Amazon Email Virus

What is "Amazon Email Virus"?

"Amazon Email Virus" is a spam email campaign (very similar to Standard Chartered bank Email Virus, TNT Email Virus, Thanksgiving Email Virus, and many more) that is used by cyber criminals (scammers) to trick people into opening malicious attachments through a presented link.

This attachment infects computers with the Emotet virus, which is designed to steal personal data and proliferate other computer infections.

Scammers behind the "Amazon Email Virus" claim to be representatives from Amazon. They send this spam email to many users and present it as a Black Friday coupon worth $500. They offer $500 to be transferred directly to recipients' Amazon accounts.

To take advantage of this deal, people are encouraged to click the "Get Your BLACK FRIDAY coupon." link. This results in download of a malicious Microsoft Office Word document. Once downloaded and opened, it asks for permission to enable macros commands. If enabled, these commands allow the Emotet computer infection to be downloaded.

Emotet is high-risk virus designed to collect sensitive information including, for example, logins/passwords, browsing activity, and so on. Furthermore, the collected data might include banking information. Thus, having a virus such as Emotet installed might lead to serious privacy issues or even significant financial loss.

Furthermore, this virus proliferates other infections, since it opens "backdoors" for other high-risk viruses that infiltrate and infect the operating system. We recommend that you ignore the "Amazon Email Virus" spam campaign and simply delete the received email.

Threat Summary:

Name	Amazon spam
Threat Type	Trojan, Password stealing virus, Banking malware, Spyware
Symptoms	Trojans are designed to stealthily infiltrate victim's computer and remain silent thus no particular symptoms are clearly visible on an infected machine.
Distribution methods	Infected email attachments, malicious online advertisements, social engineering, software cracks.
Damage	Stolen banking information, passwords, identity theft, victim's computer added to a botnet.
Malware Removal (Windows)	To eliminate possible malware infections, scan your computer with legitimate antivirus software. Our security researchers recommend using Combo Cleaner. ▼ Download Combo Cleaner To use full-featured product, you have to purchase a license for Combo Cleaner. 7 days free trial available. Combo Cleaner is owned and operated by Rcs Lt, the parent company of PCRisk.com read more.

Spam email campaigns are used to proliferate various different viruses. Other examples of possible infections are FormBook, Adwind, TrickBot, and AZORult. Most of these viruses are designed to gather personal/sensitive data and use it to generate revenue. Some proliferate other infections (cause chain infections) including, for example, ransomware.

How did "Amazon Email Virus" infect my computer?

Spam campaigns such as "Amazon Email Virus" are used to infect systems via attachments. In this case, a website link is presented that leads to download of a malicious Microsoft Office Word attachment. Once downloaded and opened, this document will first demand permission to enable macros commands.

Enabling macro commands results in download and installation of the aforementioned Emotet virus. In other cases, the malicious attachment is an archive file that must be extracted, or an executable file that must be executed, and so on.

How to avoid installation of malware?

To avoid infections proliferated through spam campaigns, handle emails that contain web links or attachments with care. If the email was sent from a suspicious or unknown address, or the email seem irrelevant, do not open the presented link or attachment.

To avoid computer infection by viruses, have a reputable anti-spyware/anti-virus suite installed. These tools can prevent viruses from doing any damage. If you have already opened an "Amazon Email Virus" attachment, we recommend running a scan with Combo Cleaner Antivirus for Windows to automatically eliminate infiltrated malware.

Text presented in the "Amazon Email Virus" email message:

amazon

Your Amazon Today's Deals All Departments
Black Friday deals
Shop deals in every department

Dear client,

As a thank you for being an Amazon customer, we have placed a $500 Amazon credit for you. We will automatically apply the balance of your credit to any purchase in the Amazon only on BLACK FRIDAY 2018!

