Saturday, October 14, 2006

Disturbing email from Amazon!

One of my clients recently called me about an email they had received which seemed to have come from Amazon and which seemed to be costing around £2,500!

What it said was...

Dear Customer,

Thank you for ordering from our internet shop. If you paid with a credit card, the charge on your statement will be from name of our shop.

This email is to confirm the receipt of your order. Please do not reply as this email was sent from our automated confirmation system.

Date : 08 Oct 2006 - 12:40
Order ID : 37679041

Payment by Credit card

Product : Quantity : Price
WJM-PSP - Sony VAIO SZ370 C2D T7200 : 1 : 2,449.99

Subtotal : 2,449.99
Shipping : 32.88
TOTAL : 2,482.87

Your Order Summary located in the attachment file ( self-extracting archive with "37679041.pdf" file ).

PDF (Portable Document Format) files are created by Adobe Acrobat software and can be viewed with Adobe Acrobat Reader.
If you do not already have this viewer configured on a local drive, you may download it for free from Adobe's Web site.

We will ship your order from the warehouse nearest to you that has your items in stock (NY, TN, UT & CA). We strive to ship all orders the same day, but please allow 24hrs for processing.

You will receive another email with tracking information soon.

We hope you enjoy your order! Thank you for shopping with us!

On the face of it, it looked as though it might be real... had someone got hold of credit card details or was it just a scam?

As ever, we start by looking at things closely for clues...

The first suspicious thing was that it is dated October 8th but it arrived on October 13th.

The next thing was that they claimed there was a self-extracting attachment containing 37679041.pdf; however, the attachment was order_37679041.zip, which is not self-extracting. Looking at its contents with WinZip reveals that it contains order_37679041.exe, not the file they mentioned.

While this could be a self-extracting archive, they wouldn't then embed it in a zip file!

Further examination was done by looking at the actual message headers of the email, which contained (among other things):

X-Account-Key: account2
Return-Path: <drapery@exc.com>
Received-SPF: none (mxeu7: 201.81.59.246 is neither permitted nor denied by domain of exc.com) client-ip=201.81.59.246; envelope-from=drapery@exc.com; helo=c9513bf6.virtua.com.br;
Date: Fri, 13 Oct 2006 15:35:38 -0200
From: customercare@amazon.com
Message-ID: <27032496.48506096@swirl.com>
Subject: Order ID : 37679041

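In particular we note that the return path is nothing like Amazon! The Message-ID domain (swirl.com) and the sending host named in the Received-SPF line (c9513bf6.virtua.com.br) are not Amazon's either.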
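The two checks walked through above (what is really inside the zip, and whether the headers agree with the claimed sender), sketched as an added Python example; it is not code from the original post. The function names, the extension list and the zip built by `sample_zip()` are assumptions for illustration, and the simple suffix comparison stands in for a proper public-suffix lookup.

```python
import io, re, zipfile
from email import message_from_string
from email.utils import parseaddr
# Header values copied from the message quoted above.
RAW_HEADERS = """\
X-Account-Key: account2
Return-Path: <drapery@exc.com>
Received-SPF: none (mxeu7: 201.81.59.246 is neither permitted nor denied by domain of exc.com) client-ip=201.81.59.246; envelope-from=drapery@exc.com; helo=c9513bf6.virtua.com.br;
Date: Fri, 13 Oct 2006 15:35:38 -0200
From: customercare@amazon.com
Message-ID: <27032496.48506096@swirl.com>
Subject: Order ID : 37679041
"""
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")  # assumed, not exhaustive

def in_domain(host, domain):
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def addr_host(value):
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def header_findings(raw):
    msg = message_from_string(raw)
    claimed = addr_host(msg["From"])  # the domain the reader is shown
    findings = []
    for name in ("Return-Path", "Message-ID"):
        if not in_domain(addr_host(msg[name]), claimed):
            findings.append(name.lower() + "-mismatch")
    spf = msg["Received-SPF"] or ""
    if spf.split(" ", 1)[0].lower() != "pass":
        findings.append("spf-not-pass")
    helo = re.search(r"helo=([^;\s]+)", spf)
    if helo and not in_domain(helo.group(1), claimed):
        findings.append("helo-mismatch")
    return claimed, findings

def executables_in_zip(data):
    with zipfile.ZipFile(io.BytesIO(data)) as zf:  # lists names only, extracts nothing
        return [n for n in zf.namelist() if n.lower().endswith(EXEC_EXT)]

def sample_zip():  # constructed stand-in for the attachment, harmless contents
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("order_37679041.exe", b"placeholder, not a real program")
    return buf.getvalue()

if __name__ == "__main__":
    print(header_findings(RAW_HEADERS), executables_in_zip(sample_zip()))
```
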

So what about that attachment?

Quite simple; it contained a virus but, of course, there would have been no danger to you cos you're all well protected, aren't you?

