Be Wary of ‘Order Confirmation’ Emails

If you receive an email this holiday season asking you to “confirm” an online e-commerce order or package shipment, please resist the urge to click the included link or attachment: Malware purveyors and spammers are blasting these missives by the millions each day in a bid to trick people into giving up control over their computers and identities.

(Above: An “order confirmation” malware email blasted out by the Asprox spam botnet recently.)

Seasonal scams like these are a perennial scourge of the holidays, mainly because the methods they employ are reliably successful. Crooks understand that it’s easier to catch would-be victims off-guard during the holidays. This goes even for people who generally know better than to click on links and attachments in emails that spoof trusted brands and retailers, because this is a time of year when many people are intensely focused on making sure their online orders arrive before Dec. 25.

(Above: This Asprox malware email poses as a notice about a wayward package from a WalMart order.)

According to Malcovery, a company that closely tracks email-based malware attacks, these phony “order confirmation” spam campaigns began around Thanksgiving, and use both booby-trapped links and attached files in a bid to infect recipients’ Windows PCs with the malware that powers the Asprox spam botnet.

Asprox is a nasty Trojan that harvests email credentials and other passwords from infected machines, turns the host into a zombie for relaying junk email (such as the pharmaceutical spam detailed in my new book Spam Nation), and perpetuates additional Asprox malware attacks. Asprox also deploys a scanning module that forces hacked PCs to scan websites for vulnerabilities that can be used to hack the sites and foist malware on visitors to that site. For an exhaustive and fairly recent analysis of Asprox, see this writeup (PDF) from Trend Micro.

(Above: Target is among the many brands being spoofed by Asprox this holiday season.)

Malcovery notes that the Asprox spam emails use a variety of subject lines, including “Acknowledgment of Order,” “Order Confirmation,” “Order Status,” “Thank you for buying from [insert merchant name here]”, and “Thank you for your order.”

If you receive an email from a recognized brand that references an issue with an online or in-store order and you think it might be legitimate, do not click the embedded links or attachment. Instead, open up a Web browser and visit the merchant site in question. Generally speaking, legitimate communications about order issues will reference an order number and/or some other data points specific to the transaction — information that can be used to look up the order status at the merchant’s Web site. I know I’m probably preaching to the choir for the loyal readers of this site, but I’m sure most of you have friends and relatives who could use a reminder about all of this. Please feel free to forward them a link to this story.
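The indicators described above (the subject lines Malcovery lists, plus links, attachments or sender addresses that do not belong to the named merchant) can be checked mechanically at a mail gateway. This is an added example, not code from the original article or from Malcovery; the brand-to-domain map, the function names and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse
# Subject wording Malcovery reported for this campaign (from the article).
CAMPAIGN_SUBJECT = re.compile(
    r"acknowledgment of order|order confirmation|order status|"
    r"thank you for buying from|thank you for your order", re.I)
# Assumption: the defender maintains this brand -> legitimate domain map.
BRAND_DOMAINS = {"home depot": "homedepot.com", "walmart": "walmart.com",
                 "target": "target.com", "costco": "costco.com"}
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)

def on_domain(host, domain):  # exact domain or a true subdomain only
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def triage(raw):
    """Return the reasons a message looks like a spoofed order notice."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    display, addr = parseaddr(msg.get("From", ""))
    reasons = []
    if CAMPAIGN_SUBJECT.search(subject):
        reasons.append("campaign-style subject")
    brand = next((b for b in BRAND_DOMAINS if b in f"{display} {subject}".lower()), None)
    for part in msg.walk():
        if part.get_filename():
            reasons.append("attachment: " + part.get_filename())
        elif part.get_content_maintype() == "text" and brand:
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            for url in URL.findall(body):
                host = urlparse(url).hostname
                if not on_domain(host, BRAND_DOMAINS[brand]):
                    reasons.append(f"link leaves {BRAND_DOMAINS[brand]}: {host}")
    if brand and not on_domain(addr.rpartition("@")[2], BRAND_DOMAINS[brand]):
        reasons.append("sender domain is not " + BRAND_DOMAINS[brand])
    return reasons

def is_suspicious(raw):
    """Subject wording alone is not enough; require a second signal."""
    reasons = triage(raw)
    return "campaign-style subject" in reasons and len(reasons) > 1

# Constructed sample messages (not real campaign mail).
SPOOF = ('From: "Walmart" <orders@mail.example.net>\nSubject: Order Status\n\n'
         "Delivery failed, details: http://walmart.com.example.org/track\n")
LEGIT = ('From: "Walmart" <help@walmart.com>\nSubject: Order Confirmation\n\n'
         "View order 1234 at https://www.walmart.com/orders\n")
```

The From header can be forged, so a sender address on the merchant's domain is not proof of legitimacy; a gateway should combine this check with its SPF, DKIM and DMARC results.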

(Above: Image: Malcovery)

(Reprinted with permission from KrebsOnSecurity.com)

Tips for a Safe, Secure Online Shopping Experience

Even though the holiday season can be quite busy, it’s never too busy to ensure that your personal information is safe when shopping online.

The total financial loss attributed to identity theft in 2013 is estimated to be $21 billion. As a consumer, you should be on high alert this holiday season, and any time you choose to make purchases online, to avoid falling victim to identity theft and to protect your sensitive financial information.

Find helpful tips below from our partner, Independent Community Bankers of America® (ICBA), and from Premier Bank, that you should consider if you are planning to make any of your holiday purchases online in the coming weeks.

  • Tip #1 – Secure your computer and browser by setting your firewall, anti-virus and anti-spyware software to automatically update and scan your computer.
  • Tip #2 – When creating online passwords, use one that is unique and that only you know.
  • Tip #3 – Don’t give Social Security or driver’s license numbers over the phone, through the mail or on the Internet unless you know exactly whom you’re dealing with.
  • Tip #4 – If you receive an email asking for personal information, do not hit the reply button or click on any links. Go to the sender’s website to investigate further.
  • Tip #5 – Look for secure sites with an “s” in the URL (https://) and a closed-padlock icon on the Web page when making purchases. These websites are secure.
  • Tip #6 – Double-check URLs to be sure you are shopping with the company you intended. A simple typo can help identity thieves.

At Premier Bank, our customers’ safety and financial security is our top priority. If you have questions about the security of your financial information, our team at Premier is more than happy to discuss any problems or concerns you might have. Happy Holidays!

Ebola Phishing Scams and Malware Campaigns

From The Department of Homeland Security’s United States Computer Emergency Readiness Team (US-CERT) website:

“US-CERT reminds users to protect against email scams and cyber campaigns using the Ebola virus disease (EVD) as a theme. Phishing emails may contain links that direct users to websites which collect personal information such as login credentials, or contain malicious attachments that can infect a system.”

Read more on the US-CERT website, including preventive measures you can use.