I got a big batch of these today. They’re similar to the fake Amazon HDTV receipts I wrote about in September. These aren’t as lame-looking as most of the spam I write about: they use the right logos, fonts, and typefaces. This site says they lead to malware. The giveaways are: 1) Hover over the links and see where they point before clicking (that’s the best way to prevent phishing attacks and malware infections from spam). 2) The Amazon receipts have no details about what I purchased. 3) I got a dozen of the Amazon spams. I certainly didn’t buy a dozen items yesterday. 4) One of the PayPal receipts was poorly formatted, but the spammers wised up and fixed that quickly. 5) Some mangled English, but not too bad.
One note on the Amazon spams — they include payments for gift certificates in odd amounts, like $5.99, $2.99, $4.99. I’m pretty sure you can’t buy a gift certificate for $5.99. (I do like the sender address no-try-to-reply@amazon.com.) Also, like a lot of spams, the subject lines end with a period. Is this built into the tool? Who adds punctuation to email subjects?
Senders:
Amazon.com [digital-no-reply@amazon.com]
Amazon.com [digital-notifier@amazon.com]
Amazon.com [store-news@amazon.com]
Amazon.com [no-try-to-reply@amazon.com]
PayPal [service@paypal.com]
PayPal [noreply@paypal.com]
Subjects:
Your Amazon.com order confirmation.
Your Amazon.com Kindle e-book order confirmation.
Your Amazon.com order receipt.
Your Kindle e-book Amazon.com receipt.
Your Amazon.com Kindle e-book order.
Your Paypal.com transaction confirmation.
Your Ebay.com transaction details.
Your Ebay.com purchase receipt.
Text:
Here’s the text of one of the Amazon messages. They were all basically the same except for the details.
Respective Amazon.com Customer,
Thanks for your order, robert@rlweiner.com!
Did you know you can view and edit your orders online, 24 hours a day? Visit Your Account.
Order Information:
E-mail Address: robert@rlweiner.com
Billing Address:
166 Summerset Drive
Greenwisch SC 92717-4157,,FL 67151}
United States
Phone: 747-099-4260
Order Grand Total: $ 65.99Earn 3% rewards on your Amazon.com orders with the Amazon Visa Card. Learn More
Order Summary:
Details:
Order #: C32-6356600-4941029
Subtotal of items: $ 65.99
——
Total before tax: $ 65.99
Tax Collected: $0.00
——
Grand Total: $ 60.00
Gift Certificates: $ 5.99
——
Total for this Order: $ 65.99
Here’s one of the PayPal spams:
Dec 5, 2012 07:03:40 EST
Transaction ID: FWASD05E081JTT6G1Hello robert@rlweiner.com,
You have made a payment of $450.48 USD to Kurtis Walls.It may take a few moments for this transfer to show up in your account.
________________________________________
Seller
Kurtis-Walls@ googlemail.com Instructions to seller
You haven’t entered any instructions.
Shipping address – confirmed
Hendrerit Ave.
Manlius SC 79035-0085
United States Shipping details
The seller hasn’t provided any shipping details yet.Details Qty. Amount
PHOTAX PLASTIC SLIDE CASE PLUS 175 x 35mm SLIDES
Item# 671512376273 46 $450.48 USD
Shipping and handling $14.99 USD
Insurance – not offered —-
Total $450.48 USD
Payment $450.48 USDPayment sent to Kurtis Walls
Receipt ID: C-FJY21UQ72O68WD7H9
Problems with this operation?
You have 45 days from the date of the operation to issue a dispute in the Resolution Center.Please Not try to reply to this message. automative notification system unable to accept incoming email. For fast answers to your problems, visit our Help Center by clicking “Help” located on any PayPal page.
PayPal Email ID PC873
Here’s what seems to have been a test message from the PayPal spammer.
hello {mailto_username}@{mailto_domain},
you {l4} a payment of $557.48 usd to {_firstname} {_lastname}.it may take a {l5} for this {l6} to {l7} in your {l8}.
________________________________________
{l9}
{_firstname}{la}{_lastname}@{lb} instructions to {lc}
you haven’t entered any instructions.
shipping address – confirmed
{ld} {le}
{lf} {l10} {l11}{digit}-{digit}
united states shipping details
the seller hasn’t provided any shipping details yet.
{l12} qty. amount
{l13}
item# {l14}{digit} {number} $557.48 usd
shipping and handling ${l15}.{l16} usd
insurance – not offered —-
total $557.48 usd
payment $557.48 usdpayment sent to {_firstname} {_lastname}
receipt id: {l17}-{symbol}
{l18} with this {l19}?
you have 45 days from the date of the {l1a} to {l1b} a dispute in the resolution center.please {l1c} reply to this message. {l1d} system {l1e} accept incoming {l1f}. for {l20} answers to your {l21}, visit our help center by clicking “help” located on any paypal page.
paypal email id p{symbol}{digit}
Sample Amazon spam:
Sir,
I do received the same mail … ebay purchase receipt
here is my received mail details..
let me know what should I do
thanks n regards
palaniappan
Hello appu1189@rediffmail.com,
You made a payment of $861.48 USD to Vivian Jones.
It may take a while for this transaction to appear in your transactions history.
Merchant
Vivian-Jones@aol.com
Instructions to seller
You haven’t entered any instructions.
Shipping address – confirmed
Venenatis Rd
San Paolo WY 15849-4411
United States
Shipping details
The seller hasn’t provided any shipping details yet.
