Dec 10 2014

Holiday Order-Confirmation Emails Might Be a Malware Trap

During the holidays, what appears to be a valid message may actually be the electronic equivalent of a lump of coal.

With the appetite for e-commerce holiday shopping on the rise, emails from online stores confirming your orders will make recurring appearances in many inboxes this December. But consumers should know that email is still the Wild West when it comes to threats from spammers and hackers. (Have you received an invitation to do international business with a Nigerian prince lately?)

As consumers and retailers get swept up in the holiday madness, it’s important for both sides to keep an eagle eye out for suspicious behavior online in all areas, including order-confirmation emails.

In a recent blog post, security blogger Brian Krebs, whose blog Krebs on Security was named one of BizTech’s 2014 Must-Read IT Blogs, highlighted the nefarious schemes that malware proprietors are hatching to snatch valuable customer information this holiday season. His post highlights some of the nasty “presents” awaiting users who inadvertently click on the bad links in these counterfeit order-confirmation emails from major retailers such as Target, Wal-Mart and Costco.

Here’s Krebs’ advice to users who receive order-confirmation emails:

If you receive an email from a recognized brand that references an issue with an online or in-store order and you think it might be legitimate, do not click the embedded links or attachment. Instead, open up a Web browser and visit the merchant site in question. Generally speaking, legitimate communications about order issues will reference an order number and/or some other data points specific to the transaction — information that can be used to look up the order status at the merchant’s Web site.

These scams feed the Asprox spam botnet, which hijacks and infects machines and spreads malware into more networks through junk email, unbeknownst to the user, Krebs writes.

On the consumer side, it’s important to be cautious about opening these kinds of emails, especially if you didn’t actually order anything from the store sending you a so-called order-confirmation email. (Sorry, Santa Claus isn’t that nice!) For retailers, it’s important to warn customers about these scams as soon you catch wind of them. The last thing you want is a mob of furious customers blaming your business for the naughtiness of a gang of malware grinches.