UDel inboxes saw a flood of rewards notifications yesterday. Four separate emails claimed to offer loyalty rewards points at RiteAid, CVS, Amazon, and Walgreens, but they all gave tell-tale signs that they’re scams.

First, these emails all came within minutes of each other, and they were sent from suspicious third-party addresses instead of anything even remotely resembling the domains of the companies they claim to represent.

Second, they all have erratic capitalization and hyphenation. It’s almost like phishers are obligated to be bad writers. One of them even tried to write a little story for us (see the second image below).

[Image: imgur.com notification of a missing/unavailable image]

Third, they all contained the above imgur.com notification of missing/unavailable images. Although the formatting of the messages may look authentic at first, these missing images indicate that something’s definitely wrong; you never see this kind of thing in legit business mail.

[Image: cropped view of a link pointing to the vpcresthosting address]

Fourth, they all linked to the vpcresthosting address pictured above instead of to any of the retailers’ official Web sites. If you click any of the links, you’ll be redirected to a page that will automatically download malware to your device. Anyone who did click on any links in these emails should immediately scan their device. We found at least six unique instances of malware connected to this phishing campaign.
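The sender, image and link checks described above can be automated. The following is an added example, not part of the original post: the retailer domains in `BRANDS`, the sample message and the `.example` hosts are assumptions constructed for illustration (the post does not give the full sender or link addresses).

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: official domains of the four retailers named in the post.
BRANDS = {"riteaid": "riteaid.com", "cvs": "cvs.com",
          "amazon": "amazon.com", "walgreens": "walgreens.com"}

# Constructed sample message; sender and link hosts are placeholders.
SAMPLE = """\
From: "CVS Rewards" <promo@mailer.example>
Subject: your CVS Loyalty-Points are Waiting
Content-Type: text/html

<a href="http://vpcresthosting.example/r?id=1"><img src="http://i.imgur.com/x.jpg"></a>
"""

def host_matches(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def check_message(raw):
    """Return findings for one raw message (encoded bodies are not decoded)."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2]
    body = "".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    text = (display + " " + msg.get("Subject", "")).lower()
    findings = []
    for brand in (b for b in BRANDS if b in text):
        official = BRANDS[brand]
        if not host_matches(sender_host, official):
            findings.append(f"sender {sender_host} is not {official}")
        for url in re.findall(r'href="([^"]+)"', body, flags=re.I):
            host = urlparse(url).hostname
            if not host_matches(host, official):
                findings.append(f"link host {host} is not {official}")
    for url in re.findall(r'<img[^>]+src="([^"]+)"', body, flags=re.I):
        if host_matches(urlparse(url).hostname, "imgur.com"):
            findings.append("image hosted on imgur.com, not by the retailer")
    return findings

if __name__ == "__main__":
    for finding in check_message(SAMPLE):
        print(finding)
```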

[Screenshots of the emails in this phishing campaign: rewardsscam04, weirdtextNOTRelatedtosubjectofmsg, rewardsscam03BADQUALITYGRAPHICS, rewardsscam02, rewardsscam01]