It is almost the end of 2013 and online shopping is booming, with more orders being placed at online web shops. This also increases the number of orders dispatched by courier, which makes it an excellent opportunity to send out fake order details emails with an attached virus or trojan, something we have indeed seen happen over the last few days.
MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “order #852-9045074-5639529” or “order ID801-7322179-4122684”.
This email is sent from the spoofed address “"AMAZON.CO.UK" <SALES@AMAZON.CO.UK>” and has the following body:
Thank you for your order. We’ll let you know once your item(s) have dispatched. You can view the status of your order or make changes to it by visiting Your Orders on Amazon.co.uk.
Order ID266-3050394-3760006 Placed on December 2, 2013
Order details and invoice in attached file.
Need to make changes to your order? Visit our Help page for more information and video guides.
We hope to see you again soon. Amazon.co.uk
The attached ZIP file is named Order details.zip and contains the 86 kB file Order details.exe.
The trojan is known as Trojan-PWS.Fareit, Trojan.Inject.RRE, PE:Malware.FakeDOC@CV!1.9C3C or Mal/Generic-S.
At the time of writing, 5 of the 46 AV engines detected the trojan at VirusTotal.