Sponsored by..

Thursday, 3 October 2013

Fake Amazon spam uses email address harvested from Comparethemarket.com

This fake Amazon spam was sent to an email address only used for the UK price comparison site Comparethemarket.com.

From:     Amazon.com [ship-confirm@amazon.com]
Reply-To:     "Amazon.com" [ship-confirm@amazon.com]
Date:     3 October 2013 15:43
Subject:     Your Amazon.com order of "Canon EOS 60D DSLR..." has shipped!

Kindle Store
     |  Your Account  |  Amazon.com
Order Confirmation
Order #159-2060285-0376154

Thank you for shopping with us. We’d like to let you know that Amazon has received your order, and is preparing it for shipment. Your estimated delivery date is below. If you would like to view the status of your order or make any changes to it, please visit Your Orders on Amazon.com.

Your estimated delivery date is:
Thursday, Oct 3, 2013 -
Friday, Oct 4, 2013

Your shipping speed:
Next Day Air
Your Orders    

Your order was sent to:
Evan Young
1235 Sunset Dr
San Paolo, NE 69700-0290
United States
Order Details
Order #159-2060285-0376154
Placed on Wensday, May 29, 2013
    Canon EOS 60D DSLR 22.3 MP Full Frame CMOS with 1080p Full-HD Video Mode Digital SLR Camera (Body)
In Stock
Sold by Electronic Express, Inc.
    Facebook     Twitter     Pinterest
Item Subtotal:     $1,397.99
Shipping & Handling:     $0.00

Total Before Tax:     $1,397.99
Estimated Tax:     $0.00

Order Total:     $1,397.99

To learn more about ordering, go to Ordering from Amazon.com.
If you want more information or need more assistance, go to Help.

Thank you for shopping with us.

Unless otherwise noted, items are sold by Amazon.com LLC and taxed if shipped to Kansas, North Dakota, New York, Kentucky or Washington. If your order contains one or more items from an Amazon.com partner it may be subject to state and local sales tax, depending on the state to which the item is being shipped. Learn more about tax and seller information.

This email was sent from a notification-only address that cannot accept incoming email. Please do not reply to this message. 

How the email address was extracted from Comparethemarket.com is not known.

The link in the email goes through a legitimate hacked site and then runs one of the following three scripts:


This redirects the victim to a malware page at [donotclick]globalrealty-nyc.info/topic/latest-blog-news.php which is a hijacked GoDaddy domain hosted on (Linode, US). THis is currently the only domain that I can detect on this computer, but the usual pattern is that there will be several others so blocking that IP address would be prudent.

Recommended blocklist:


snxperxero said...


so far today.

Robert Garofalo said...

It occurs to me that if the typical American (or other recipient of these phishing scams) made a greater effort to improve their spelling and general reading ability, they would almost never fall for these scams. That's because 99.99% of all the phony missives I've ever read contain at least one glaring spelling or grammatical error. If nothing else tips you off, the word "Wensday" raises an immediate red flag.

It's really amazing: over time the phony letters have gotten more and more ambitious and amazingly legit-looking, yet the spelling and grammatical errors persist. God forbid one day these scammers wise up and actually hire an English-speaking native to do their writing-- they'd be at a whole new level. But then again, who am I kidding? You ever read the reviews on Amazon.com? Considering that over half of them seem to be written by semi-literate individuals leads me to believe, sadly, that even poorly written SPAM is able to fool the average American.