Thursday, 6 December 2012

Amazon spam / evokeunreasoning.pro

A few different variants of this today, all pretending to be from Amazon and leading to malware on evokeunreasoning.pro:

Date:      Thu, 6 Dec 2012 17:32:38 +0200
From:      "Amazon . com" [digital-notifier@amazon.com]
Subject:      Your Amazon.com order receipt.

    Click here if the e-mail below is not displayed correctly.
Follow us:                    
Your Amazon.com                         Today's Deals                 See All Departments    

Dear Amazon.com Member,    

Thanks for your order, [redacted]!

Did you know you can view and edit your orders online, 24 hours a day? Visit Your Account.

Order Overview:

E-mail Address: [redacted]
Billing Address:
1113 4th Street
Fort North NC 71557-2319,,FL 67151}
United States
Phone: 1-491-337-0438

Order Grand Total: $ 50.99
Earn 3% rewards on your Amazon.com orders with the Amazon Visa Card. Learn More

Order Summary:
Order #:     C47-8578330-3362713
Subtotal of items:     $ 50.99
Total before tax:     $ 50.99
Tax Collected:     $0.00
Grand Total:     $ 50.00
Gift Certificates:     $ 0.99
Total for this Order:     $ 50.99
Find Great Deals on Millions of Items Storewide
We hope you found this message to be useful. However, if you'd rather not receive future e-mails of this sort from Amazon.com, please opt-out here.

© 2012 Amazon.com, Inc. or its affiliates. All rights reserved. Amazon, Amazon.com, the Amazon.com logo and 1-Click are registered trademarks of Amazon.com, Inc. or its affiliates. Amazon.com, 475 Larry Ave. N., Seattle, MI 83304-6203. Reference: 61704824

Please note that this message was sent to the following e-mail address: [redacted]

The malicious payload is at [donotclick]evokeunreasoning.pro/detects/slowly_apply.php but at the time of writing the domain does not seem to be resolving.
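
A mail-filter check for this pattern, added here as an example and not part of the original post: it flags a message whose From header claims one domain while its links point somewhere else. The function names, the HTML body and the stand-in host `landing.example.net` (used in place of the defanged domain above) are assumptions made for the demonstration.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

class _Hrefs(HTMLParser):
    """Collect the href of every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def _host(url):
    try:
        return urlsplit(url).hostname   # None for relative or mailto: links
    except ValueError:                  # malformed authority part
        return None

def under(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def offbrand_links(raw_message):
    """Return link hosts that are not under the domain in the From header."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1]
    brand = sender.rpartition("@")[2].lower()
    body = msg.get_body(preferencelist=("html",))
    if not brand or body is None:
        return []
    parser = _Hrefs()
    parser.feed(body.get_content())
    hosts = {_host(h) for h in parser.hrefs}
    return sorted(h for h in hosts if h and not under(h, brand))

# Constructed sample: From/Subject as in the post, HTML body and link host invented.
SAMPLE = """\
From: "Amazon . com" <digital-notifier@amazon.com>
Subject: Your Amazon.com order receipt.
Content-Type: text/html; charset="utf-8"

<html><body><a href="http://www.amazon.com/">Your Account</a>
<a href="http://landing.example.net/detects/slowly_apply.php">Order details</a></body></html>
"""
```

Genuine mail can also link to third-party hosts, so a non-empty result is better used as one input to a spam score than as a verdict on its own.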


HoneyRyder007 said...

I've received these, but they were made to look like they came from PayPal... said I'd purchased 35 sets of golf clubs to the tune of 748.00. LOL

Elite Makelaars said...

Hi, I have been receiving exactly the same and some 9 other mails from 'amazon' and 'paypal'. Can you please tell me what are the risks and how to deal with this? It never happened to me before, but 3 days ago I ordered something from Amazon and now this started. The mails received look very original and the sender is digital-notifier@amazon.com that looks genuine....

Elite Makelaars said...

Just to complete the info; the mails for order confirmation and for paypal payments have arrived alternating between the two companies and just a few minutes apart one from the other.

Conrad Longmore said...

@Elite Makelaars - that's the same pattern I saw. The payload is probably the Blackhole exploit kit, although I haven't done any technical analysis on it. It's almost always Blackhole.

A good spam filter and good egress filtering on your network might help. Making sure all your PCs are fully patched (especially Flash and Java) will definitely help. And remember not to click those dodgy links..

Elite Makelaars said...

Thank you Conrad!