Another day closer to Christmas, the shopping urgency (anxiety?) increases, and cybercriminals are looking to take advantage of unsuspecting users. This week the EdgeWave Threat Detection Center caught a very impressive phishing campaign spoofing Amazon. While this falls squarely within the “always be sure before you click”, the apparent legitimacy is sure to catch enough users to make for a very happy holiday for at least one criminal group.

Let’s start with an example of a legitimate Amazon order confirmation email.

Sender: Amazon.com <auto-confirm@amazon.com>

Amazon Confirmation Email

And now the phishing sample.

Phishing Sample

The phishing email was sent from colchonesrelax.com.co, a bed retailer in Columbia. The gateway used for sending the email correlates to the retailer, indicating a compromised email server.

Compromised Email Server

While there are enough differences to generate suspicion, it’s an impressive fake and easy for many users to consider legitimate and happily click the Order Details button. And clicking the Order Details button is the last thing anyone should do with this email.

Clicking Order Details connects to unique subdirectory at lancang.desa.id and downloads a Microsoft Word document titled order_details.doc. Opening this document activates a macro that contacts palapa2.lazeon.com at IP 101.50.1.12 (the same server that hosts lancang.desa.id, located in Indonesia) and downloads keyandsymbol.exe to a new created folder at \AppData\Local\keyandsymbol. When executed, keyandsymbol.exe then reaches out to www.funtelo.com and www.ceeetwh.org to download additional components. Interestingly, these other servers are in Houston and Lansing. Playing Dora the Explorer for a moment, we’ve encountered a compromised email server in Columbia sending phishing email with a link to a server in Indonesia that downloads malware which then contacts compromised servers in the United States. The holidays are truly global!

To prevent detection by traditional email security gateways, the campaign uses various iterations of certain details. EdgeWave analysts have seen multiple subdirectories on the compromised web server used to deliver the initial malware:

  • /AMAZON/Details/122018
  • /AMAZON/Clients_Messages/12_18
  • /AMAZON/Clients/122018

We have also seen multiple subject lines:

  • Your Amazon.com order
  • Order #153-5168164-0006599
  • Amazon order details
  • Your order 162-2672000-0034071 has shipped
  • Order #188-1301600-0441976 details

It’s important to remember that cybercriminals are very aware of current technologies, and spend time learning how to bypass traditional email security gateways. The iterations listed above are liable to fly right past most gateways, landing in the user’s Inbox – nirvana for the modern cybercriminal. This is exactly why EdgeWave believes the Inbox is the next cybersecurity battleground.

For security professionals.

  • Keyandsymbol.exe
    • MD5 – 3b3a332694ec943e9e0238a9885ef91a
    • SHA256 – e9b7d8ac373674cfd789ac2cb9681a5a2abc4d34a8e1eeeae1ae2a799d2ba01a
  • Block communications TO/FROM domain and IP lancang.desa.id – 101.50.1.12
  • Be cautious of traffic TO/FROM domain and IP www.funtelo.com – 192.185.2.61
  • Be cautious of traffic TO/FROM domain and IP www.ceeetwh.org – 184.106.55.45