June 23, 2010, 5:37 PM — I don't know about you, but my inbox has been filling up over the past few days with impressively real-looking spam from Amazon. I get a lot of emails from Amazon anyway (my family is sadly addicted to Amazon Unbox video on demand) but these looked just a little too funky. So naturally I couldn't resist investigating a bit further.
I thought they were phishing spam, aiming to social engineer my Amazon log on and password out of me so they could charge stuff to my account. In fact, it's far worse -- they're trying to infect my computer with a Trojan horse, probably in order to hijack it and conscript it into their zombie army.
The original scam email looks like this:
Compare that to a real email from Amazon, shown here (I've redacted my personal info, natch):
Pretty similar, eh? The differences are subtle, but when you look at them side by side they begin to show up. The key of course, is that all of the links in the bogus email point to a Korean "booksalon" site that, if you visit, will infect your system with a Trojan.
Here's the key.
Clue #1. The real email is addressed to me by user name, not by email. A spammer will know your email, but not your Amazon user name.
Clue #2. The real email shows my billing address. Again, not info a spammer is generally privvy too, thank the lord.
Clue #3. This is the big one. This email is desperately trying to get you to click a link to a page on Booksalon.kr. Most phishing spam is more subtle than this; usually only one or two links lead to a site that tries to fool you into giving up your password, with the rest all leading to the real site. This message is more of a brute force attack -- all it needs to do is convince you to click a link out of curiosity to infect your machine.
Clue #4. Not only can these scammers not do math, they can't even use the same dollar amounts from one part of the email to the next. Clearly somebody whose native alphabet isn't English Arabic. Given the .kr domain, it's a safe bet it's coming from East Asia.
Kaspersky won't let me get to that Korean site, tossing up the following warning.