Don’t get caught in a phishing scam this holiday season

It’s that time of year again: Work winds down, holiday decorations are pulled out of storage, and miscreants ramp up their targeting of email accounts in a quest to steal personal data.

Security writer Brian Krebs reports that scammers have been sending out emails that purport to be “order confirmation” notifications. In reality, these messages include links to malware that could infect your computer. Such phishing scams aren’t new, but they’re particularly successful during the holiday season, as online shoppers are snapping up deals and clicking every discount-related link they find.

Malicious emails with innocuous subject lines like “Order confirmation” usually contain a link to fraudulent website and attached files that can infect Windows PCs, according to security company Malcovery. Other deceptive subject lines include “Thank you for your order” and “Order status.”

The malware is a Trojan horse that ropes computers into the Asprox spam botnet, a shady network of infected machines that has been around since 2007. The botnet steals FTP, website, and email credentials from infected computers, and it can force the computer to scan other websites for vulnerabilities as an unconventional way of distributing malware.

Malrecovery

Fraudulent emails have claimed to be from companies like Home Depot, Target, Walmart, Best Buy, and Costco. If you receive one of these emails, don’t click any of the links or attachments. Instead, Krebs suggests visiting the supposed retailer’s site directly to search for an order number or shipping confirmation.

As holiday shopping season commences, be on the lookout for malicious activity—or you might wind up with a surprise gift you didn’t ask for. 

Photo via [email protected]/Flickr (CC BY-SA 2.0)

Selena Larson

Selena Larson

Selena Larson is a technology reporter based in San Francisco who writes about the intersection of technology and culture. Her work explores new technologies and the way they impact industries, human behavior, and security and privacy. Since leaving the Daily Dot, she's reported for CNN Money and done technical writing for cybersecurity firm Dragos.