The standard order confirmation email, a staple of ecommerce processes and ongoing marketing campaigns, continues to be a favorite malware delivery method for criminals. One long-lived malicious threat known as ASProx reared its head again as spoofed emails bearing Walmart, Costco, and Target branding have been found to be delivery mechanisms for the malware.
The return of ASProx, as noted by security firm Malcovery, looks a lot like its December 2013 appearance. Emails appearing to be legitimate messages from the likes of Home Depot or Best Buy instead held links that would permit ASProx to drop its payload on a victim’s machine.
ASProx is part of a long-lived botnet, dating back to 2008. Once a machine is infected, the malware acts to turn that PC into yet another delivery machine for the botnet’s spam messages.
Subject lines delivered by ASProx spam look like what the typical shopper might expect to see during the holiday shopping season. “Order Confirmation,” “Thank You for Your Order,” and “Order Status” offer tempting enticements to open the email and accept it as legitimate.
The mechanism for getting the malware from the email to the potential target’s machine generally required the reader to click a link in the message. That link would go to a site, which in turn would attempt to place the malware on the visiting computer.
As the Malcovery research shows in its samples, the language in the emails isn’t well-crafted. Lines like “the personal data of the recipient coincide with yours” are clumsy, but busy people may not read all their emails as critically as they might otherwise.
Fortunately, it’s easy enough to counter such phishing attempts, whether it’s an ASProx message or any similar malicious manipulation of an ecommerce message. The ASProx links go to sites whose domain names don’t match the name of the retailer they are spoofing.
Typing the retailer’s address, such as www.walmart.com, directly into the web browser’s address bar takes the shopper to the real site, where they can log in as normal and check any relevant order status.
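The check described above, that a link's domain should match the retailer the email claims to be from, can be automated at a mail gateway or in a triage script. The following is an added example and not code from the article or from Malcovery; the retailer allowlist and the sample email body are constructed for illustration, and the mismatched link uses a reserved `.example` domain as a placeholder.

```python
import re
from urllib.parse import urlparse

# Allowlist of legitimate retailer domains (constructed for this example;
# a real deployment would maintain this from verified brand records).
RETAILER_DOMAINS = {
    "walmart": {"walmart.com"},
    "costco": {"costco.com"},
    "target": {"target.com"},
}

# Crude URL extractor for plain-text bodies: stops at whitespace and quotes.
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample message, modelled on the "Order Confirmation" lure.
SAMPLE_EMAIL = """Subject: Order Confirmation
Thank you for your order from Walmart.
The personal data of the recipient coincide with yours.
View your order status: http://walmart.com.orders-check.example/track?id=1
Help: https://help.walmart.com/
"""


def hostname_matches(hostname, allowed_domain):
    """True if hostname is exactly the allowed domain or a subdomain of it.

    The leading-dot comparison matters: 'walmart.com.orders-check.example'
    contains 'walmart.com' as a prefix but is registered under a different
    domain, and 'notwalmart.com' must not match either.
    """
    hostname = hostname.lower().rstrip(".")
    return hostname == allowed_domain or hostname.endswith("." + allowed_domain)


def extract_links(body):
    """Return every http(s) URL found in a plain-text email body."""
    return URL_RE.findall(body)


def suspicious_links(body, claimed_brand):
    """Return (link, host) pairs whose host is not under the claimed brand.

    urlparse().hostname strips scheme, port, userinfo and path, so the
    comparison is made on the actual host the browser would contact.
    """
    allowed = RETAILER_DOMAINS.get(claimed_brand.lower())
    if allowed is None:
        raise ValueError(f"unknown brand: {claimed_brand}")
    flagged = []
    for link in extract_links(body):
        host = urlparse(link).hostname or ""
        if not any(hostname_matches(host, d) for d in allowed):
            flagged.append((link, host))
    return flagged


if __name__ == "__main__":
    for link, host in suspicious_links(SAMPLE_EMAIL, "Walmart"):
        print(f"FLAG: {host} does not belong to Walmart ({link})")
```

The legitimate `help.walmart.com` link passes because it is a true subdomain of the allowlisted domain, while the lookalike host is flagged even though the string `walmart.com` appears inside it. Matching on the parsed hostname rather than on a substring of the raw URL is the design choice that makes this distinction hold.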