{"id":1674,"date":"2010-03-07T15:01:58","date_gmt":"2010-03-07T14:01:58","guid":{"rendered":"http:\/\/www.craigmurphy.com\/blog\/?p=1674"},"modified":"2010-03-07T15:01:58","modified_gmt":"2010-03-07T14:01:58","slug":"fake-amazon-com-your-cancellation-e-mail","status":"publish","type":"post","link":"http:\/\/www.craigmurphy.com\/blog\/?p=1674","title":{"rendered":"Fake “Amazon.com – Your Cancellation” e-mail"},"content":{"rendered":"

I received an item of e-mail reporting to be an Amazon order cancellation. It looked fairly authentic: to the untrained eye with some curiosity, you may be fooled into clicking on the ORDER DETAILS link. If you are in the UK, one of the key clues is the fact that this e-mail is reporting itself as originating from amazon.com<\/strong> – in the UK we would expect such e-mail to come from amazon.co.uk<\/strong>. The same could be said for other non-.com editions of the Amazon site.<\/p>\n

Closer inspection reveals that the ORDER DETAILS link doesn’t goto an Amazon web-page, but to a completely different site…in this case you’ll be taken to a site that offers you tablets for helping make something bigger! However, there’s nothing to tell you how dangerous the destination site is…a single click can cause a lot of damage.<\/p>\n

I use MailWasher Pro<\/a> as my client-side anti-spam filtering tool, it’s kind enough to expand links in e-mails such that the true destination is revealed, as the screenshot below demonstrates:<\/p>\n

<\/p>\n

The learning experience behind this blog post is that you should never trust links on face value. Always hover the mouse over the link and see where it ultimately leads to: if it’s not going where you expect it to be going, resist the temptation to “just click on it”! If hovering the mouse over the link doesn’t help you, see if you can find the message source (In Outlook right clicking on an e-mail, choosing Message Options lets you look at the “Internet Headers” and the raw message).<\/p>\n

—<\/p>\n

FYI, here’s the full body of the original e-mail.<\/p>\n

Received: ... from forum.mbfpro.biz ([94.23.20.147])
\n by twx8...com with smtp (Exim 4.69)
\n (envelope-from )
\n id 1No5Qd-0001Xk-S3
\n for ...; Sun, 07 Mar 2010 01:37:14 +0000
\nDate: Sat, 6 Mar 2010 23:59:45 +0400 (UTC)
\nFrom: \"order-update@amazon.com\"
\nTo:
\nMessage-ID: <151840.7152476933828043636.JavaMail.correios@na-mm-relay.amazon.com>
\nSubject: Amazon.com - Your Cancellation (0713-48571-25595)
\nMIME-Version: 1.0
\nContent-Type: text\/html; charset=UTF-8
\nContent-Transfer-Encoding: 7bit
\nX-AMAZON-CLIENT-HOST: online-gp-48l06.iad9.amazon.com
\nBounces-to: 20103c7b52838824c217f09b0630caf76b94d527f4@bounces.amazon.com
\nX-AMAZON-MAIL-RELAY-TYPE: notification
\nX-AMAZON-RTE-VERSION: 2.0
\nX-Spam-Status: No, score=4.1
\nX-Spam-Score: 41
\nX-Spam-Bar: ++++
\nX-Spam-Flag: NO<\/p>\n

<html>
\n<head>
\n <title>Amazon.com - Your Cancellation<\/title>
\n<\/head>
\n<body bgcolor=\"#FFFFFF\" link=\"#0066CC\">
\n
\nDear Customer,
\n<br \/>
\nYour order has been successfully canceled. For your reference, here`s a summary of your order:<br \/><\/p>\n

You just canceled order #859-8266172-041110<\/p>\n

<br \/>Status: CANCELED<\/p>\n

_____________________________________________________________________<br \/><\/p>\n

<a href=\"http:\/\/almedicgroup.com\/robbie.html\">ORDER DETAILS<\/a><br \/>
\nSold by: Amazon.com, LLC
\n<br \/>
\n_____________________________________________________________________<br \/><br \/><\/code><\/p>\n","protected":false},"excerpt":{"rendered":"

I received an item of e-mail reporting to be an Amazon order cancellation. It looked fairly authentic: to the untrained eye with some curiosity, you may be fooled into clicking on the ORDER DETAILS link. If you are in the UK, one of the key clues is the fact that this e-mail is reporting itself … Continue reading Fake “Amazon.com – Your Cancellation” e-mail<\/span> →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[478,480,479,102,103,104,481],"class_list":["post-1674","post","type-post","status-publish","format-standard","hentry","category-security","tag-amazon","tag-cancel-order","tag-fake-cancel","tag-mailwasher","tag-mailwasher-pro","tag-spam","tag-your-cancellation"],"_links":{"self":[{"href":"http:\/\/www.craigmurphy.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1674","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.craigmurphy.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.craigmurphy.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.craigmurphy.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.craigmurphy.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1674"}],"version-history":[{"count":10,"href":"http:\/\/www.craigmurphy.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1674\/revisions"}],"predecessor-version":[{"id":1684,"href":"http:\/\/www.craigmurphy.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1674\/revisions\/1684"}],"wp:attachment":[{"href":"http:\/\/www.craigmurphy.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1674"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.craigmurphy.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1674"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.craigmurphy.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1674"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}