Description Qty. Amount
PHOTAX PLASTIC SLIDE CASE PLUS 175 x 35mm SLIDES
Item# 786521983131 80 $861.48 USD
Shipping and handling $19.49 USD
Insurance – not offered —-
Total $861.48 USD
Payment $861.48 USD
Payment sent to Vivian Jones
Receipt ID: D-1OXP2ZEPG8SKP80VS
Problems with this transaction?
You have 45 days from the date of the purchase to issue a dispute in the Resolution Center.
Please don’t reply to this message. automative notification system not configured to accept incoming messages. For immediate answers to your issues, visit our Help Center by clicking “Help” located on any PayPal page.
PayPal Email ID PX403
Don’t click on any of the links. Just delete it.
My wife received 4 of these over the last two days. She clicked one of the links but the AVAST virus checker saved her.
This is an effective phishing email because many people, like my wife, are making amazon purchases for Christmas. This email’s subject is ‘you order receipt’ so it makes it believable. Then the part that gets them concerned is the billing address that is not theirs with a charge attached, so the reflex is to click the link and find out what the problem is.
I compared the sender’s email address with the valid one. Amazon’s is ‘auto-confirm@amazon.com’ – the bogus email is simply ‘amazon.com’.
As I recommended to her, any email that causes alarm or concern should cause you to be suspicious. That phisher uses this human emotion to prompt the receiver to act (click) without thinking.
Well done Robert!
I received one of these this morning and was impressed by just how convincing it was. How easy it would be to just click a link just as one does for so many other routine on-line transaction correspondences. I especially liked your pointing out the punctuation in the subject line. Cute!
Of course, the real crooks are the “legitimate” businesses that dupe unsuspecting consumers into signing up for services and products that result in reoccurring charges from which the consumer must opt-out. This parasitosis hidden in plain sight has grown to epidemic proportions. So far at least, no one even tries to calculate the losses produced by this ubiquitous form of thievery.
I looked around your web site and it may be that we share some interests. I was a student of W. E. Deming and consulted to organizations along those lines for many years. If that name rings a bell for you then you get my point.
Anyway, thanks for the phishing heads-up,
Marc
Santa Cruz, CA
i got one of these
Billing Address:
302 Class Donec Road Ave.
GAHANNA SC 99617-4232,,FL 67151}
United States
Phone: 614-42
the zip code field was a dead give away…….. why would it show two if real?(if those are in fact zipcodes for florida and south carolina)
I got that email yesterday.
If you hover over the links you see that they direct you to the domain “gonzalezlovera.com”
According to http://whois.domaintools.com, the administrator of that domain is Marco Pirrongelli in Miami FL. Google this name and one of the first things that pops up is a registered sex offender in Orlando.
Interesting.
Derek,
Interesting. But it’s often the case that the web sites these links point to have been hacked, and the site owners don’t know this is happening. You’d have to be pretty stupid to set up a malware site in the U.S. on your own site. Of course, it’s best to never underestimate people’s stupidity.
Robert
The PayPal scam is still out there. Two new ones this week:
Version 1:
You sent a payment of $149.49 USD to Iwan Brave (movinglyhya783@tamalehutcafe.com)
Thanks for using PayPal. To see all the transaction details, log in to your PayPal account.
It may take a few moments for this transaction to appear in your account.
________________________________________
Seller
Iwan Brave
movinglyhya783@tamalehutcafe.com
Note to seller
You haven’t included a note.
Shipping address – unconfirmed
19 NORFOLK ST
SACRAMENTO, FL 98908-7775
United States Shipping details
USPS Priority Mail
Description Unit price Qty Amount
TAG Heuer Men’s WAP9392.BA1055 Aquaracer Black Dial Watch
Item# 406518236870 $149.49 USD 1 $149.49 USD
Shipping and handling $0.00 USD
Insurance – not offered —-
Total $149.49 USD
Payment $149.49 USD
Charge will appear on your credit card statement as PAYPAL Iwan Brave
Payment sent to movinglyhya783@tamalehutcafe.com
Version 2:
You sent a payment of $149.49 USD to Imran Maqsood (dearsbo6@concordequipment.com)
Thanks for using PayPal. To see all the transaction details, log in to your PayPal account.
It may take a few moments for this transaction to appear in your account.
________________________________________
Seller
Imran Maqsood
dearsbo6@concordequipment.com
Note to seller
You haven’t included a note.
Shipping address – unconfirmed
7101 STATE HWY
GETTYSBURG, TN 80279-7314
United States Shipping details
USPS Priority Mail
Description Unit price Qty Amount
Invicta Men’s 5225 Speedway Collection Chronograph S Watch
Item# 282425939106 $149.49 USD 1 $149.49 USD
Shipping and handling $0.00 USD
Insurance – not offered —-
Total $149.49 USD
Payment $149.49 USD
Charge will appear on your credit card statement as PAYPAL Imran Maqsood
Payment sent to dearsbo6@concordequipment.com
Thanks Robert!
I got this spam yesterday from auto-confirm1116@amazon. Subject line: Your Amazon.com order #: 7A-6155738-5714178.
Good evening,
Thank you for your order. We’ll let you know once your item(s) have dispatched.You can view the status of your order or make changes to it by visiting Your Orders on Amazon.com.
Order Details
Order #:7A-6155738-5714178
Placed on September 26, 2013
Order details and invoice in attached file.
Need to make changes to your order? Visit our Help page for more information and video guides.
We hope to see you again soon.
Amazon.com
AttachmentsORDER-R7D-1937772-2454604.zip
………
I was concerned someone had used my account to make an order, but confirmed that this was in fact a spam. What danger do I face from this kind of spam? I tried to open the attachment to no avail. I suppose I should not have clicked on the attachement.
Thanks,
Kenny