Yet another Amazon phish. Just mentioning this one because the phisher got lazy & left the zip file with his contact details etc behind instead of deleting it.
Remember, many email clients, especially on a mobile phone or tablet, only show the name in the From: field and not the bit in <domain.com>. That is why these scams and phishes work so well.
Link goes to http://220.127.116.11/recordings/new.amazon/
There you see a typical Amazon phishing page.
Now let's take a look at the root of the site http://18.104.22.168/recordings/ where we see a message “Sory This Website Hacked By Emad”
Ooh! I wonder if they left behind a http://22.214.171.124/recordings/new.amazon.zip
What’s inside update\email?
PHP files with… what do you know! Emad Mosad’s email address:
$bilsnde = "firstname.lastname@example.org";
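
For anyone triaging a recovered kit archive like this one, the same check can be scripted. This is an added example, not code from the original post or from the kit: it reads the PHP files in a zip as text only and lists string assignments that hold an email address. The sample archive, its file names and the addresses in it are constructed; only the update\email folder and the $bilsnde variable name come from the post.

```python
import io
import re
import zipfile

# Matches PHP string assignments such as: $var = "user@host.tld";
ASSIGN_RE = re.compile(
    r"""\$(?P<var>[A-Za-z_]\w*)\s*=\s*(?P<q>["'])(?P<addr>[^"'\s@]+@[^"'\s@]+\.[A-Za-z]{2,})(?P=q)"""
)

def find_drop_addresses(zip_bytes):
    """Return sorted (path, variable, address) tuples for every PHP file in the archive."""
    hits = set()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as kit:
        for info in kit.infolist():
            # Kits zipped on Windows may store member paths with backslashes.
            path = info.filename.replace("\\", "/")
            if info.is_dir() or not path.lower().endswith(".php"):
                continue
            # Read as text only; nothing from the kit is executed.
            text = kit.read(info).decode("utf-8", errors="replace")
            for m in ASSIGN_RE.finditer(text):
                hits.add((path, m.group("var"), m.group("addr").lower()))
    return sorted(hits)

def build_sample_kit():
    """Constructed stand-in for a recovered kit archive (not the real one)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("new.amazon/index.php", "<?php include 'update/email/send.php'; ?>")
        z.writestr("new.amazon/update\\email\\send.php",
                   '<?php $bilsnde = "Drop.Box@example.org"; mail($bilsnde, $s, $m); ?>')
        z.writestr("new.amazon/update/email/card.php",
                   "<?php $to = 'drop.box@example.org'; ?>")
        # Non-PHP files are skipped even if they contain an address.
        z.writestr("new.amazon/readme.txt", 'contact = "other@example.org"')
    return buf.getvalue()

if __name__ == "__main__":
    for path, var, addr in find_drop_addresses(build_sample_kit()):
        print(f"{path}: ${var} = {addr}")
```

Addresses are lower-cased so the same mailbox written with different casing across files groups together when the output is used for an abuse report.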