Bogus Amazon Shipping Emails Lead to Malware-Pushing Sites

Getting shipment confirmation emails from Amazon when you didn’t order anything spells trouble. You might think that someone is gifting you something, or that an Amazon bug means free goods are heading your way, but think again: what you are really looking at is the newest scam on the virtual block.

Security researchers from Solutionary have intercepted several of these emails making the rounds, and while they might seem legit, they’re nothing but bait to lure gullible users into visiting sites peppered with malware-pushing scripts.

The emails have subjects that read: “Your Amazon.com order of ‘Casio Men’s EEDN7D-1 G-Shock Solar Atomic Digital Sports Watch’ has shipped!” Several links in the email lead users to a compromised site, which then redirects them to another URL that attempts to download a .JAR file exploiting the vulnerability described in CVE-2012-0507.

The email reads:

Thank you for shopping with us. We thought you’d like to know that we shipped this portion of your order separately to give you quicker service. You won’t be charged any extra shipping fees, and the remainder of your order will follow as soon as those items become available.

If you need to return an item from this shipment or manage other orders, please visit Your Orders on Amazon.com.

There are several dead giveaways that these emails are a scam. First, they address users only with ‘Hello.’ If you’ve ever shopped on Amazon, you’d know that it greets customers with ‘Greetings’ followed by the customer’s full name. Real emails from Amazon display the actual URL paths of the links they contain, and they include the shipping address you entered for your order.
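The three giveaways listed above can be turned into an automated check. The script below is an added example, not code from the original article or from Solutionary: it parses an HTML email and flags a greeting with no customer name, anchors whose visible text is a URL that differs from the real destination, and links that leave amazon.com (the trusted-domain list is an assumption). Both sample messages and every URL in them are constructed for this example; the article does not name the real compromised sites.

```python
"""Heuristic checks for Amazon-style shipping notifications (added example)."""
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a genuine shipping notice only links to amazon.com or a subdomain.
TRUSTED_SUFFIXES = ("amazon.com",)


class _LinkCollector(HTMLParser):
    """Collects (href, visible anchor text) pairs plus the body's plain text."""

    def __init__(self):
        super().__init__()
        self.links = []          # list of (href, anchor_text)
        self.text_parts = []
        self._href = None
        self._anchor = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._anchor = []

    def handle_data(self, data):
        self.text_parts.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None


def _html_body(msg):
    """Return the first text/html part of the message, decoded to str."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_type() == "text/html":
            return part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8")
    return ""


def _host(url):
    if not re.match(r"^[a-z]+://", url, re.I):
        url = "http://" + url          # anchor text such as www.amazon.com/orders
    return (urlparse(url).hostname or "").lower()


def _trusted(host):
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def check_message(raw_email):
    """Return a list of (code, detail) findings; an empty list means no giveaway hit."""
    collector = _LinkCollector()
    collector.feed(_html_body(message_from_string(raw_email)))
    text = re.sub(r"\s+", " ", "".join(collector.text_parts)).strip()
    findings = []

    # 1. Generic greeting: "Hello," with no name after it. Amazon uses "Greetings <full name>".
    m = re.match(r"^(Hello|Hi|Dear)\b([^.!,\n]*)", text)
    if m and not m.group(2).strip():
        findings.append(("generic_greeting", text[:40]))

    for href, anchor in collector.links:
        dest = _host(href)
        # 2. Visible text is itself a URL, but it points somewhere else.
        if re.match(r"^(https?://|www\.)", anchor, re.I) and _host(anchor) != dest:
            findings.append(("display_mismatch", f"shows {anchor!r} but goes to {dest}"))
        # 3. The real destination is not an Amazon host.
        if not _trusted(dest):
            findings.append(("untrusted_domain", dest))
    return findings


# Constructed sample resembling the scam described in the article.
SAMPLE_PHISH = """From: ship-confirm@example.invalid
Subject: Your Amazon.com order of 'Casio G-Shock Watch' has shipped!
Content-Type: text/html; charset=utf-8

<html><body>
<p>Hello,</p>
<p>Thank you for shopping with us. We shipped this portion of your order separately.</p>
<p>Please visit <a href="http://compromised-site.example/track">Your Orders</a>
on <a href="http://compromised-site.example/amazon">https://www.amazon.com/orders</a>.</p>
</body></html>
"""

# Constructed sample with the traits of a genuine notice (named greeting, address, real links).
SAMPLE_GENUINE = """From: ship-confirm@example.invalid
Subject: Your Amazon.com order has shipped!
Content-Type: text/html; charset=utf-8

<html><body>
<p>Greetings Jane Doe,</p>
<p>Your package is on its way to: 123 Constructed Lane, Sampletown.</p>
<p>Track it at <a href="https://www.amazon.com/gp/css/order-history">https://www.amazon.com/gp/css/order-history</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("genuine", SAMPLE_GENUINE)):
        print(name, check_message(sample))
```

The greeting and link checks deliberately stay independent so that a single finding is enough to quarantine a message for review; the shipping-address giveaway is not checked here because its presence cannot be verified without the recipient's real order data.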

If you get any of these emails, hit delete, report it as spam, and spread the word to your friends. Remember to install an anti-virus program and keep it updated to protect your computer.