Fake Amazon Gift Cards Deliver Dridex Trojan

Attackers Target Online Shoppers in the US and Europe
Cybercriminals are using fake online Amazon gift cards to distribute the Dridex banking Trojan.

Cybercriminals are targeting online shoppers in the U.S. and Western Europe with fake Amazon gift cards that deliver the Dridex banking Trojan, the security firm Cybereason reports.

Since the campaign began earlier this month, the attackers have targeted thousands of victims in the U.S. and Western European countries, where Amazon is a popular shopping destination and has local websites, according to Cybereason researchers.

"2020, for obvious reasons, is a year where consumers changed their shopping habits towards doing most of their shopping online," the researchers note. "The campaign uses legitimate-looking emails, icons, and naming conventions to lure victims into downloading malicious attachments."

Amazon has issued updates about potential scams.

Attack Tactics

To begin their campaign, the attackers send a phishing email stating the recipient has received a free Amazon gift card. The email prompts the user to download or link to the gift card, which is contained in a malicious attachment, setting off one of three attack scenarios.

In the first, the attackers use malicious Word documents that claim to contain the gift card. The attackers then ask the victims to "enable content" to open the file. At this point, malicious macros are downloaded onto the victim's device.

"The command opens a pop up with a fake error message, tricking the user into thinking there was an error opening the file, when in fact the macro is being run in the background," the report notes.

The second method involves the attackers using SCR, or screensaver, files that enable them to bypass email security. The message includes Amazon-themed icons and naming conventions.

These SCR files contain a malicious VBScript, which, when executed, unpacks the Dridex malware for exfiltrating sensitive user data, the report adds.

The final infection vector is a VBScript file that is downloaded via a malicious link found in the body of the email. When clicked, the link executes the Dridex malware, according to Cybereason.
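
For defenders, the three delivery vectors described above map to checks a mail filter can apply. The following Python code is an added example, not taken from the Cybereason report or the original article; the function names, the sample message, the file names and the example.invalid link are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy .doc container header

def has_vba(data: bytes) -> bool:  # does an OOXML zip embed a VBA macro project?
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False

def triage(raw: bytes) -> list[tuple[str, str]]:
    """Return (item, reason) findings for one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        ext = name.lower().rpartition(".")[2]
        data = part.get_payload(decode=True) or b""
        if ext == "scr" or data[:2] == b"MZ":  # screensavers are PE executables
            findings.append((name, "executable (SCR/PE) attachment"))
        elif ext in ("vbs", "vbe"):
            findings.append((name, "VBScript attachment"))
        elif data[:4] == b"PK\x03\x04" and has_vba(data):
            findings.append((name, "Word document with VBA macro project"))
        elif data[:8] == OLE_MAGIC:  # macros not visible without an OLE parser
            findings.append((name, "legacy OLE document, inspect for macros"))
    body = msg.get_body(preferencelist=("plain",))
    for token in (body.get_content() if body else "").split():
        url = token.strip("<>()\"'.,")
        if url.lower().startswith("http") and url.lower().endswith((".vbs", ".scr")):
            findings.append((url, "link to script or screensaver download"))
    return findings

def sample_message() -> bytes:  # constructed sample; payloads are inert placeholder bytes
    m = EmailMessage()
    m["Subject"] = "You received an Amazon gift card"
    m.set_content("Claim it: https://example.invalid/Amazon_Gift.vbs\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/vbaProject.bin", b"\x00")
    for fname, blob in (("Amazon_Gift_Card.scr", b"MZ" + bytes(62)),
                        ("gift_card.docm", buf.getvalue()),
                        ("receipt.pdf", b"%PDF-1.4\n")):
        m.add_attachment(blob, maintype="application",
                         subtype="octet-stream", filename=fname)
    return m.as_bytes()
```

Calling `triage(sample_message())` flags the screensaver, the macro-enabled document and the script link, and leaves the PDF alone.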

Dridex Campaigns

Dridex has been active since at least 2012, and the primary distributor is the Evil Corp cybercrime group, Cybereason notes.

In December 2019, two Evil Corp members, including the alleged ringleader, Maksim Yakubets, were indicted by the U.S. Justice Department on multiple charges. Both remain at large (see: Two Russians Indicted Over $100M Dridex Malware Thefts).

In addition to Evil Corp, Dridex is also linked to another financially motivated group called TA505, which has been distributing the Trojan since 2014, the report says (see: BEC Campaign Targets HR Departments: Report).

About the Author

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.
