{"id":12857,"date":"2022-03-28T07:25:12","date_gmt":"2022-03-28T07:25:12","guid":{"rendered":"https:\/\/myonlinesecurity.co.uk\/?p=12857"},"modified":"2022-03-28T07:25:12","modified_gmt":"2022-03-28T07:25:12","slug":"fake-amazon-associates-network-malspam-email-delivers-cthonic-banking-trojan","status":"publish","type":"page","link":"https:\/\/myonlinesecurity.co.uk\/fake-amazon-associates-network-malspam-email-delivers-cthonic-banking-trojan\/","title":{"rendered":"Fake Amazon Associates Network Malspam Email Delivers Cthonic Banking Trojan"},"content":{"rendered":"
Following on from yesterday\u2019s Form of payment for the third person malware scam, today the malware scammers are imitating Amazon Associates to deliver their malware.<\/p>\n
An email with the subject of Amazon Associates Network: Your account coming from Amazon Associates Network <erikam1@umbc.edu> with a malicious Word doc or Excel XLS spreadsheet attachment delivers the Cthonic banking trojan.<\/p>\n
These are coming via a compromised umbc.edu email account. All the sites in the malware delivery chain are compromised sites.<\/p>\n
They are using email addresses and subjects that will scare or entice a user to read the email and follow links to download & open the attachment. I am sure that any Amazon Associate will be more than surprised to suddenly have \u00a312000 in sales commissions and would be extremely worried about the Inland Revenue being notified about the amount.<\/p>\n
Remember that many email clients, especially on a mobile phone or tablet, only show the Name in the From: and not the bit in <domain.com>. That is why these scams and phishes work so well.<\/p>\n
Amazon Associates Network has not been hacked or had their email or other servers compromised. They are not sending the emails to you. They are just innocent victims in exactly the same way as every recipient of these emails.<\/p>\n
The email looks like:<\/p>\n
From:<\/strong> Amazon Associates Network <erikam1@umbc.edu><\/p>\n Date:<\/strong> Wed 11\/10\/2021 16:46 (arrived 11\/10\/2021 09:05 UK time)<\/p>\n Subject:<\/strong> Amazon Associates Network: Your account<\/p>\n Body content:<\/strong><\/p>\n Good afternoon, In this letter, Amazon Associates Network employees notify you about the successful verification of your TAX NUMBER. We also confirm that the 12 000 GBP, that were received from sales, are available for withdrawal. Also we remind that sales reports are automatically sent to HM Revenue & Customs services. You can see sales reports and data about your account in the document: https:\/\/affiliate-program.amazon.com\/?&_encoding=F8&tag=fsdpojsdf-20&linkCode=2&linkIdK3ac1bcc61f987a\u2026. Regards, The Amazon Associates Team \u2014\u2014\u2014\u2014\u2014\u2014\u2013 Please note that you must use this e-mail address to access your account in Associates Central or when contacting Associates Customer Service. To manage your e-mail preferences, update your account settings. Message Category: Amazon Associates Network Updates (c) 20! 16 Amazon.com. All rights reserved. Amazon.com is a registered trademark of Amazon.com, Inc. Amazon.com, 410 Terry Avenue N., Seattle, WA 98109-5210, USA.<\/em><\/p>\n Screenshot:<\/strong><\/p>\n <\/p>\n The link in the email is broken; it should be https:\/\/www.angelbasar.de\/skin\/form.php, where it downloads Your account, statement.docm. Current VirusTotal detections<\/a>: Payload Security<\/a>, where you can see the same screenshots as described yesterday, in which the content only appears after enabling and allowing macros to run.<\/p>\n This malware doc downloads from (VirusTotal<\/a>) (Payload Security<\/a>) Cthonic banking trojan<\/p>\n Email Headers:<\/p>\n