Cybercrime , Fraud Management & Cybercrime , Governance & Risk Management
Fake Amazon Gift Cards Deliver Dridex Trojan
Attackers Target Online Shoppers in the US and EuropeCybercriminals are targeting online shoppers in the U.S. and Western Europe with fake Amazon gift cards that deliver the the Dridex banking Trojan, the security firm Cybereason reports.
See Also: Bank on Seeing More Targeted Attacks on Financial Services
Since the campaign began earlier this month, the attackers have targeted thousands of victims in the U.S. and Western European countries, where Amazon is a popular shopping destination and has local websites, according to Cybereason researchers.
"2020, for obvious reasons, is a year where consumers changed their shopping habits towards doing most of their shopping online," the researchers note. "The campaign uses legitimate-looking emails, icons, and naming conventions to lure victims into downloading malicious attachments."
Amazon has issued updates about potential scams.
Attack Tactics
To begin their campaign, the attackers send a phishing email stating the recipient has received a free Amazon gift card. The email prompts the user to download or link to the gift card, which is contained in a malicious attachment, setting off one of three attack scenarios.
In the first, the attackers use malicious Word documents that claim to contain the gift card. The attackers then ask the victims to "enable content" to open the file. At this point, malicious macros are downloaded onto the victim's device.
"The command opens a pop up with a fake error message, tricking the user into thinking there was an error opening the file, when in fact the macro is being run in the background," the report notes.
The second method involves the attackers using SCR, or screensaver, files that enable them to bypass email security. The message includes Amazon-themed icons and naming conventions.
These SCR files contain a malicious VBScript, which, when executed, unpacks the Dridex malware for exfiltrating sensitive user data, the report adds.
The final infection vector is a VBScript file that is downloaded via a malicious link found in the body of the email. When clicked, the link executes the Dridex malware, according to Cybereason.
Dridex Campaigns
Dridex has been active since at least 2012, and the primary distributor is the Evil Corp cybercrime group, Cybereason notes.
In December 2019, two Evil Corp members, including the alleged ringleader, Maksim Yakubets, were indicted by the U.S. Justice Department on multiple charges. Both remain at large (see: Two Russians Indicted Over $100M Dridex Malware Thefts).
In addition to Evil Corp, Dridex is also linked to another financially motivated group called TA505, which has been distributing the Trojan since 2014, the report says (see: BEC Campaign Targets HR Departments: Report).