With the December holiday-shopping season revving into full gear, the world's thieves, fraudsters and malware writers have been doing the same thing. If you have any web-based email accounts, chances are you've been noticing a recent uptick in the number of “order confirmation” messages landing in your inbox – and chances are they're all fraudulent, trying to trick you into loading dangerously nasty malware onto your computer.
Security blogger Brian Krebs went into some detail explaining the technical aspects of the latest batch of emails: those realistic-looking messages, allegedly from Walmart, Home Depot, Costco or similar retailers, will load spam-botnet malware called Asprox, which Krebs said is “a nasty Trojan that harvests email credentials and other passwords from infected machines, turns the host into a zombie for relaying junk email (such as the pharmaceutical spam detailed in my new book Spam Nation), and perpetuates additional Asprox malware attacks.”
But from a non-technical perspective, all you really need to do is notice that the emails, though professional-looking, are also addressed generically rather than specifically. Almost all dangerous malware or phishing emails do that.
Could apply to anyone
Consider, for example, the fake jury duty or court-appearance notice. If you get such a message, it's always vague enough that it could apply to anybody: “You must appear in court for jury duty.” “You are being sued for lots of money in court.”
Compare that to what a real jury duty or court appearance notice looks like: “Morton Finkleblatt of 37 West Street is ordered to appear in Federal District Court, 1500 Courthouse Plaza.”
Of course, if you actually get a notice it won't look like that, because your name isn't Morton Finkleblatt and you probably don't live at 37 West Street, either. Even if you do, those listed addresses are supposed to mention a city and state, too – specifically, the state where you personally live, and the city hosting the courthouse nearest you. Finally, an actual jury duty or court-appearance notice will come to you printed on paper, arriving in your old-fashioned mailbox.
That last bit isn't necessarily the case when you buy something from an online retailer: if the seller contacts you, it'll likely be via email rather than snail-mail. But those genuine, non-scammy emails will still include your specific identifying information – real messages from Amazon don't say “Your order has shipped,” they say “Wile E. Coyote, your order of ACME rocket-powered roller skates has shipped.”
The same holds true for Walmart, Home Depot, Target, Costco, and pretty much every legitimate online retailer out there: they might send you emails if you're a customer of theirs, but those emails are addressed specifically to you. And when you get real order-tracking emails or other information about a purchase you actually made, you're not asked to do anything as a result, certainly not asked to click on a link in the email or download some virus-ridden file attachment.