Beware of fake invoice e-mails

May 9, 2009 08:58 GMT

Security researchers warn of a new e-mail malware distribution campaign targeting WorldPay customers. The fake messages claim to be the confirmation of a successful Amazon transaction, but the attached invoice is actually a computer Trojan installer.

"Thank you! Your transaction has been processed by WorldPay, on behalf of Amazon Inc. The invoice file is attached to this message. This is not a tax receipt. We processed your payment. Amazon Inc has received your order, and will inform you about delivery," the malicious e-mails read, in an attempt to trick users into opening the accompanying .zip file.

"Of course, if you haven't bought anything on Amazon lately you might be all too tempted to click on the attached file (named WorldPay_CONFR.zip). Which would be a mistake, of course, because it contains a copy of the Troj/Agent-JUC Trojan horse," advises Graham Cluley, senior technology consultant for antivirus vendor Sophos.

In an attempt to appear more believable, the fake e-mails, which bear the subject "WorldPay CARD transaction Confirmation," are pretty well spelled and written in a formal manner. For example, they attempt to clarify what might seem like obvious facts, as official e-mails generally do.

"This confirmation only indicates that your transaction has been processed successfully. It does not indicate that your order has been accepted. It is the responsibility of Amazon Inc to confirm that your order has been accepted, and to deliver any goods or services you have ordered," part of the message reads.

The authors of this campaign might have chosen WorldPay over other payment processors or card issuers because the company has been in the news several times in recent months. Back in December 2008, just before Christmas, WorldPay announced a serious data breach incident, during which unknown attackers accessed credit card transaction data.

It was later revealed that the cards compromised as a result of the intrusion were used by cyber-criminals as part of one of the most complex credit card fraud operations in history, earning them an estimated $9 million.

Also because of the breach, Visa has removed WorldPay from its list of processors compliant with the Payment Card Industry's Data Security Standard (PCI DSS), which is a requirement for all companies handling transaction data. However, despite temporarily lacking this important certification, the company has recently won a four-year government contract with the IRS to process tax-return payments beginning in 2010.