Menu
Share
Share this story
Close X
 
Switch to Desktop Site

Be cautious of the 'order confirmation' email. It could be a malware attack

(Read article summary)
View video

AP Photo/David Becker/File

(Read caption) Joe Abbey, Arxan Technologies' director of software engineering, displays on his computer how he hacked into a phone app during a demonstration at the Black Hat USA 2014 cyber security conference, in Las Vegas. Experts say systems grow more susceptible to attack with more user-friendly websites and apps.

View photo

You've no doubt been doing a bit of online shopping in preparation for the holidays, so getting an order confirmation email from a store like Target, Home Depot, Walmart or Costco most likely wont set off any alarm bells for you.  After all, you probably think you know how to spot an email scam from a mile away: there are the misspelled appeals for cash, the promises of future riches and, of course, the desperate signatures of unjustly usurped Nigerian princes. But those seemingly innocent order confirmations may be just as sinister as the grammatically incorrect ramblings of your Nigerian pen-pal.

As noted in a recent post on Krebs on Security, phishing scams, where cyber-criminals craft fake but authentic-looking emails from trusted companies in order to steal your personal information, are becoming increasingly common--especially during the holiday season. Here's how it works: You get an email with the subject line "Thank you for shopping at Target!" You click on it, and the body of the email looks something like this:  http://www.bradsdeals.com/blog/beware-that-order-confirmation-email-could-be-a-malware-attack

About these ads

This probably strikes you as a little odd-- maybe you don't remember buying anything from Target, or maybe you did order something, but didn't opt for in-store pickup. Either way, you're gonna be tempted to click on that link to get to the bottom of this, and if you do, you'll be playing right into the hands of the scammers. See, that link won't lead you to Target.com. Instead, you'll be redirected to a foreign site that will automatically download a .ZIP file filled with malware designed to hack your computer and steal things like your credit card numbers, your banking information, and your sensitive personal data. Sometimes this malware will be disguised as an attachment which the email text will implore you to open, but no matter how it's presented, you should NEVER click on it!

Luckily, it's easy to spot a phishing scam once you know what to look for.

If you're a frequent online shopper, you'll know that you usually receive an order confirmation immediately after you make a purchase online. If you're getting emails with subject lines like "Order Confirmation" "Acknowledgment of Order" "Order Status" or "Thank You for Your Order" and you haven't bought something within the last 15 minutes, it's safe to say they're not legit. Also, look out for misspellings, poor grammar and weird send-offs. For example, the above email is riddled with red flags, like: "You may pick it in any store of Target.com closest to you within four days." It is highly improbable that a company like Target would ever include such a glaringly incorrect sentence in what is supposedly an auto-confirmation email. Scammers often purposely include typos, as people who don't notice them are more likely to fall for their tricks. If you get an email that looks like it's from a store you DID recently order from, make sure you double check the address of the sender.

If you get an email from Target but the sender's address is no-reply@youngblood.net, it's a scam. Also, take care to hover over all the links in the body of the email. If they seem to be directing you somewhere other than the official store website, don't risk it. Most retailers let you check your order status and history on their store pages, so go there first if you get a fishy (or phishy) looking email. Finally, phishing scams don't only happen during the holidays. Here are a few things to look out for if you want to stay safe from scammers year-round:

  1. Password reset requests from Facebook, Twitter, Tumbler and other social networks -- Facebook says it clearly in its security policy: "Facebook will never request your password over email, and we advise against providing your login information to anyone under any circumstances." Don't fall for this!
  2. "Urgent" messages from banks, health insurance companies or government agencies asking you to provide personal information -- IT'S A TRAP! Sophisticated hackers often use this trick, and link to a form for you to fill out on website that looks just like your bank's. But entering your info here will almost certainly result in identify theft down the road.
  3. Messages from contests or lotteries you've never heard of -- Sadly, you can't win a contest you didn't enter. Mark these million-dollar emails as junk and don't look back. 

Follow Stories Like This
Get the Monitor stories you care about delivered to your inbox.