does nothing.

Second, looking at the last few lines of the page source, a suspicious iframe just above the closing body tag was found. The following image shows the frame header, which downloads the malicious JS file from the URI "wittinhohemmo[.]net/order.php".

Once executed, the JS file shows the behaviour of the well-known banking trojan "Trickbot".
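The two tells found in the page source above (a sign-in form that never posts anywhere, and a third-party iframe tucked in just before the closing body tag) are easy to triage automatically. The following is an added example, not code from the original post: it runs Python's stdlib HTML parser over a constructed stand-in for the captured page, with a placeholder host instead of the campaign's real domain.

```python
"""Triage a captured phishing page for two indicators: a credential form
with no server-side action target, and an iframe loading a third-party host."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed stand-in for the captured page source (not the real sample).
# The iframe host is a placeholder, not the campaign's actual domain.
SAMPLE_HTML = """<html><body>
<form id="signIn" method="post" action="">
  <input name="email"><input name="password" type="password">
  <input type="submit" value="Sign in">
</form>
<iframe src="http://malicious-host.invalid/order.php"
        width="0" height="0" style="display:none"></iframe>
</body></html>"""


class PhishPageTriage(HTMLParser):
    def __init__(self, expected_host):
        super().__init__()
        self.expected_host = expected_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A login form with no real action target cannot hand credentials
            # to a server: the sign-in box is a decoy for something else.
            action = (a.get("action") or "").strip().lower()
            if action in ("", "#", "javascript:void(0)"):
                self.findings.append("form posts nowhere (decoy login)")
        elif tag == "iframe":
            host = urlparse(a.get("src") or "").hostname or ""
            style = a.get("style") or ""
            hidden = a.get("width") == "0" or "display:none" in style
            same_site = host == self.expected_host or host.endswith("." + self.expected_host)
            if host and not same_site:
                prefix = "hidden " if hidden else ""
                self.findings.append(f"{prefix}iframe loads third-party host {host}")


def triage(html, expected_host="amazon.co.uk"):
    """Return the list of suspicious indicators found in the page source."""
    parser = PhishPageTriage(expected_host)
    parser.feed(html)
    return parser.findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_HTML):
        print("SUSPICIOUS:", finding)
```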

References

https://www.virustotal.com/#/file/cf1b1273a043ea0b1376652b5c9201b9cfc1c12de1a1ac1f39f6a323b191811b/detection
https://myonlinesecurity.co.uk/fake-your-amazon-co-uk-order-has-been-dispatched-tries-to-deliver-malware/
https://www.virustotal.com/#/url/6a1bb2d54a7d4988184eda46db2addc97645860231ea79c64f916f2d9ea98bf6/community
