Fake Amazon "Your Confirmation" Phishing Emails Hide Canadian Pharmacy Spam

A spate of fake “Amazon.com – Your Confirmation” emails is making the rounds – they are phishing emails, with the supposed ‘Amazon’ links actually being hidden links going to such interesting places as http://drevmash.alfaspace.net/admiral.html, gofiberzone[dot]com/upper.html, and meeknew.com. The subject (which so far appears to use the same “confirmation” number for everyone), is “Amazon.com – Your Confirmation (0113-567494-3518071)” and supposedly comes from the email address order-update@amazon.com. In reality, they are coming from IP address 124.217.216.112, and the emails are sent from (almost certainly spoofed) email addresses such as claude.simpson@ameritrade.com and lwjtvbwrqksz@young-world.com.

Here is a sample of what the average user sees when they see this email (keep reading below to see what is hidden in the email):

Amazon.com – Your Confirmation (0113-567494-3518071)
From: order-update@amazon.com

Dear Customer,

Your order has been successfully confirmed. For your reference, here`s a summary of your order:

You just confirmed order #4003-218223-828816

Status: CONFIRMED

_____________________________________________________________________

ORDER INFORMATION
Sold by: Amazon.com, LLC

No Paywall Here! The Internet Patrol is and always has been free. We don't hide our articles behind a paywall, or restrict the number of articles you can read in a month if you don't give us money. That said, it does cost us money to run the site, so if something you read here was helpful or useful, won't you consider donating something to help keep the Internet Patrol free?
Click for amount options
Other Amount:

_____________________________________________________________________

Because you only pay for items when we ship them to you, you won`t be charged for any items that you cancel.

Thank you for visiting Amazon.com!

———————————————————————
Amazon.com
Earth`s Biggest Selection
http://www.amazon.com
———————————————————————

But look what where the “ORDER INFORMATION” link actually goes (here are two samples, with two different “payload” links to masked URLs):

(Article continues below)

Get notified of new Internet Patrol articles for free!

Or Read Internet Patrol Articles Right in Your Inbox!
as Soon as They are Published! Only $1 a Month!
Imagine being able to read full articles right in your email, or on your phone, without ever having to click through to the website unless you want to! Just $1 a month and you can cancel at any time!

Do you see the actual links that are masked as a link to your order information? In these samples, they go to:

drevmash.alfaspace[dot]net/admiral.html

and

gofiberzone[dot]com/upper.html

Both of which then redirect to this site:

meeknew[dot]com

Meeknew[dot]com then, is the actual ultimate destination of these links and, not surprisingly, is registered in China, and hosted by nameservers in Russia. And Alfaspace.net is privately registered in the Grand Cayman Islands. Also not surprising.

Nor is it surprising that the ultimate destination at Meeknew[dot]com looks like this:

What is, perhaps, surprising is that GoFiberZone.com is not only not privately registered, but is openly registered to Benard Blasingame, in Tennessee, with full contact information available. Plus, the site has been registered since 2007, suggesting that perhaps Mr. Blasingame’s system has been co-opted by someone else for nefarious purposes, without Mr. Blasingame’s knowledge (so someone please let him know, ok?)

Registrant:
Benard Blasingame
P.O. Box 1304
Collierville, Tennessee 38027
United States

Registered through: Domains Priced Right
Domain Name: GOFIBERZONE.COM
Created on: 20-Sep-07
Expires on: 20-Sep-12
Last Updated on: 20-Sep-09

Administrative Contact:
Blassingame, Benard webmaster@onlinesuites.com
P.O. Box 1304
Collierville, Tennessee 38027
United States
(901) 854-4483 Fax —

Technical Contact:
Blassingame, Benard webmaster@onlinesuites.com
P.O. Box 1304
Collierville, Tennessee 38027
United States
(901) 854-4483 Fax —

Domain servers in listed order:
NS1.ONLINESUITES.COM
NS2.ONLINESUITES.COM

Share this Article by Text Message!

No Paywall Here!
The Internet Patrol is and always has been free. We don't hide our articles behind a paywall, or restrict the number of articles you can read in a month if you don't give us money. That said, it does cost us money to run the site, so if something you read here was helpful or useful, won't you consider donating something to help keep the Internet Patrol free? Thank you!

Get notified of new Internet Patrol articles!

People also searched for what does amazon confirmation number, i keep getting e-mails from amazon saying my order will be shipped soon, i am getting a call saying that an order for 799 00 has been placed on my amazon account, email from amazon@orderconfirmation com, confirmed amazon appoinment then they canceled, are there false e-mails supposedly from Amazon going around, amazon redbubble order scam, amazon redbubble fishing emails, amazon pay redbubble scam email, your confirmation number is bbr4559911181-24902-5286 amazon

Dan on How to (Essentially) Disable Google AMP in Google SearchThis has changed in iOS. Now, "Request desktop site" is under the drop-down menu when you touch "aA" to the left of the search bar.
Gloria Bisaccia on Internet “Traveling Cloud Museum” Shines Light on the Hart Island DeadIs it possible to find out if my brother who was stillborn in November 1945 was buried at Hart Island?
Don C on UberPET for Uber Pets is a Real Thing Not a Parody – Available Now in These Cities!Uber does not supply ALL drivers with the uberPets Kit. Only drivers in certain cities get them. I'm an Uber driver in Orlando and I have the option to except uberPets, but they said that the uberPets kits are not available in Orlando. This will cause less drivers to opt...
Jason Smith on Complete List of Gift Cards Available on AmazonYou left Staples off the list. Also, if possible, can you format the 2nd column so that the whole name of the gift card is on 1 line. It makes it difficult to read the way it is right now. Thank you.
Garret on Amazon Echo Dot Setup and How to Use the Echo Dot as an Extension of Your EchoThe answer lies not in the device. Us being the device is whom is owed the real communication.
Tina on How to Resign, Delete, or Otherwise End a Game Early in ‘Words with Friends’Same here! I have narrowed down these guy players by their names. If they have names that could be either 2 first names or 2 last names I.e. Connor Michael DONT accept. All they want to do is chat ant tell you to contact them thru Watsup!!! Then they disappear...
Tina on How to Resign, Delete, or Otherwise End a Game Early in ‘Words with Friends’That just happened to me!! I was playing a guy named Joe. Just Joe. No other info. I was beating him by almost 200 pts and when we got down to only 5 letters left he vanished!!!

Fake Amazon “Your Confirmation” Phishing Emails Hide Canadian Pharmacy Spam

Related articles:

Published by The Internet Patrol

Leave a Reply Cancel reply