{"id":11539,"date":"2022-04-11T09:11:32","date_gmt":"2022-04-11T09:11:32","guid":{"rendered":"https:\/\/myonlinesecurity.co.uk\/?p=11539"},"modified":"2023-04-04T11:23:10","modified_gmt":"2023-04-04T11:23:10","slug":"locky-delivered-by-spoofed-your-amazon-com-order-has-dispatched","status":"publish","type":"page","link":"https:\/\/myonlinesecurity.co.uk\/locky-delivered-by-spoofed-your-amazon-com-order-has-dispatched\/","title":{"rendered":"Locky Delivered By Spoofed Your Amazon.com Order Has Dispatched"},"content":{"rendered":"
After their week\u2019s holiday \/ slow-down, the Locky affiliates are hitting hard again this morning, back to an old regular email with the subject of Your Amazon.com order has dispatched (#713-7377848-7745100) (random numbers), pretending to come from Amazon Inc <auto-shipping4@amazon.com> with a zip attachment whose name matches the subject.<\/p>\n
It looks like Locky has changed the encrypted file extension to .aesir, and the C2 path to \u201c\/information.cgi\u201d.<\/p>\n
We can all expect to see a lot more spoofed \/ fake delivery notifications over the next few weeks, with the upcoming holiday season and the Black Friday and Cyber Monday online shopping days filling our inboxes with both wanted and unwanted emails, either encouraging us to spend more or thanking us for our purchases and telling us when our orders will be delivered.<\/p>\n
They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium-sized businesses, in the hope of getting a better response than they do from consumers.<\/p>\n
These do not come from Amazon in any way.<\/p>\n
21 November 2021: ORDER-713-7377848-7745100.zip: extracts to KBDGUB350132.js. Current VirusTotal detections: MALWR shows a download of an encrypted file from http:\/\/jmltda.cl\/hfvg623?wCTlMeE=wCTlMeE which is renamed by the script to wCTlMeE1.dll (VirusTotal). C2 are http:\/\/89.108.73.124\/information.cgi | http:\/\/91.211.119.98\/information.cgi | http:\/\/185.75.46.73\/information.cgi<\/p>\n
Payload Security<\/strong> (https:\/\/www.hybrid-analysis.com\/sample\/7d8f69106ca48bd9c3946487e9c0bce95347a6705487b23bc2df7e3d51469ba0?environmentId=100) shows the same.<\/p>\n
One of the emails looks like:<\/p>\n
From:<\/strong> Amazon Inc <auto-shipping4@amazon.com><\/p>\n
Date:<\/strong> Mon 21\/11\/2021 09:40<\/p>\n
Subject:<\/strong> Your Amazon.com order has dispatched (#713-7377848-7745100)<\/p>\n
Attachment:<\/strong> ORDER-713-7377848-7745100.zip<\/p>\n
Dear Customer,<\/em><\/p>\n
Greetings from Amazon.com,<\/em><\/p>\n
We are writing to let you know that the following item has been sent using Royal Mail.<\/em><\/p>\n
For more information about delivery estimates and any open orders, please visit: http:\/\/www.amazon.com\/your-account<\/em><\/p>\n
Your order #713-7377848-7745100 (received November 20, 2021)<\/em><\/p>\n
Note: this e-mail was sent from a notification-only e-mail address that cannot accept incoming e-mail. Please do not reply to this message.<\/em><\/p>\n
Thank you for shopping at Amazon.com<\/em><\/p>\n
\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014-<\/em><\/p>\n
Amazon EU S.\u00e0.r.L.<\/em><\/p>\n
c\/o Marston Gate<\/em><\/p>\n
Ridgmont, BEDFORD MK43 0XP<\/em><\/p>\n
United Kingdom<\/em><\/p>\n
\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014-<\/em><\/p>\n
These malicious attachments normally have a password-stealing component, with the aim of stealing your bank, PayPal or other financial details along with your email or FTP (web space) login credentials. Many of them are also designed to specifically steal your Facebook and other social network login details. A very high proportion are Ransomware versions that encrypt your files and demand money (about \u00a3350\/$400) to recover the files.<\/p>\n
All the alleged senders, amounts, reference numbers, bank codes, companies, names of employees, employee positions, email addresses and phone numbers mentioned in the emails are random. Some of these companies will exist and some won\u2019t. Don\u2019t try to respond by phone or email; all you will do is end up with an innocent person or company who have had their details spoofed and picked at random from a long list that the bad guys have previously found.<\/p>\n
The bad guys choose companies, Government departments and organisations with subjects that are designed to entice you or alarm you into blindly opening the attachment or clicking the link in the email to see what is happening.<\/p>\n
Screenshot:<\/strong><\/h3>\n