• by Ray Schultz , December 28, 2020

Amazon gift cards may not be the gifts they seem for some consumers. Threat actors are sending fake cards to deliver the Dridex banking trojan, the Cybereason Nocturnus team revealed last week. 

The emails appear to be legitimate — they use icons and naming conventions to lure recipients into downloading malicious attachments, according to a blog post on the scam..

The vast majority of victims are from the U.S. and Western European countries, where Amazon is popular and has local websites, it says.

In technical terms, the criminals use three methods to infect the systems of the unsuspecting:

• Word document that contains a malicious macro 
• Self-extracting SCR file, a known technique used by Dridex 
• VBScript file attached to the email, another known technique used by Dridex.

One email uses the subject line, “Amazon.com sent you an Amazon Gift Card!”

The email states: “We are delighted to enclose $100 Amazon gift card as our way of saying Thank You."

In addition, the email contains a purported order number. 

Victims who fall for this are subjected to banking data exfiltration once they take in the Dridex payload, the report says.

“Consumers have long been a favored target for cybercriminals, and the sharply increased volume of online shopping spurred by the COVID-19 pandemic have made consumer-focused attacks potentially even more attractive,” the post observes.