“Please attention!” fake DHL delivery emails contain malware

It’s another day, which means (almost inevitably) there’s another malicious email campaign carrying a fake anti-virus attack.

 

Once again the bad guys are packaging their attack in an email which claims to come from DHL Delivery Services.

 

A typical email, which has the subject line “Please attention!”, reads as follows:

Dear customer!

The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.

You may pickup the parcel at our post office personaly.

Please attention!
The shipping label is attached to this e-mail.
Print this label to get this package at our post office.

Please do not reply to this e-mail, it is an unmonitored mailbox!

Thank you,
DHL Delivery Services.

Attached to the email is a file called label.zip, which Sophos detects as Troj/FakeAV-BEG. Even though there is some peculiar wording (and spelling) in the email it’s possible that some unwary users might fall into the hacker’s trap, and open the malicious attachment.

 

We are seeing many reports of this attack in our global network of traps right now.

If you receive one of these emails, don’t open the attached file as you could be putting your computer at risk of infection and allowing hackers to compromised your PC.

 

By Graham Cluley, Sophos

 

Account notification email warning? Don’t follow the instructions

If you’re returning to an overflowing inbox after the Easter holiday weekend, make sure that you don’t fall for the latest scam being distributed widely by spammers.

 

Emails claiming that recipient’s accounts have been temporarily suspended are being seen around the world today, attempting to trick users into believing that their email account has been accessed by somebody else.

 

The spammed-out emails try to hoodwink users into running the attached file (Instructions.zip) which is, predictably, carrying a malicious payload.

Dear Customer,

This e-mail was send by example.com to notify you that we have temporanly prevented access to your account.

We have reasons to beleive that your account may have been accessed by someone else. Please run attached file and Follow instructions

(C) example.com

 

In an attempt to make the email more convincing, the attackers reference the domain name (for instance, example.com) used by the recipients’ email account in the emails they are spamming out.

 

Sophos detects the malicious attachment proactively as Mal/FakeAV-BT and Mal/BredoZp-B, but users of security products from other vendors would be wise to ensure that they are properly updated and protected.

 

The hackers are once again using a tried-and-trusted social engineering trick (in this case trying to fool you into believing that your account has been compromised) to lure you into the serious mistake of opening the attached file.

 

Wiser computer users should have learnt by now that you should always be extremely suspicious of unsolicited attachments.

 

 

By Graham Cluley, Sophos

 

Related Blogs

Beware airplane ticket N648365 – it contains malware

The bad guys are up to their old tricks again, spamming out malicious attachments posing as airline tickets.

 

The latest attack, which we’re seeing in many of our spamtraps around the world, poses as an email from Delta Air Lines.

 

Here’s a typical message:

Subject: Online order for airplane ticket N648365
Message body:
Good afternoon,
Thank you for using our new service "Buy airplane ticket Online" on our website.
Your account has been created:

Your login: [removed]
Your password: G6vFjbdp

Your credit card has been charged for $998.63.
We would like to remind you that whenever you order tickets on our website you get a discount of 10%! Attached to this message is the purchase Invoice and the airplane ticket.
To use your ticket, simply print it on a color printed, and you are set to take off for the journey!

Kind regards,
Delta Air Lines

Attached file: eTicket.zip

 

Of course, even if you haven’t booked an airline ticket you may still very well open the attachment – especially if you believe your credit card may have been charged for such a large amount of money!

 

Sophos detects the malicious file attached to the emails as Mal/BredoZp-B and Mal/EncPk-MP. Users of other anti-virus products are advised to ensure that they are up-to-date and capable of detecting this email-borne threat.

 

By Graham Cluley, Sophos

 

 

Related Blogs

Malware attack spammed out disguised as email settings file

Sophos is intercepting a large number of malicious emails that have been spammed out around the world, posing as a new settings files for internet users’ email systems. However, attached to the emails is a Trojan horse.

 

Each email is carefully disguised in an attempt to lure the recipient into believing they are genuine. For instance, they use the recipient’s email address in the subject line and pretend to come from the support team at the recipient’s email domain:

A typical malicious email reads as follows (I’m assuming the user’s email address is username@example.com below):

Subject: A new settings file for the username@example.com has just be released

Attached file: settings.zip

Message body:
Dear use of the example.com mailing service!

We are informing you that because of the security upgrade of the mailing service your mailbox username@example.com settings were changed. In order to apply the new set of settings open zip attached file.

Best regards, example.com Technical Support.

Although the hackers behind this attack have clearly put a little thought into how they might infect as many people as possible, they have made some grammatical mistakes which may tip off potential victims that the emails are not genuine.

For instance, the subject line of

A new settings file for the username@example.com has just be released

is very clumsy.

 

Attached to each email is a file called settings.zip, which contains a copy of the Troj/Bredo-BE Trojan horse.

 

Stay on your guard against attacks arriving via email. Although we see many web-based attacks these days, the rumours of the death of email-based malware are greatly exaggerated.

 

By Graham Cluley, Sophos

 

 

Malicious bogus DHL and FedEx emails bombard inboxes

We are currently seeing a large number of malicious emails purporting to be sent from FedEx or DHL, but containing attachments designed to infect your computer.

 

It’s a familiar story. In the case of the malware attached to the emails coming from DHL, the communication claims that there has been an error in the delivery address, and so you are invited to pick up the parcel “at our post office personaly” (spelling has often been the downfall for would-be hackers).

 

If the poor spelling doesn’t set your alarm bells ringing then you might be foolish enough to open the attached shipping label (we have seen examples where this can be called DHL_print_label_75ba9.zip or DHL_print_label_9731b.zip)

 

Sophos detects the attached malware as Troj/BredoZp-A or Mal/Bredo-A.

 

On the SophosLabs blog, Prashant has written about a similar campaign claiming to come from FedEx, carrying an infected invoice in the form of a file called TR768212.zip.

 

The thing which is most notable about these current spammed-out attacks, though, are their ferocity. Take a look at what our email malware traps intercepted in a less than two minute interval:

 

Dangerous emails claiming to come from courier companies are nothing new – it has become a standard method by which hackers can socially engineer you into opening a malicious attachment or clicking on a dangerous link.

 

Make sure that you and your colleagues are wise to the trick – and think before you click.

 

by Graham Cluley, Sophos