Save up to 50%
Promotional credit expires on November 23, 2018.
Get your BLACK FRIDAY coupon.

amazon.com

© 2018 Amazon.com, Inc. or its affiliates. All rights reserved. Amazon Amazon.com the Amazon.com logo and 1-Click are registered trademarks of Amazon.com, Inc. or its affiliates. Amazon.com 410 Terry Avenue M., Seattle, WA 98109-5210

Malicious attachment distributed via "Amazon Email Virus" spam campaign:

Another variant of "Amazon Email Virus" spam campaign (also distributes Emotet):

Text presented within this email:

Subject: Your Amazon Cyber Monday coupon
Dear client,
As a thank you for being an Amazon customer, we have placed a £500 Amazon credit for you. We will automatically apply the balance of your credit to any purchase in the Amazon only on CYBER MONDAY SALE

Malicious document attached to this email:

Another variant of "Amazon Email Virus" campaign's email (also distributes Emotet):

Text presented within this email:

Order Confirmation
Order #107-7532469-0651887

Hello -
Thank you for shopping with us. We confirmation that your item has shipped. Your order details are available on link below. The payment details of your transaction can be found on the order invoice.
Your estimated delivery date is:
Tuesday, December 18, 2018 - Thursday, December 20, 2018
Your shipping speed:
Standard

Payment Summary
Order #107-7532469-0651887
Item Subtotal: $11.13
Shipping & Handling: $2.87
Total Before Tax: $14:00
Estimated Tax: $1.26
Order Total: $15.26

To learn more about ordering, go to Ordering from Amazon.com.
If you want more information or need more assistance, go to Help

Thank you for shopping with us.
Amazon

The payment for your invoice is processed by Amazon Payments, Inc. P.O. Box 81226 Seattle, Washington 98108-1226. If you need more information, please contact (866) 210-9082

Screenshot of Emotet's process ("sedlauncher") in Windows Task Manager:

Another variant of Amazon email spam campaign which is now used for phishing purposes (the "Verify Now" link leads to a fake Amazon website which collects various credentials):

Text presented within this email:

Amazon

Your Amazon account has been locked

We detected that your account has tried to login another location. An unauthorized person may have accessed your account.

Date and Time: 16/01/2020 21:33:12 (GMT)
Browser: Google Chrome
Location: Germany:
IP : -

Therefore, security and integrity issues in Amazon's protection will cause your account to be automatically temporarily locked for security purposes. To protect your data, we have:

- The password of your account is deactivated.
- Undone changes made by this person.
- All open orders canceled. You can ignore any confirmation emails received for these orders.
- If purchases have been made, they will be refunded for your payment method.

To unlock it and continue using your Amazon account, we need you to verify your identity.

Click the button link below "Verify Now" and continue with the verification steps that will be followed by the terms and conditions.

Verify Now

Why you received this email
Amazon requires verification whenever an email address is selected as an Amazon account. Your Amazon account cannot be used until you verify it.

If you did not verify your identity within 24 hours to provide evidence on our services that it is your account. Otherwise, your Amazon account will be permanently locked.

Thanks again for your visit Amazon

This email was sent from a notification-only address that cannot accept incoming email. Please do not reply to this message.

Screenshot of yet another Amazon-themed scam email promoting a fake Amazon website (covenantactivations.co[.]za):

Text presented within:

Subject: [Amazon Security] We need to verify your identity.

Reset your information
Dear Customer,
Some information on your account appears to be missing or incorrect, please update your account information promptly so that you can continue to enjoy all the benefits of your account.
VERIFY NOW

If you don't update your information within 72 hours we'll limit what you can do with your account.
Your friends at Amazon Support.

