A new spam variation, Amazon Order Confirm?

A cow-orker received an email purporting to be from Amazon. Here are some of the data points included:

Order Confirmation, Order #170-2506927-9509503

Your estimated delivery date is Thursday, May 30, 2013

Placed on Wensday [sic], May 29, 2013

Your order was sent to Sophia Turner (not her name), 1433 Columbia Drive, San Paolo, SC 06104-5139

(Item ordered): Sanyo I554R6080 55-inch 1080p 400 Hz LED Slim 3D HDTV (Silber [sic]), sold by MODIA, $1051.83

Order Total: $1051.83

Other than the misspelling of Wednesday and Silver, it has all the Amazon logos and typical order confirmation layout. However, all of the links go to a (different) page at frontsighttacticalanddefense.com, which, if legitimate, is an arms-sale site.

My cow-orker says she did not order this item, and for a thousand dollars, would certainly remember it if she did. The name Sophia Turner is not hers.

A Google search on all key phrases in this email, including the Sanyo model number and the ZIP (which is for CT, not SC), turns up nothing, so numbers and names are probably randomly generated.

I can only guess that the sender hoped she would click on one of the links, like “my account,” and be sent to a malware site. Is this the most likely interpretation, or is there a better one?

Multiple personality disorder? 😛

It’s a malware scam.

Looks like a pretty standard phishing attempt to me.

Agreed, they are hoping she will use a fake site to log in and check an Amazon account. Once they have her info they can generate an order and have it overnighted to a different address.

I just learned of a similar email sent to someone else in our office. It is an identical template, but all data is different, even the link sites. Pretty sophisticated spammer, as it makes it impossible to google any key phrases.

The cow-orker clicked on the “my account” link, and whatever came up made her suspicious, so she didn’t go any further. She also contacted her credit card company and determined that the “order” was not charged to her CC. I wasn’t able to determine if the link did anything to her computer, but her anti-virus didn’t detect anything amiss up to that point.

My guess is it’s a standard phishing attempt, and would have asked for a CC number and password at some point.

I’m just curious if you realize that you misspelled “cow-orker” three times. Or am I the one in error? Shouldn’t it be either “co-worker” or “coworker”?

Cow-orker. A Dilbert-ism.

It’s a joke spelling, suggesting that one’s coworker is a cow.

This isn’t a new variation, I’ve seen fake Amazon confirmation orders for several years.

I have gotten Amazon, TigerDirect [both of which I have accounts with] and NewEgg, which I don’t. Believe me, I know when I order and I rarely bother looking at some email claiming I have ordered when I have not. [as a hint - I have a very specific email address I use for merchant accounts, and if something comes in not on that account it is definitely spam! It isn’t my name, it is a random number letter combination one of my Goddaughters made up for me about 15 years ago.]

I am wondering if they are targeting people who share an email with a spouse or do a lot of ordering and might reasonably have outstanding orders.

How would they know two people are sharing an email (other than “bobandmary@…”)? Or how would a spammer know if you did a lot of ordering?

In this immediate case, I think they are harvesting from a list of local real estate agents, or possibly one company. The two samples I have obtained were received within one day of each other, and both are agents who work for the same office.

That was how I was able to compare the texts & links.

I feel left out. I haven’t gotten one yet, and I work for the same office, too.

Since one recipient clicked on a link, I assume the spammers now have her on the hotlist as someone who not only exists, but is a little on the gullible side, even if they didn’t obtain her vitals. I imagine she will be getting more of these in the future. Maybe the spammers even sell such names to other crooks. No honor among thieves, eh?

Not a cow. A person who orks cows.

I googled the model number and I’m not sure that TV exists (only brings up this thread). Also, I don’t think they normally sell 400Hz TVs on the US market; the equivalent would be 480Hz. So one would be unlikely to ship to SC or WI.

Yep. Much like I said in the OP:

Oops, missed that. Still, that would be a Europe/etc. TV. I’m surprised they saddled her with a “normal” name; 419 scams often have very odd monikers.

Isn’t it odd to use a registered site for the redirect? I mean, it’s usually an IP address or some random text, not such a “dedicated” address.

I’m not sure the address given when you mouseover is the address where the response is actually sent – maybe someone more knowledgeable than I can tell us. I only have two samples to compare, and both have different domains. The second URL shown by mouseover was consulta.abogado.su (Russia, with Spanish flavors). I don’t know if that URL actually exists, and I’m reluctant to try accessing it.

While I think it is probably, as mentioned, a phishing e-mail, I normally send those types of e-mails to abuse@ or info@ the website. It doesn’t do any harm passing it along and might alert the site that there is some abuse going on.

Bob

Amazon’s reporting site is stop-spoofing@amazon.com

Apparently, although it’s possible to give a fake mouseover URL using JavaScript (Google actually does this - you can see the real URL when the page doesn’t load properly), it’s not possible to do this in an email (phew).

That’s what I meant about the URL, I always thought URLs that made sense were more “valuable”.