Beware! Hackers Using New Amazon Gift Card Scam to Infect Devices with Banking Malware

With movement restrictions and lockdowns due to the COVID-19 pandemic, millions of people have preferred to shop online during the holiday season. Cybercriminals, however, are taking advantage of that situation with scams and malware targeting online shoppers. Among those, an Amazon gift card scam has attracted the attention of cybersecurity researchers as it could not only cost you money but also make your device vulnerable to hacking.

Discovered by cybersecurity research firm Cybereason, the scam targets people in Europe and the US. With many people staying home, gift cards have become a popular present for loved ones during Christmas. However, one such “too good to be true” offer is designed to serve the Dridex banking trojan.

“Both cybercriminals and nation-state threat actors alike find and exploit trending circumstances in order to leverage a given situation to infect unsuspecting victims, such as the holiday season, the ongoing COVID-19 pandemic, or both of them combined,” Daniel Frank, a cybersecurity researcher at Cybereason, said in a blog post.

Cybercriminals are sending spoofed emails pretending to give out a $100 Amazon gift card

Dridex Malware

The malware is delivered by phishing attacks through a spoofed email that reads, “We are delighted to enclose a $100 Amazon gift card as our way of saying Thank You.” The email also contains an Amazon order date and number. However, the email comes with a malicious Word document or screensaver file attached. After downloading the attachment, users are redirected to Amazon’s legitimate webpage, “gaining more credibility with the victim.”

Once the user opens the document, it prompts them to run a malicious macro. After the macro is enabled, the document shows a fake error message, “Word experienced an error trying to open the file”. In reality, a Windows PowerShell script runs in the background to serve the Dridex malware.

Phishing email
The phishing email contains a Word file to serve Dridex malware that can steal banking credentials

Apart from spoofed emails, hackers are also using a second delivery method involving screensaver files (with .scr extension). Using SCR to infect devices has gained popularity amongst hackers as it…
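Both delivery paths described above leave a recognizable trace in process-creation logs: Word starting PowerShell, and a .scr file running from a user folder. The following is an added example, not code from the article or from Cybereason, that flags both patterns; it goes beyond the article by also covering other Office applications and script hosts, and the rule names, the trusted-directory list and the sample events are assumptions made for illustration.

```python
import ntpath  # parses Windows paths correctly on any operating system

# Word is the application named in the article; the others are a generalization.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe",
                   "wscript.exe", "cscript.exe", "mshta.exe"}
# Assumption: genuine screensavers are only expected under the Windows directory.
TRUSTED_SCR_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def classify(event):
    """Return the names of the rules matched by one process-creation event."""
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    hits = []
    # Macro path: an Office application is the parent of a script host.
    if (ntpath.basename(parent) in OFFICE_PARENTS
            and ntpath.basename(image) in SCRIPT_CHILDREN):
        hits.append("office_spawns_script_host")
    # Screensaver path: a .scr file executes from outside the Windows directory.
    if image.endswith(".scr") and not image.startswith(TRUSTED_SCR_DIRS):
        hits.append("scr_outside_windows_dir")
    return hits


def triage(events):
    """Map event index to matched rules, leaving out events that match nothing."""
    return {i: rules for i, e in enumerate(events) if (rules := classify(e))}


# Constructed sample events. Field names follow Sysmon Event ID 1;
# every path and file name here is invented for the example.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Users\alice\Downloads\gift_card.scr"},
    {"ParentImage": r"C:\Windows\System32\winlogon.exe",
     "Image": r"C:\Windows\System32\scrnsave.scr"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

if __name__ == "__main__":
    for index, rules in triage(SAMPLE_EVENTS).items():
        print(index, rules, SAMPLE_EVENTS[index]["Image"])
```

PowerShell opened by the user from Explorer and the stock screensaver in System32 are deliberately left unflagged, which keeps the rules focused on the parent-child relationship and file location rather than on the binaries themselves.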