Screenshot of the promoted website (covenantactivations.co[.]za):

Appearance of another Amazon-themed phishing email:

Text presented within:

Subject: [Amazon Verification] We need to verify your identity

amazon

We need to verify your identity.
Dear customer,
We've noticed that your account is out of compliance with our regulatory requirements. You might be facing account limitation and losing its important services such as buying, selling.
To resolve this, please take a moment to review your account's informations and confirm your identity.
Your Account
This request will be available for 48 hours.
© 1996-2020, Amazon.com, Inc. or its affiliates

Screenshot of yet another Amazon-themed spam email which is promoting a phishing website (fake Amazon login site - arnazone[.]com):

Text presented within:

Subject: Account verification

Account Verification
#3902-3035-309511
Dear Amazon user,
We've noticed multiple failed login attempts to your Amazon account and intrusion system has automatically limited access to your account to prevent possible unauthorized access. Please note that no unauthorized orders have been made on your account and no information has been changed.

VVe need you to take immediate steps by providing an extra layer of security to protect your Amazon account. Until then your account will remain limited to prevent any unauthorized actions. After confirmation. your account access will be fully restored and will be available to use at your convenience.
Verify Account
Sorry for any inconvenience caused.
Amazon.com
By placing your order, you agree to Amazon.com's Privacy Notice and Conditions of Use. Unless otherwise noted, items sold by Amazon.com LLC are subject to sales tax in select states in accordance with the applicable laws of that state. If your order contains one or more items from a seller other than Amazon.com LLC , it may be subject to state and local sales tax, depending upon the seller's business policies and the location of their operations. Learn more about tax and seller information.
This email was sent from a notification-only address that cannot accept incoming email. Please do not reply to this message.

Screenshot of a fake Amazon login site (arnazone[.]com):

Another example of a Amazon-themed spam email used for phishing purposes:

Text presented within:

Subject:【Amazon】 Refund Application
    
Amazon                                    Refund  Notification

Due to a sytem error you were double charged for your last order, A refund process was initiated but could not be completed due to errors in your billing information.

REF CODE:2550CGE

You are required to provide us a valid billing address

Click Here to Update Your Address

After your information has been validated you should get your refund within 3 business days

 
We hope to see you again soon

Amazon.com

Email ID: accout-update@amazon.com

Conditions of Use
Privacy Notice
Interest-Based Ads
© 1996-2020, Amazon.com, Inc. or its affiliates

Example of yet another Amazon-themed spam email used to spread a malicious MS Excel document:

Text presented within:

Subject: FBA Inbound Shipment Bill of Lading Ready (FBAD1PE9GN04)

 

Greetings from Amazon.com

The Bill of Lading document on your inbound shipment (FBAD1PE9GN04)

For your convenience, we have also attached a copy of the initial Bill of Lading to this email.

Your carrier contact information:
CENTRAL TRANSPORT INTERNATIONAL INC

You can track the status of all inbound shipments, online by visiting Seller Central at:
hxxps://sellercentral.amazon.com/gp/ssof/shipping-queue.html

If you've examined your shipment, but still need assistance,
please contact Seller Support.

Thank you for using Fulfillment by Amazon.

Sincerely,
Amazon Services

----------------------------------
This email was sent from a notification-only address that
cannot accept incoming email. Please do not reply to this message.
----------------------------------

Screenshot of the attached MS Excel document:

Another example of Amazon-themed spam email used to promote a phishing website:

Text presented within:

Subject: Some information on your account associated with this email seems to be missing or incorrect.

Customer Support
Dear Customer,

Some information on your account associated with this email seems to be missing or incorrect.

we need you to follow some steps to help us understand your case. Your account is on hold until we hear from you.

Check this now

We hope to see you again soon.
Amazon Team .

Instant automatic malware removal: Manual threat removal might be a lengthy and complicated process that requires advanced IT skills. Combo Cleaner is a professional automatic malware removal tool that is recommended to get rid of malware. Download it by clicking the button below:
▼ DOWNLOAD Combo Cleaner By downloading any software listed on this website you agree to our Privacy Policy and Terms of Use. To use full-featured product, you have to purchase a license for Combo Cleaner. 7 days free trial available. Combo Cleaner is owned and operated by Rcs Lt, the parent company of PCRisk.com read more.

Quick menu:

• What is Amazon spam?
• Types of malicious emails.
• How to spot a malicious email?
• What to do if you fell for an email scam?

