Armor Detects Amazon Spoofed “Cyber Week” Phishing Emails and Warns Computer Users and E-Commerce Retailers of Phishing Campaigns and Magecart Attacks to Hit During Holidays

Armor, a leading cloud security solutions provider and publisher of the annual Black Market Report, is warning computer users and e-commerce retailers to be on the lookout for malicious phishing campaigns and Magecart attacks this holiday season.

According to Armor’s intelligence sources, one or more malicious phishing campaigns are expected to launch on or around December 1 and run through December 25, 2018. The subject of the phishing emails is expected to be about an online order or shipping notification, and the “Sent From” address will appear as if the emails are coming from a popular e-commerce retailer or a package delivery organization, e.g. Amazon, UPS, FedEx, USPS, etc.

The fake emails are expected to look very authentic and to be crafted so as to elicit an immediate response from the recipient, most likely enticing them to click on a malicious link or attachment which potentially leads to a banking trojan, ransomware or keylogger.

On November 26, Armor’s security team, the Threat Resistance Unit (TRU), detected and analyzed a well-crafted phishing email purporting to be from Amazon and said to contain a $500 credit for Cyber Monday. See Image 1. Upon analysis, Armor found that the email was not sent from Amazon but rather originated in Chile from an open-source email service, and that the enclosed $500 credit coupon links to a separate non-Amazon domain which has been reported to be malicious, according to Trend AV and other AV vendors, and is reported to be a part of an Emotet banking trojan distribution campaign.

Image 1—a November 26, 2018 phishing email purporting to be from Amazon, which in actuality is reported to be a part of the Emotet banking trojan distribution campaign.

On November 30, the TRU team saw reports of an almost identical phishing email being sent to online shoppers in the U.K. These phishing emails included an enticing £500 Amazon credit, with the offer valid from November 26 through November 30, and the threat actors updated the “From” address to make it appear as if it was coming from cybermonday@amazon.com.uk. See Image 2. These emails also appear to be part of the Emotet banking trojan malware distribution campaign.

Image 2—a phishing email, almost identical to the phishing email in Image 1, distributed the week of November 26 and customized for UK online shoppers. This email is also reported to be a part of the Emotet banking trojan distribution campaign.

Although the U.S. and U.K. phishing emails had end dates the week of November 30, the TRU Team is confident that the threat group behind this Emotet distribution scheme will extend the credit expiration dates in the lure so as to take advantage of the entire holiday shopping season.

Read Armor’s Threat Alert and see how e-commerce retailers and shoppers can protect themselves from online holiday scams and Magecart attacks by completing the form below.