Spammers target Amazon holiday shoppers with Trojan-infected emails

News by Doug Drinkwater

Researchers at Malwarebytes say that spammers are targeting Amazon account holders with emails carrying two different types of Trojan malware.

Christopher Boyd gave a detailed breakdown of the spam messages on the firm's blog, where he said that suspicions were raised after receiving purported Amazon order invoices dated on the 8th and 9th of December.

The emails, which targeted those with Microsoft Live email accounts, carried infected ZIP attachments that falsely claimed to contain both the order invoice and order details.

Boyd found that there were two types of Trojans – the Trojan.Inject.RRE (virus score 28/49) and Trojan.Zbot.ML (virus score 19.49) – inside the ZIP files, but said that Outlook/Hotmail accounts caught both messages as spam. He added that the webmail client was able to pick up that the emails were infected with an unknown virus.

The analyst added that Amazon delivery notice spam emails are common at this time of year, but nonetheless urged users never to download and run an executable from a random file. He also said that users should familiarise themselves with the Amazon security page, check the sender's email address and look for any other email addresses attached to the message.

“If Amazon were going to email you about an order, they wouldn't CC in about a dozen or more additional email accounts belonging to somebody else,” he wrote. “Smart scammers would use BCC – take advantage of their laziness and learn to spot the red flags.”

“Amazon shoppers will continue to be popular targets for scammers throughout December, and fake orders/cancellations/invoices will be delivered straight to their doorstep for a few more weeks yet.”
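The red flags Boyd lists (a sender address that does not match the brand, a crowd of visible recipients, an executable inside a ZIP attachment) can be checked mechanically. The following is an added example, not code from the article or from Malwarebytes; the domain list, extension list, recipient threshold and function names are assumptions made for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import getaddresses, parseaddr

EXPECTED_DOMAINS = {"amazon.com", "amazon.co.uk"}  # assumed for this example
RISKY_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".js")
MAX_VISIBLE_RECIPIENTS = 3  # assumed threshold

def red_flags(raw: bytes) -> list:
    """Return the red flags found in one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    flags = []
    # Sender: display name claims Amazon but the address domain does not match.
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    if "amazon" in name.lower() and domain not in EXPECTED_DOMAINS:
        flags.append(f"sender domain mismatch: {domain}")
    # Recipients: an order email should not expose many unrelated addresses.
    visible = getaddresses([str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])])
    if len(visible) > MAX_VISIBLE_RECIPIENTS:
        flags.append(f"{len(visible)} visible recipients")
    # Attachments: list ZIP members without extracting or running anything.
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        if not filename.endswith(".zip"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                members = zf.namelist()
        except zipfile.BadZipFile:
            flags.append(f"unreadable ZIP: {filename}")
            continue
        flags += [f"executable in {filename}: {m}" for m in members
                  if m.lower().endswith(RISKY_EXTENSIONS)]
    return flags

def build_sample() -> bytes:
    """Constructed message (not a real sample): fake invoice with a ZIP attached."""
    msg = EmailMessage()
    msg["From"] = "Amazon Orders <billing@example.net>"
    msg["To"] = "shopper@example.org"
    msg["Cc"] = ", ".join(f"user{i}@example.org" for i in range(12))
    msg.set_content("Order details attached.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.exe", b"placeholder bytes, not malware")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="order.zip")
    return msg.as_bytes()
```

Calling `red_flags(build_sample())` reports all three flags for the constructed message; a message from an expected domain with one recipient and no attachment returns an empty list.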

When speaking to, Boyd said that spammers often targeted holiday shoppers too “rushed off their feet” to check email authentication, but said that the Trojans themselves are unlikely to be entirely new threats.

“Many of the files seen in this spam run are often reworked versions of older threats and anybody can repackage an older attack to help it bypass anti-virus protection. There seems to be a decent range of security coverage here, but the malware authors will likely continue to rework their files to infect as many PCs as possible.”

Sophos global head of security research James Lyne said that the news was further evidence of malicious code doing the rounds over the holiday season period, but warned ecommerce companies, like Amazon, that phishing attacks are now more sophisticated – and believable – than ever before.

“There are certain stereotypes about these kinds of spam messages but they aren't always true,” Lyne told “For example, scam messages don't always have bad English, poor copies of logos or really obviously dodgy links. Sometimes they look practically identical to legitimate messages.”

Lyne continued by suggesting customers go directly to the vendor to confirm the status of their order, and said that they should ensure that their devices are fully patched, run up-to-date software and have endpoint security and web filtering to catch phishing web links.

Lyne said that holiday scams now range from fake parcel delivery notes and security issues with popular providers like Amazon to greeting cards from friends and family. 

“At this time of year people are far more likely to click without thinking even without the seasonal focus from cyber criminals. Not to be a holiday scrooge but we all need to be a little more sceptical this Christmas.”
