A spate of fake “Amazon.com – Your Confirmation” emails is making the rounds – they are phishing emails, with the supposed ‘Amazon’ links actually being hidden links going to such interesting places as http://drevmash.alfaspace.net/admiral.html, gofiberzone[dot]com/upper.html, and meeknew.com. The subject (which so far appears to use the same “confirmation” number for everyone) is “Amazon.com – Your Confirmation (0113-567494-3518071)”, and the email supposedly comes from the address order-update@amazon.com. In reality, they are coming from IP address 124.217.216.112, and the emails are sent from (almost certainly spoofed) email addresses such as claude.simpson@ameritrade.com and lwjtvbwrqksz@young-world.com.
Here is a sample of what the average user sees when they see this email (keep reading below to see what is hidden in the email):
Amazon.com – Your Confirmation (0113-567494-3518071)
From: order-update@amazon.com
Dear Customer,
Your order has been successfully confirmed. For your reference, here`s a summary of your order:
You just confirmed order #4003-218223-828816
Status: CONFIRMED
_____________________________________________________________________
ORDER INFORMATION
Sold by: Amazon.com, LLC
_____________________________________________________________________
Because you only pay for items when we ship them to you, you won`t be charged for any items that you cancel.
Thank you for visiting Amazon.com!
———————————————————————
Amazon.com
Earth`s Biggest Selection
http://www.amazon.com
———————————————————————
But look where the “ORDER INFORMATION” link actually goes (here are two samples, with two different “payload” links to masked URLs):
Do you see the actual links that are masked as a link to your order information? In these samples, they go to:
drevmash.alfaspace[dot]net/admiral.html
and
gofiberzone[dot]com/upper.html
Both of which then redirect to this site:
meeknew[dot]com
Meeknew[dot]com, then, is the actual ultimate destination of these links and, not surprisingly, is registered in China and hosted by nameservers in Russia. And Alfaspace.net is privately registered in the Grand Cayman Islands. Also not surprising.
Nor is it surprising that the ultimate destination at Meeknew[dot]com looks like this:
What is, perhaps, surprising is that GoFiberZone.com is not only not privately registered, but is openly registered to Benard Blasingame, in Tennessee, with full contact information available. Plus, the site has been registered since 2007, suggesting that perhaps Mr. Blasingame’s system has been co-opted by someone else for nefarious purposes, without Mr. Blasingame’s knowledge (so someone please let him know, ok?)
Registrant:
Benard Blasingame
P.O. Box 1304
Collierville, Tennessee 38027
United States
Registered through: Domains Priced Right
Domain Name: GOFIBERZONE.COM
Created on: 20-Sep-07
Expires on: 20-Sep-12
Last Updated on: 20-Sep-09
Administrative Contact:
Blassingame, Benard webmaster@onlinesuites.com
P.O. Box 1304
Collierville, Tennessee 38027
United States
(901) 854-4483 Fax —
Technical Contact:
Blassingame, Benard webmaster@onlinesuites.com
P.O. Box 1304
Collierville, Tennessee 38027
United States
(901) 854-4483 Fax —
Domain servers in listed order:
NS1.ONLINESUITES.COM
NS2.ONLINESUITES.COM
The Internet Patrol is completely free, and we don't subject you to ads or annoying video pop-ups. But it does cost us out of our pocket to keep the site going (going on 20 years now!) So your tips via CashApp, Venmo, or Paypal are appreciated!
Receipts will come from ISIPP.