Amazon misused in phishing campaign

For some time, alleged phishing mails targeted various institutions but aren’t really phishing for the victims’ credentials, but are redirecting them to a fake Canadian Pharmacy website, are very widespread. (Don’t get this wrong, we are not missing “real” phishing where a fake email takes the recipient to a website almost identical to the real one in order to make you login.)

The method stays the same, but the targets are changing now. Over the weekend plenty of phishing emails that on first sight are targeting amazon.com, which really redirect to a software shop then though, found their way into our spam traps.

In the past, for example for some Facebook Phishing / spam, the spammer played everything on one card by using the same domain everywhere. That changed now. All the pictures referred in the email are from the amazon.com website. A nice way of improving the ROI, by minimizing the cost for the bandwidth. The final target link is also, as in the previous example, pointing to a dedicated domain.

Searching for some information reveals a correctly registered domain name in the Ukraine, but owned by a private person from Moscow, Russia.

Apparently, there is no connection to the previous owner. But this doesn’t mean that they aren’t part of the same group.

We have noticed a very interesting issue with both websites: If you click anywhere on the links, the subsequent pages will be displayed in the language of the country you are located. In my case, I’ve seen the pages in German.

Being a software shop, and seeing on the front page that they sell nearly everything, I tried to search for Avira software. And I found Avira AntiVir Premium and Avira Premium Security Suite – in version 9. In April 2010 we released version 10 of our software and version 9 is not being sold anymore (but we offer a gratis upgrade to v.10). However, there is a “mistake” there: AntiVir Premium costs 19.95 EUR on Avira’s website and not 29.95 EUR. They got, however, the pricing of the Avira Premium Security Suite right.

The point is to show people that you offer a great discount and they will forget about the “rest” (like the real price) and concentrate only on what they have in front of them. The “rest” in our case is also: A fake shop which will, probably, steal your credit card data and misuse them, illegal/pirated/malware infected software and so on.

Please try to find discounts for these products somewhere else, because the same Avira Premium Security Suite will detect this email as Phishing and the URL as spam.

Sorin Mustaca
Data Security Expert