Counterfeit Amazon Order Confirmations Push Banking Trojans


There is a notable rise in the number of phishing and malspam campaigns with the winter breaks and Christmas on schedule. EdgeWave, an email security company, identified a new malspam campaign which pretends to be an Amazon order confirmation and is viewed as specifically harmful as customers go shopping gifts for the lined up occasions.

The execution strategy of this malspam campaign involves sending counterfeit Amazon order confirmations via emails which are formatted to be credible and persuasive, hence setting up a potentially unassailable trap for the exuberant shoppers. 

These foul order confirmations are accompanied by the following subject lines, “Your Amazon.com order”, “Amazon order details”, and “Your order 162-2672000-0034071 has shipped.” On opening the malicious email, the user will be shown an order confirmation which indicates that his item has shipped, but it won’t state any details regarding what item it is or the tracking information.
Moving ahead, the victim is then asked to click on the “order details” button to access more information. Following the aforementioned commands, the user is fooled into downloading a Word document titled “order_details.doc”. Now, when the user opens this word file, he is instructed to Enable Content so as to view it properly. In doing so, the user unintentionally triggers macros which execute a PowerShell command. The command further downloads and executes the Emotet banking Trojan on the recipient’s system.

The Trojan operates stealthily in the background and meanwhile logs keystrokes, illicitly obtains account information and performs various offensive tasks on the victim’s system.


“Interestingly, these other servers are in Houston and Lansing. Playing Dora the Explorer for a moment, we’ve encountered a compromised email server in Columbia sending phishing email with a link to a server in Indonesia that downloads malware which then contacts compromised servers in the United States. The holidays are truly global!” said EdgeWave, while telling BleepingComputer that the campaign utilizes compromised servers based in Indonesia, Columbia, and U.S.A.

Preventive Measures

Given the high convincing quotient of the scam, users are advised to pay extra heed to the source of emails before they promptly access it.

Before opening emails from online vendors, users should diligently examine where it came from and dismiss the same if appear mistrustful as we are living in a fast-paced world, where naturally, we are prompted to directly jump into the content and the urge to be informed is even more amplified when the mail associates itself with the holiday gifts. 

Leave a Reply