Photo: Anadolu Agency/Getty Images

You get an email about an order from Amazon or Apple you’re not quite sure you placed — but who knows in the last-minute rush to make the Christmas deadline? You click through to see what exactly you ordered, and congrats, you’ve just got spear-phished. Happy holidays!

Two recent phishing attacks outlined over at Bleeping Computer, work slightly differently but use the same basic principle to lure users in: send them a receipt for a purchase, get them to click through to a link to see what the purchase was for, and then hope the user makes some unwise choices.

A fake Apple receipt PDF. Photo: Bleeping Computer

In the Apple attack, users received an email with a PDF attachment about a recent purchase from the App Store. Downloaded, the PDF shows a receipt for a large in-app purchase. There’s also a helpful link in case you didn’t authorize spending a bunch of money on 8 Ball Pool recently, which takes you to a portal where you can log in with your Apple credentials. Anyone who follows through gets an alert that their Apple account “has been locked for security reasons.” To unlock it, the victim needs to fill out a form with their full name, address, telephone number, social security number, date of birth, credit card info, and security questions like your mother’s maiden name. Enter all that information, and the portal dumps you back onto a real Apple site — at which point the hackers have more than enough information to completely steal your identity.

The Amazon receipt version is slightly more complex, but it’s the same basic idea: a fake receipt with minimal information is sent via email, with a click-through link to malware-infected “Order Details.”

A fake Amazon receipt, with a link leading to malware-infected document. Photo: Bleeping Computer

Clicking the link downloads a file called “order_details.doc.” That file prompts users to to “Enable Content” in order to view it, which then allows the file to use a series of macros to install a Trojan horse malware — either mergedboost.exe or keyandsymbol.exe — which runs secretly in the background of users’ computers, logging every keystroke, stealing account info, and doing other things you generally wouldn’t want to have happening on your PC.

There are red flags for the wary in both instances — Apple doesn’t send PDF receipts for purchases, and Amazon would never have you download a .doc file to see order details. But spear phising is a numbers game. While plenty of people may be savvy enough to stop before giving away all their personal info or installing malware, a decent number will be duped, making it profitable for hackers run the schemes — particularly during a hectic holiday season where you may not remember every single purchase you’ve made.