
Beware of fake Amazon.com purchase order scams

As I write this I am looking at the fourth Amazon.com scam message I have received in the last 24 hours. These messages are professionally composed and very closely resemble the actual email one receives after making a purchase at Amazon.com. However, there are some telltale differences, listed below, that give away the fake notices. All of the current scams have this subject line:

Your Amazon.com Order (D followed by 2 digits-7 digits-7 digits). This is exactly the layout of a real Amazon.com order confirmation.

Before I tell you how to differentiate between a legitimate Amazon order confirmation and the fakes, I want to show you where you will end up if you are tricked into clicking on a link in a fake Amazon notice. In the sample of the fake notice before me, everything looks like an official order confirmation for an Amazon.com purchase, all the way down to the graphics and most, but not all, of the text (see below). The main difference is that every single clickable link in the fake message leads to a domain that is not on amazon.com at all. All links lead to the same hostile location, via a 301 redirect configured in an .htaccess file on a compromised Apache VPS web server. The destination of this redirection is, in this instance: actcountry.ru:8080, which is hosted on a Russian nginx web server, on an unconfigured dedicated server in France belonging to OVH Hosting.

At this moment the payload is offline, but it could return at any time, or may appear on another server used by the domain redirection scripts. There is no doubt that the payload was not friendly to most browsers on Windows operating systems.

The rest of the details about identifying fake Amazon purchase confirmations follow in my extended comments.

How to differentiate between real and fake Amazon.com purchase confirmations

The first telltale sign giving away the fakes is in the salutation. The name of the purchaser in the fake is not your actual name but your email address. If you buy something on Amazon, your actual first and last name, as listed in your Amazon account, will appear in bold at the beginning of the message. If you buy on Amazon and get an email with your email address after "Thanks for your order," rather than your actual name, it is probably a scam.

The next giveaway is that if you hover your pointer over every link, they will all display a location that does not start with http://www.amazon.com/. Most of the links in an official Amazon email lead to different folders and files, but all of the links in the fakes lead to the same domain and file, differing only by an id number. Always hover before clicking on links in email messages.

The next giveaway is that the dollar amounts are not the same in several places. In an actual purchase of one item, the amount paid is listed at least 5 times and is always the same; the only differences come from sales tax or additional items. In the fake, only one purchase is declared, but the prices vary at least 5 times! This includes a dead giveaway: the grand total is first shown as one price, and then 4 other totals appear that do not match it.

Finally, the headers don't lie. If your email client allows you to display the full incoming headers, look at the first Received from line and see if it includes the following, or a variation thereof: Received: from mm-notify-out-2103.amazon.com ([207.171.164.47]) - The mail server name, including the notify-out number, may vary, but it always ends with amazon.com, followed by parentheses enclosing an IP address belonging to amazon.com. The fakes will not have amazon.com as the received-from host, but an offshore server with an IP address traceable to Europe. In the fake I am looking at, the first Received from line is as follows: Received: from [59.92.38.93] (helo=ZSXOMGPE). That IP address belongs to the national internet backbone in India! Whois 59.92.38.93.

If you use Windows Live Mail, Outlook Express, or Windows Mail, you can read the incoming headers in the message source. Just right click on a message in your inbox and select Properties. If the message is already open for viewing, press ALT + Enter to display the headers. Other email clients will have their own key combination to display the headers, as will most webmail systems (see your email options link).

Finally, if you don't buy on Amazon.com, delete all such messages on sight! They are targeted at people who do have Amazon accounts and are meant to scam or infect them.

Using MailWasher Pro as an additional line of defense

I use MailWasher Pro to filter all incoming email before downloading it to my Windows Live Mail client. I already have a custom spam filter in place that detects and deletes these Amazon scams. It is as follows:

[enabled],"Amazon.com Scam","Amazon.com Scam",16711680,AND,Delete,TakesPrecedence,From,contains,@amazon.com,EntireHeader,doesn'tContainRE,"^Received:\ from\ (mm-[a-z]{5,8}|smtp)-out-.{4,7}\.amazon\.com\ \(\[[\d\.]{11,15}\]\)$",Subject,contains,Amazon.com

This filter is for MailWasher versions up to 6.5.4. I am rewriting my filters and my MailWasher product description page to reflect the changes and new filter format.
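The four clues above (salutation, link destinations, mismatched totals, first Received line) and the Received-line regex from the MailWasher filter can be checked automatically. The script below is an added example written for this post, not the post's own code or anything from MailWasher: the function name, the two sample messages (constructed, with placeholder hosts) and the tag-stripping are assumptions, the Received regex is adapted from the filter with its trailing "$" dropped, and it accepts any amazon.com host for links where the post's own rule is stricter (http://www.amazon.com/).

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Adapted from the post's MailWasher regex (its trailing "$" dropped, since a full
# Received header continues with "by ... ; date").
AMAZON_RECEIVED = re.compile(r"^from (mm-[a-z]{5,8}|smtp)-out-.{4,7}\.amazon\.com \(\[[\d.]{11,15}\]\)")
HREF_RE = re.compile(r'href="([^"]+)"', re.I)
MONEY_RE = re.compile(r"\$(\d+\.\d{2})")

def check_amazon_notice(raw: bytes) -> list:
    """Return the post's telltale signs of a fake that are present in a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flags = []
    # 1. The headers don't lie: test the first Received line (folded lines collapsed).
    first = re.sub(r"\s+", " ", str((msg.get_all("Received") or [""])[0]))
    if not AMAZON_RECEIVED.match(first):
        flags.append("first Received line is not an amazon.com mail server")
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    # 2. Every link must stay on amazon.com; the fakes all point at one foreign host.
    hosts = {urlparse(u).hostname or "" for u in HREF_RE.findall(body)}
    bad = sorted(h for h in hosts if h != "amazon.com" and not h.endswith(".amazon.com"))
    if bad:
        flags.append("links lead off amazon.com: %s" % bad)
    text = re.sub(r"<[^>]+>", " ", body)  # crude tag strip for the text checks below
    # 3. The salutation should carry the account holder's name, not an email address.
    m = re.search(r"Thanks for your order,\s*(\S+)", text)
    if m and "@" in m.group(1):
        flags.append("salutation addresses the recipient by email address")
    # 4. For a one-item order every repeated dollar amount should be identical.
    amounts = sorted(set(MONEY_RE.findall(text)))
    if len(amounts) > 1:
        flags.append("inconsistent totals: %s" % amounts)
    return flags

# Constructed samples (not real messages); the fake mirrors the clues listed in the post.
FAKE_NOTICE = b"""\
Received: from [59.92.38.93] (helo=ZSXOMGPE) by mx.example.net with smtp
Content-Type: text/html

<p>Thanks for your order, victim@example.net!</p><a href="http://example.invalid/index.php?id=42">View order</a>
<p>Grand Total: $47.95</p><p>Order Total: $52.80</p>
"""
REAL_NOTICE = b"""\
Received: from mm-notify-out-2103.amazon.com ([207.171.164.47]) by mx.example.net
Content-Type: text/html

<p>Thanks for your order, <b>Jane Doe</b>!</p><a href="http://www.amazon.com/gp/css/summary/edit.html">Your order</a>
<p>Item total: $47.95</p><p>Grand Total: $47.95</p>
"""
```

Running check_amazon_notice on FAKE_NOTICE reports all four signs; on REAL_NOTICE it returns an empty list.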


This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.

About the author
Wiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security and combating spam. Wizcrafts Computer Services was established in 1996.
