Did you receive notice that you've purchased a high-end device from Amazon?

Dec 30, 2011 09:47 GMT

Did you order a Sprint HTC Evo Android cell phone, or any other similar gadget from Amazon.com? If not, then you’re being targeted by the latest malware-spreading campaign that comes as an email allegedly sent by Amazon to confirm that the device is already paid for with your credit card.

“We thought you'd like to know that we shipped this portion of your order separately to give you quicker service. You won't be charged any extra shipping fees, and the remainder of your order will follow as soon as those items become available. If you need to return an item from this shipment or manage other orders, please visit Your Orders on Amazon.com,” reads part of the email.

Users who may be tempted to click on the links contained in the message are taken to a website that serves a piece of malware which relies on unpatched Windows vulnerabilities to drop its payload.

The malware in question is a variant of Cridex, specifically designed to steal personal and financial information from the computer it lands on, reports Hoax Slayer.

Win32/Cridex is usually delivered via spammed malware such as variants of Exploit:JS/Blacole, and it is programmed to spread to removable drives. Besides banking credentials, it also targets local certificates, and it is able to execute files, which makes it even more dangerous.

Once executed, the malicious element drops a copy of the worm as a randomly named file and modifies the registry to make sure it’s executed each time the operating system boots.

After the dropper is deleted, Cridex injects itself into every running process, including ones that are created later.
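The persistence step described above (a randomly named copy plus a registry entry that runs it at boot) can be hunted for in exported autorun data. The following is an added example, not code from the article or from any vendor; it assumes the entries come from the standard Windows `Run` keys, and the user-writable directory list, the thresholds and the sample entries are constructed for illustration.

```python
import math
import ntpath
import re
from collections import Counter

# Assumption: directories a standard user can write to; tune for your estate.
USER_WRITABLE = ("\\appdata\\", "\\application data\\", "\\local settings\\", "\\temp\\")

def exe_path(command):
    """Pull the executable path out of an autorun command line."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.(?:exe|scr|com|bat|dll))(?:\s|$)", command, re.I)
    return m.group(1) if m else command.split(" ", 1)[0]

def entropy(s):
    """Shannon entropy of the characters in s, in bits per character."""
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def looks_random(stem):
    """Heuristic (assumed thresholds): 6+ alphanumerics, varied, few vowels."""
    s = stem.lower()
    if len(s) < 6 or not s.isalnum():
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in s) / len(s)
    return entropy(s) >= 2.5 and vowel_ratio <= 0.25

def flag_autoruns(entries):
    """Return (key, value name, path) for autoruns matching both conditions."""
    hits = []
    for key, name, command in entries:
        path = exe_path(command)
        stem = ntpath.splitext(ntpath.basename(path))[0]
        if any(d in path.lower() for d in USER_WRITABLE) and looks_random(stem):
            hits.append((key, name, path))
    return hits

RUN = r"Software\Microsoft\Windows\CurrentVersion\Run"
# Constructed sample entries, not taken from a real Cridex infection.
SAMPLE = [
    ("HKCU\\" + RUN, "qzxvbnmk", r'"C:\Users\alice\AppData\Roaming\qzxvbnmk.exe"'),
    ("HKLM\\" + RUN, "SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
    ("HKCU\\" + RUN, "OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("HKCU\\" + RUN, "x7k2m9pq", r"C:\Users\alice\AppData\Local\Temp\x7k2m9pq.exe -s"),
]

if __name__ == "__main__":
    for hit in flag_autoruns(SAMPLE):
        print(hit)
```

A hit is a lead for triage rather than a verdict: legitimate updaters also start from user profile directories, so check the flagged file's signature and origin before acting on it.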

Users are advised to immediately delete these emails and avoid clicking on the links contained in them. An up-to-date security solution will in most cases detect the piece of malware, so it’s always recommended to rely on at least basic protection software and a lot of common sense.