Hackers Using Fake ‘Order Confirmation’ Emails to Hijack Computers

Cyber thieves are taking advantage of shoppers this holiday season with a devious email scam that can prove costly.

According to a report by Internet security company Malcovery, hackers are spamming email accounts with phony order confirmation messages claiming to be from popular retailers like Home Depot (NYSE:HD), Wal-Mart (NYSE:WMT), Target (NYSE:TGT) and Costco (NASDAQ:COST). The notifications are sent with company markings to appear as though they are authentic.

The fake messages contain a tainted link which, if clicked, takes the victim to an infected website laced with malware that powers the infamous ASProx spam botnet. A botnet is essentially a network of infected computers which are used to carry out a variety of cyber attacks.

According to security blogger Brian Krebs, ASProx is a nasty Trojan that collects email addresses and passwords from its victims and then turns the infected machine into a “zombie” for relaying spam messages. Trend Micro reports that ASProx emerged in 2007 and has since been responsible for a significant portion of the world’s spam.

The phony messages contain a variety of deceptive subject lines, according to Malcovery, which include “Thank you for your confirmation,” “Order Confirmation,” “Thank you for buying from [company name],” “Acknowledgement of Order,” and “Order Status.”

Security experts urge users to exercise caution when opening links embedded in emails, even if they appear to be from legitimate senders.

Cyber security expert and Social-Engineer.com “chief human hacker,” Chris Hadnagy told FOX Business that email scams such as these are all too common.

“Don't just click a link that appears to go to the right place,” Hadnagy said. “Open your browser, go to the URL and log in properly. Clicking that link may save you five seconds, but can cost you thousands of dollars.”

This latest scam is just one of many that shoppers should be on the lookout for this season. Security experts warn that hackers use the holiday buying rush to take advantage of unknowing consumers, often with great success.

Hadnagy urges consumers to be vigilant about checking their online bank statements, and to be particularly wary of suspicious transactions in the lower dollar range.

“Many scammers don't go in for the $5,000 charges but are happy doing $20 to $30 on a thousand people,” Hadnagy said. “Especially during the holidays, a $20 or $30 charge can easily be overlooked.”

In an emailed statement to FOX Business, Wal-Mart said it will update its customer security webpage to include this “order confirmation” email scam.

“We encourage customers to exercise caution when receiving suspicious email and we recommend frequently updating the antivirus software on their computer,” Wal-Mart spokesman Dan Toporek said.

FOX Business has also reached out to Target, Home Depot, and Costco for comment.