Amazon iPhone order email has malware attached

Graham Cluley

Watch out folks – malware has been spammed out in an email claiming to come from Amazon.

The email, which has a subject line of “Your order confirmation for <email address>”, tries to trick you into thinking that your credit card has been used without authorisation to purchase goods on the Amazon website.

Part of the email reads:

Thank you for shopping with us. You ordered “Apple Iphone 6, Silver, 16 GB (Unlocked)”.

We’ll send a confirmation when your items ship.


Your credit card has been successfully charged for the total amount.

Please find attached the billing confirmation receipt.

If you’re paying close attention you might notice that they call it an Iphone rather than an iPhone, and that a genuine email regarding an Amazon order would contain the postal address that you wanted your goods delivered to.

But the real giveaway that this email is up to no good should be that it comes complete with an attachment – specifically a Word document.

In the example I was sent by reader Kirk McElhearn, the attachment was a Microsoft Word document called amazon_invoice_991773782.doc.

What the fraudsters are attempting to do is trick you into opening the attached file, which comes boobytrapped with a Trojan horse (you can see what various anti-virus products identify it as via this VirusTotal report – in the last 18 hours or so, many anti-virus products appear to have been updated to identify it).

If you open the Word document, your Windows computer will end up infected and compromised by the malware. And no, you’re not even going to have a 16GB iPhone delivered for all your trouble.

So, don’t see red when an email claims that your credit card has been charged for an item you never purchased. (Who would want a 16GB iPhone in this day and age anyway? Is that really enough space for all of your music, movies, apps and podcasts?)

Instead, look for clues that the email may not be legitimate. Unexpected attachments are one clue that mischief may be afoot, but also look for information (such as your snail mail address or full name) that would normally be included in the company’s emails.

Furthermore, be wary of clicking on links in unsolicited emails – as they might take you to a phishing page, or a website harbouring malware, rather than the real website. If in doubt, visit the website directly and log into your account to see if there are any unexpected orders or messages waiting for you.

In this particular case, the bogus email *does* link to the real Amazon website – the danger lies in clicking on the attached .DOC file – so don’t be fooled into thinking just because there are legitimate links in an email that the rest of the message can necessarily be trusted.
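The two clues above (an unexpected Word attachment, and legitimate links that prove nothing) can be turned into a mail-triage check. The Python below is an added example, not code from the original article: the sender and recipient addresses, the keyword list and the inert sample attachment are constructed for illustration, and only the subject line, body wording and attachment name follow the email quoted above.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy Office (.doc/.xls) container header
OFFICE_EXT = (".doc", ".docm", ".dot", ".rtf", ".xls", ".xlsm")
LURE = re.compile(r"order confirmation|invoice|receipt|charged", re.I)


def build_sample(with_attachment: bool = True) -> bytes:
    """Constructed message modelled on the quoted lure; the payload is inert filler."""
    msg = EmailMessage()
    msg["From"] = "orders@example.invalid"   # constructed sender
    msg["To"] = "reader@example.invalid"     # constructed recipient
    msg["Subject"] = "Your order confirmation for reader@example.invalid"
    msg.set_content(
        "Your credit card has been successfully charged for the total amount.\n"
        "Please find attached the billing confirmation receipt.\n"
        "https://www.amazon.com/\n"
    )
    if with_attachment:
        msg.add_attachment(OLE2_MAGIC + b"\x00" * 64, maintype="application",
                           subtype="msword", filename="amazon_invoice_991773782.doc")
    return msg.as_bytes()


def triage(raw: bytes) -> dict:
    """Flag payment-themed mail carrying an Office document, whatever its links say."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = str(msg["Subject"] or "") + "\n" + (body.get_content() if body else "")
    office = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        # Check content as well as name: a renamed file still has the OLE2 header.
        if name.endswith(OFFICE_EXT) or data.startswith(OLE2_MAGIC):
            office.append(name or "(unnamed)")
    hosts = re.findall(r"https?://([^/\s\"'<>]+)", text)
    lure = bool(LURE.search(text))
    # Link hosts are reported for the analyst but never used to clear the message.
    return {"office_attachments": office, "lure_wording": lure,
            "link_hosts": hosts, "quarantine": bool(office) and lure}


if __name__ == "__main__":
    print(triage(build_sample()))
```

The result lists the link hosts alongside the verdict, so a reviewer can see that a message pointing at the genuine site is still held because of its attachment.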

Hat-tip: Thanks to journalist and author Kirk McElhearn for bringing this malware campaign to my attention. Kirk is known to many in the Apple community as “The iTunes Guy”, and runs his own website where he discusses everything to do with the world of Apple (as well as some Shakespeare, Grateful Dead and Bob Dylan), and has a forum dedicated to solving people’s problems with iTunes.

You would think that running a forum helping people with iTunes problems would keep him busy enough, but you can also check him out on “The Committed”, a great Apple-related podcast which just celebrated its 100th episode.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
