Amazon iPhone order email has malware attached

Graham Cluley

Watch out folks – malware has been spammed out in an email claiming to come from Amazon.

The email, which has a subject line of “Your order confirmation for <email address>”, tries to trick you into thinking that your credit card has been used without authorisation to purchase goods on the Amazon website.

Amazon malware email

Part of the email reads:

EmailSign up to our newsletter
Security news, advice, and tips.

Thank you for shopping with us. You ordered “Apple Iphone 6, Silver, 16 GB (Unlocked)”.

We’ll send a confirmation when your items ship.


Your credit card has been successfully charged for the total amount.

Please find attached the billing confirmation receipt.

If you’re paying close attention you might notice that they call it an Iphone rather than an iPhone, and that a genuine email regarding an Amazon order would contain the postal address that you wanted your goods delivered to.

But the real giveaway that this email is up to no good should be that it comes complete with an attachment – specifically a Word document.

Word documentIn the example I was sent by reader Kirk McElhearn, the attachment was a Microsoft Word document called amazon_invoice_991773782.doc.

What the fraudsters are attempting to do is trick you into opening the attached file, which comes boobytrapped with a Trojan horse (you can see what various anti-virus products identify it as via this VirusTotal report – in the last 18 hours or so, many anti-virus products appear to have been updated to identify it).

If you open the Word document, your Windows computer will end up infected and compromised by the malware. And no, you’re not even going to have a 16GB iPhone delivered for all your trouble.

So, don’t see red when an email claims that your credit card has been charged for an item you never purchased. (Who would want a 16GB iPhone in this day and age anyway? Is that really enough space for all of your music, movies, apps and podcasts?)

Instead, look for clues that the email may not be legitimate. Unexpected attachments are one clue that mischief may be afoot, but also look for information (such as your snail mail address or full name) that would normally be included in the company’s emails.

Furthermore, be wary of clicking on links in unsolicited emails – as they might take you to a phishing page, or a website harbouring malware, rather than the real website. If in doubt, visit the website directly and log into your account to see if there are any unexpected orders or messages waiting for you.

In this particular case, the bogus email *does* link to the real Amazon website – the danger lies in clicking on the attached .DOC file – so don’t be fooled into thinking just because there are legitimate links in an email that the rest of the message can necessarily be trusted.

Hat-tip: Thanks to journalist and author Kirk McElhearn for bringing this malware campaign to my attention. Kirk is known to many in the Apple community as “The iTunes Guy”, and runs his own website where he discusses everything to do with the world of Apple (as well as some Shakespeare, Grateful Dead and Bob Dylan), and has a forum dedicated to solving people’s problems with iTunes.

You would think that running a forum helping people with iTunes problems would keep him busy enough, but you can also check him out on “The Committed”, a great Apple-related podcast which just celebrated its 100th episode.

Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, on Mastodon at @[email protected], or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.