Fake Amazon “Your Confirmation” Phishing Emails Hide Canadian Pharmacy Spam

   6/27/2019 |  3/3/2010 |  Leave a comment
no spam stop spam

 

A spate of fake “Amazon.com – Your Confirmation” emails is making the rounds – they are phishing emails, with the supposed ‘Amazon’ links actually being hidden links going to such interesting places as http://drevmash.alfaspace.net/admiral.html, gofiberzone[dot]com/upper.html, and meeknew.com. The subject (which so far appears to use the same “confirmation” number for everyone), is “Amazon.com – Your Confirmation (0113-567494-3518071)” and supposedly comes from the email address order-update@amazon.com. In reality, they are coming from IP address 124.217.216.112, and the emails are sent from (almost certainly spoofed) email addresses such as claude.simpson@ameritrade.com and lwjtvbwrqksz@young-world.com.

Here is a sample of what the average user sees when they see this email (keep reading below to see what is hidden in the email):

Amazon.com – Your Confirmation (0113-567494-3518071)
From: order-update@amazon.com


Dear Customer,

Your order has been successfully confirmed. For your reference, here`s a summary of your order:

You just confirmed order #4003-218223-828816

No Paywall Here!
The Internet Patrol is and always has been free. We don't hide our articles behind a paywall, or restrict the number of articles you can read in a month if you don't give us money. That said, it does cost us money to run the site, so if something you read here was helpful or useful, won't you consider donating something to help keep the Internet Patrol free?
Click for amount options
Other Amount:
What info did you find here today?:
Get notified of new Internet Patrol articles for free!

Status: CONFIRMED

_____________________________________________________________________

ORDER INFORMATION
Sold by: Amazon.com, LLC

 

_____________________________________________________________________

Because you only pay for items when we ship them to you, you won`t be charged for any items that you cancel.

Thank you for visiting Amazon.com!

———————————————————————
Amazon.com
Earth`s Biggest Selection
http://www.amazon.com
———————————————————————

But look what where the “ORDER INFORMATION” link actually goes (here are two samples, with two different “payload” links to masked URLs):

 

amazon-phish-spam-alfaspace.net

 

amazon-spam-phishing-gofiberzone.com

 

Do you see the actual links that are masked as a link to your order information? In these samples, they go to:

drevmash.alfaspace[dot]net/admiral.html

and

gofiberzone[dot]com/upper.html

Both of which then redirect to this site:

meeknew[dot]com

Meeknew[dot]com then, is the actual ultimate destination of these links and, not surprisingly, is registered in China, and hosted by nameservers in Russia. And Alfaspace.net is privately registered in the Grand Cayman Islands. Also not surprising.

Nor is it surprising that the ultimate destination at Meeknew[dot]com looks like this:

meeknew

What is, perhaps, surprising is that GoFiberZone.com is not only not privately registered, but is openly registered to Benard Blasingame, in Tennessee, with full contact information available. Plus, the site has been registered since 2007, suggesting that perhaps Mr. Blasingame’s system has been co-opted by someone else for nefarious purposes, without Mr. Blasingame’s knowledge (so someone please let him know, ok?)

Registrant:
Benard Blasingame
P.O. Box 1304
Collierville, Tennessee 38027
United States

Registered through: Domains Priced Right
Domain Name: GOFIBERZONE.COM
Created on: 20-Sep-07
Expires on: 20-Sep-12
Last Updated on: 20-Sep-09

Administrative Contact:
Blassingame, Benard webmaster@onlinesuites.com
P.O. Box 1304
Collierville, Tennessee 38027
United States
(901) 854-4483 Fax —

Technical Contact:
Blassingame, Benard webmaster@onlinesuites.com
P.O. Box 1304
Collierville, Tennessee 38027
United States
(901) 854-4483 Fax —

Domain servers in listed order:
NS1.ONLINESUITES.COM
NS2.ONLINESUITES.COM

No Paywall Here!
The Internet Patrol is and always has been free. We don't hide our articles behind a paywall, or restrict the number of articles you can read in a month if you don't give us money. That said, it does cost us money to run the site, so if something you read here was helpful or useful, won't you consider donating something to help keep the Internet Patrol free?
Click for amount options
Other Amount:
What info did you find here today?:

People also searched for amazon confirmation number, what does amazon confirmation number, is there spam emails from amazon going around, ikust got a confirmation from amazon and indidnt order anything, i keep getting e-mails from amazon saying my order will be shipped soon, i am getting a call saying that an order for 799 00 has been placed on my amazon account, fishing from amazon confirmation, are there false e-mails supposedly from Amazon going around, amazon redbubble order scam, what email address does amazon confirmation come from
Follow Anne
Latest posts by Author: Anne P. Mitchell (see all)

Leave a Reply

Your email address will not be published. Required fields are marked *