Cybercriminals are targeting online shoppers in the U.S. and Western Europe with fake Amazon gift cards that deliver the the Dridex banking Trojan, the attackers have targeted thousands of victims in the U.S. and Western European countries, where Amazon is a popular shopping destination and has local websites.

Amazon has issued updates about potential scams.

The attackers send a phishing email stating the recipient has received a free Amazon gift card. The email prompts the user to download or link to the gift card, which is contained in a malicious attachment, setting off one of three attack scenarios.

The attackers use malicious Word documents that claim to contain the gift card. The attackers then ask the victims to “enable content” to open the file. At this point, malicious macros are downloaded onto the victim’s device.

“The command opens a pop up with a fake error message, tricking the user into thinking there was an error opening the file, when in fact the macro is being run in the background,” the report notes.

The second method involves the attackers using SCR, or screensaver, files that enable them to bypass email security. The message includes Amazon-themed icons and naming conventions.

These SCR files contain a malicious VBScript, which, when executed, unpacks the Dridex malware for exfiltrating sensitive user data, the report adds.

The final infection vector is a VBScript file that is downloaded via a malicious link found in the body of the email. When clicked, the link executes the Dridex malware.