McAfee Labs

Newegg Password Reset Scam: a Harbinger of Threats to Come?

By on Aug 25, 2010

This blog was updated at 1.15 pm Pacific time on Aug. 26.

McAfee Labs has detected a new strain of spam in the wild that is not only a sophisticated forgery of a Newegg purchase receipt, but there is also some indication that the botnet may be attempting to abuse Newegg’s password reset system to further the scam.

password reset

In less than 1 percent of the cases, the spammers appear to be taking advantage of the password reset option on the Newegg website to generate an email to the victim announcing that a password reset is required. This ruse cannot be used to determine if an account exists because the Newegg site returns the same text if you request a password reset on an actual or nonexistent account. So directory harvesting does not appear to be the attackers’ goal. Newegg’s password reset option is not protected by any sort of CAPTCHA authentication unless the account has received multiple requests for a password reset, so this process could be scripted as part of the spam campaign. The password reset request does not actually reset the password unless the recipient clicks on the email that is sent and even then the password reset request does not indicate the account has been compromised. In all likelihood this scam is designed to make the recipient anxious by suggesting an unauthorized individual has attempted to access the account.


Anxiety and frustration are common emotions exploited by spam and phishing messages to make a victim click on a malware link without thinking. One common trick is to send a purchase confirmation email to a recipient, who is likely to click on the attachment or the link because he or she is afraid or is convinced that someone has already hacked the account. To continue the scam: The victims receive a forged Newegg purchase receipt shortly after seeing the legitimate password reset notice. If recipients are anxious about account tampering, they may be willing to release a quarantined spam message that claims to be a purchase receipt because they feel their accounts may have been compromised.


This spam mail appears to be associated with the Cutwail botnet, which is the second-most prolific botnet in detected infections. (Rustock is number one.) Cutwail has the highest number of infections detected in Russia, India, and Brazil. We do not know if every recipient of a Newegg spam has received a password reset notification before the spam mail arrived, but McAfee TrustedSource™ has detected a 233 percent increase over the average mail flow coming from Newegg IP addresses today.


The spam mail not only mimics the look and feel of a Newegg email, but also forges the RFC 821–received headers to pretend that it originated from Newegg servers. The email contains an HTML attachment that uses obfuscated JavaScript to forward the victim to a domain which attempts to deliver fake anti-virus software or other malware to the recipient.

This is a powerful scam: It combines forgery techniques to fool the victims, techniques to fool the filters, and outright abuse of the Newegg corporate infrastructure to scare the recipients of the malicious emails. Techniques like this are not new, but the combination of three in one package is rare. Administrators should be aware of this campaign and inform their users not to be fooled by the purchase receipt. Users who want to check their Newegg accounts should not use any links in an email but should go straight to

Newegg says it is investigating this issue to determine any customer impact and that it is researching any actions the company may need to take to help its customers avoid phishing scams that take advantage of their brand.