Shoppers targeted by Amazon Gift Card scam spreading the Dridex Trojan

This Holiday season cybercriminals decided to deliver malware with the help of fake Amazon Gift Card scams

Fake emails about Amazon Gift Cards spread banking trojan around the US and Europe.

Amazon gift cards looking exactly like the ones you receive from Amazon deliver Dridex banking malware for the gullible people. They have the correct Amazon logos, order numbers, and so on, but researchers in Cybereason discovered^[1] that when clicked on (and the email urges customers to do so), unaware computer users get their machines infected with the Dridex banking trojan.

2020 has been a tough year and because most of us are still on lockdowns due to the pandemic and many physical shops are closed — online shopping is the easiest way to get presents for your loved ones. Cybercriminals realized that and tried to exploit it by conducting phishing campaigns, this time by sending fake $100 Amazon gift cards.

Amazon gift card scams^[2] are a reoccurring problem. In this instance, the main difference between a legitimate and a fake Amazon gift card is that the company would never ask you to download any file to redeem a gift certificate. A legitimate gift card receiving email contains a code that you enter on Amazon.com to add funds to your account.

Three attacking techniques are hidden in one phishing email

Cybercriminals sent out tens of thousands of phishing emails mainly to users in the USA and Western Europe. The subject of the email suggests that Amazon has sent a gift card. Once the email is opened, users are tricked into believing that one of the biggest companies in the world has sent them a free gift of $100. The whole message reads:

We are delighted to enclose a $100 Amazon gift card as our way of saying Thank You

Once an unaware user clicks on the fake gift card, one of the following three (in some cases all three) Dridex banking trojan delivery methods are used:

• A Word file is downloaded that urges the soon to be victims to enable macros. Once the “Enable Content” button is pressed, payload files of the malware are downloaded onto the device.
• Screensaver (SCR) files containing malicious scripts and that are able to evade email security are downloaded.
• A VBScript file^[3] that is embedded in the body of the email is executed as soon as the link is pressed.

Dridex banking trojan – highly persistent malware

The Dridex banking trojan isn't a newly created malware. It's been active since 2012.^[4] This malware targets computers only with Windows Operating System, and the main goal of it is to steal banking credentials.^[5]

Apart from its primary goal, this Trojan is capable of downloading additional malware, such as BitPaymer, DoppelPaymer ransomware, and other targeted ransomware. In March of 2020, the Dridex trojan even made the top ten malware list as the third most predominant malware.^[6]

The Dridex banking trojan is usually distributed through phishing emails. Computer users should always be cautious and attentive to what emails they are opening. Make sure the sender's domain matches the company domain, no grammatical or any other irregularities or inconsistencies are in the received email before clicking a link or downloading an attachment. And remember, legitimate companies will never push you to visit their sites or to downloaded unsolicited attachments.