Newegg Password Reset Scam: a Harbinger of Threats to Come?

This blog was updated at 1.15 pm Pacific time on Aug. 26.
McAfee Labs has detected a new strain of spam in the wild that is not only a sophisticated forgery of a Newegg purchase receipt, but there is also some indication that the botnet may be attempting to abuse Newegg’s password reset system to further the scam.

In less than 1 percent of the cases, the spammers appear to be taking advantage of the password reset option on the Newegg website to generate an email to the victim announcing that a password reset is required. This ruse cannot be used to determine if an account exists because the Newegg site returns the same text if you request a password reset on an actual or nonexistent account. So directory harvesting does not appear to be the attackers’ goal. Newegg’s password reset option is not protected by any sort of CAPTCHA authentication unless the account has received multiple requests for a password reset, so this process could be scripted as part of the spam campaign. The password reset request does not actually reset the password unless the recipient clicks on the email that is sent and even then the password reset request does not indicate the account has been compromised. In all likelihood this scam is designed to make the recipient anxious by suggesting (continue reading...)