All messages were sent from various .com domains and have the following subject line: ”Your Amazon.com Order (DXX-XXXXXXX-XXXXXXX)” in which every X stands for a random digit.
The provided links all lead to a single website (see fake mail graphic below). The fake Buy.com e-mails also come with an ID number, but only within the mail, not in the subject line.
An abstract of discovered dangers: exploits for PDF, Java and a current flaw in Microsoft Windows Help and Support Center (CVE-2010-1885), invisible iFrames. Until now, we discovered 7 different destination websites:
- bo[removed]on.kr/index2.html
- so[removed]a.co.kr/index2.html
- www.f[removed]ly.org/index8.html
- to[removed]ow.com
- ho[removed]ng.com/xxx.html
- ch[removed]ta.ru/doc.html
- ho[removed]er.com/xxx.html
It is also notable that the numbers in the subject line are randomly distributed and do not even match the order number within the mail. In the example below it is D32-0540666-5522007 vs. D79-7744461-7365324. Scamsters try to implement the various order numbers into the subject line to avoid filtering by spam filters and to dupe users. The numbers can also be used to identify recipients as the numbers might serve as an ID.
In comparison to an original Amazon order confirmation, all prices, discounts and taxes in the fake mail are put into place at random. None of the values mentioned above relates to another.
It is highly recommended to delete such fake messages from your system. If one did not order anything from Amazon etc. recently, there is no need to open such messages at all. And if one opened a mail like this, stay alert and check the mail for consistency - check the sender's address, order number, prices and especially the link destinations (with the mouseover function).