Types of malicious emails:

Phishing Emails

Most commonly, cybercriminals use deceptive emails to trick Internet users into giving away their sensitive private information, for example, login information for various online services, email accounts, or online banking information.

Such attacks are called phishing. In a phishing attack, cybercriminals usually send an email message with some popular service logo (for example, Microsoft, DHL, Amazon, Netflix), create urgency (wrong shipping address, expired password, etc.), and place a link which they hope their potential victims will click on.

After clicking the link presented in such email message, victims are redirected to a fake website that looks identical or extremely similar to the original one. Victims are then asked to enter their password, credit card details, or some other information that gets stolen by cybercriminals.

Emails with Malicious Attachments

Another popular attack vector is email spam with malicious attachments that infect users' computers with malware. Malicious attachments usually carry trojans that are capable of stealing passwords, banking information, and other sensitive information.

In such attacks, cybercriminals' main goal is to trick their potential victims into opening an infected email attachment. To achieve this goal, email messages usually talk about recently received invoices, faxes, or voice messages.

If a potential victim falls for the lure and opens the attachment, their computers get infected, and cybercriminals can collect a lot of sensitive information.

While it's a more complicated method to steal personal information (spam filters and antivirus programs usually detect such attempts), if successful, cybercriminals can get a much wider array of data and can collect information for a long period of time.

Sextortion Emails

This is a type of phishing. In this case, users receive an email claiming that a cybercriminal could access the webcam of the potential victim and has a video recording of one's masturbation.

To get rid of the video, victims are asked to pay a ransom (usually using Bitcoin or another cryptocurrency). Nevertheless, all of these claims are false - users who receive such emails should ignore and delete them.

How to spot a malicious email?

While cyber criminals try to make their lure emails look trustworthy, here are some things that you should look for when trying to spot a phishing email:

• Check the sender's ("from") email address: Hover your mouse over the "from" address and check if it's legitimate. For example, if you received an email from Microsoft, be sure to check if the email address is @microsoft.com and not something suspicious like @m1crosoft.com, @microsfot.com, @account-security-noreply.com, etc.
• Check for generic greetings: If the greeting in the email is "Dear user", "Dear @youremail.com", "Dear valued customer", this should raise suspiciousness. Most commonly, companies call you by your name. Lack of this information could signal a phishing attempt.
• Check the links in the email: Hover your mouse over the link presented in the email, if the link that appears seems suspicious, don't click it. For example, if you received an email from Microsoft and the link in the email shows that it will go to firebasestorage.googleapis.com/v0... you shouldn't trust it. It's best not to click any links in the emails but to visit the company website that sent you the email in the first place.
• Don't blindly trust email attachments: Most commonly, legitimate companies will ask you to log in to their website and to view any documents there; if you received an email with an attachment, it's a good idea to scan it with an antivirus application. Infected email attachments are a common attack vector used by cybercriminals.

To minimise the risk of opening phishing and malicious emails we recommend using Combo Cleaner Antivirus for Windows. 

Example of a spam email:

What to do if you fell for an email scam?

• If you clicked on a link in a phishing email and entered your password - be sure to change your password as soon as possible. Usually, cybercriminals collect stolen credentials and then sell them to other groups that use them for malicious purposes. If you change your password in a timely manner, there's a chance that criminals won't have enough time to do any damage.
• If you entered your credit card information - contact your bank as soon as possible and explain the situation. There's a good chance that you will need to cancel your compromised credit card and get a new one.
• If you see any signs of identity theft - you should immediately contact the Federal Trade Commission. This institution will collect information about your situation and create a personal recovery plan.
• If you opened a malicious attachment - your computer is probably infected, you should scan it with a reputable antivirus application. For this purpose, we recommend using Combo Cleaner Antivirus for Windows.
• Help other Internet users - report phishing emails to Anti-Phishing Working Group, FBI’s Internet Crime Complaint Center, National Fraud Information Center and U.S. Department of Justice.

▼ Show Discussion