Posted on by

Fake Amazon “Your Confirmation” Phishing Emails Hide Canadian Pharmacy Spam

If you find this useful please share it!

Share This Article by Text Message!


 

A spate of fake “Amazon.com – Your Confirmation” emails is making the rounds – they are phishing emails, with the supposed ‘Amazon’ links actually being hidden links going to such interesting places as http://drevmash.alfaspace.net/admiral.html, gofiberzone[dot]com/upper.html, and meeknew.com. The subject (which so far appears to use the same “confirmation” number for everyone), is “Amazon.com – Your Confirmation (0113-567494-3518071)” and supposedly comes from the email address order-update@amazon.com. In reality, they are coming from IP address 124.217.216.112, and the emails are sent from (almost certainly spoofed) email addresses such as claude.simpson@ameritrade.com and lwjtvbwrqksz@young-world.com.

Here is a sample of what the average user sees when they see this email (keep reading below to see what is hidden in the email):

Amazon.com – Your Confirmation (0113-567494-3518071)
From: order-update@amazon.com


 

Dear Customer,

Your order has been successfully confirmed. For your reference, here`s a summary of your order:

You just confirmed order #4003-218223-828816


 

Status: CONFIRMED

_____________________________________________________________________

ORDER INFORMATION
Sold by: Amazon.com, LLC

_____________________________________________________________________

Because you only pay for items when we ship them to you, you won`t be charged for any items that you cancel.

Thank you for visiting Amazon.com!

———————————————————————
Amazon.com
Earth`s Biggest Selection
http://www.amazon.com
———————————————————————

But look what where the “ORDER INFORMATION” link actually goes (here are two samples, with two different “payload” links to masked URLs):

 

amazon-phish-spam-alfaspace.net

(Article continues below)
Get notified of new Internet Patrol articles for free!
Or Read Internet Patrol Articles Right in Your Inbox!
as Soon as They are Published! Only $1 a Month!
Imagine being able to read full articles right in your email, or on your phone, without ever having to click through to the website unless you want to! Just $1 a month and you can cancel at any time!
Fake Amazon “Your Confirmation” Phishing Emails Hide Canadian Pharmacy Spam

 

amazon-spam-phishing-gofiberzone.com

 

Do you see the actual links that are masked as a link to your order information? In these samples, they go to:

drevmash.alfaspace[dot]net/admiral.html

and

gofiberzone[dot]com/upper.html

Both of which then redirect to this site:

meeknew[dot]com

Meeknew[dot]com then, is the actual ultimate destination of these links and, not surprisingly, is registered in China, and hosted by nameservers in Russia. And Alfaspace.net is privately registered in the Grand Cayman Islands. Also not surprising.

Nor is it surprising that the ultimate destination at Meeknew[dot]com looks like this:

meeknew

What is, perhaps, surprising is that GoFiberZone.com is not only not privately registered, but is openly registered to Benard Blasingame, in Tennessee, with full contact information available. Plus, the site has been registered since 2007, suggesting that perhaps Mr. Blasingame’s system has been co-opted by someone else for nefarious purposes, without Mr. Blasingame’s knowledge (so someone please let him know, ok?)

Registrant:
Benard Blasingame
P.O. Box 1304
Collierville, Tennessee 38027
United States

Registered through: Domains Priced Right
Domain Name: GOFIBERZONE.COM
Created on: 20-Sep-07
Expires on: 20-Sep-12
Last Updated on: 20-Sep-09

Administrative Contact:
Blassingame, Benard webmaster@onlinesuites.com
P.O. Box 1304
Collierville, Tennessee 38027
United States
(901) 854-4483 Fax —

Technical Contact:
Blassingame, Benard webmaster@onlinesuites.com
P.O. Box 1304
Collierville, Tennessee 38027
United States
(901) 854-4483 Fax —

Domain servers in listed order:
NS1.ONLINESUITES.COM
NS2.ONLINESUITES.COM

Share this Article by Text Message!

No Paywall Here!
The Internet Patrol is and always has been free. We don't hide our articles behind a paywall, or restrict the number of articles you can read in a month if you don't give us money. That said, it does cost us money to run the site, so if something you read here was helpful or useful, won't you consider donating something to help keep the Internet Patrol free? Thank you!

Fake Amazon “Your Confirmation” Phishing Emails Hide Canadian Pharmacy Spam

Get notified of new Internet Patrol articles!
People also searched for your confirmation number is bbr4559911181-24902-5286 amazon, why do i keep getting emails from amazon in, what email address does amazon confirmation come from, text saying amazon order has been placed, email from amazon@orderconfirmation com, confirmed amazon appoinment then they canceled, amazon redbubble order scam, amazon redbubble fishing emails, amazon pay redbubble scam email, amazon confirmation number

If you find this useful please share it!

Published by The Internet Patrol

The Internet Patrol is published by ISIPP Publishing. Anne P. Mitchell, attorney at law, is the editor of the Internet Patrol, and the CEO of ISIPP Publishing. Anne was one of the first Internet Law and Policy attorneys, and a Professor of Internet Law and Policy. She is also a legislative consultant, and wrote part of our Federal anti-spam law.

Leave a Reply

Your email address will not be published. Required fields are marked *