
A fake UPS email claims some postal items were lost.

Links go to cracked websites with malware or virus downloads, which can also affect mobile devices.

This is a new incarnation of the "DHL Pack Station" series virus email and is part of the Asprox botnet. Check out Rebus Snippets' excellent writeup of the Asprox Malware system.


Subject: Your Parcel Has Been Send

Subject: Parcel Has Been Found

[UPS Logo]

Dear Client,

Due to the Christmas time postal service
overloading some postal items were lost.
Your parcel has been found and sent.

Shipment Label

Copyright 1994-2013 All rights reserved.

[Image: fake UPS email claiming the parcel has been sent, with a link to the virus site]


Header samples:

Received: from thenotchedbedpost.com ([186.90.40.176]
X-Envelope-From: contact_id51 @thenotchedbedpost.com
From: "Standard Shipping" <contact_id51 @thenotchedbedpost.com>
Subject: Your Parcel Has Been Send

Received: from posttraumaticsoul.com [64.57.165.3]
X-Envelope-From: item_81 @posttraumaticsoul.com
From: "Economy Shipping" <item_81 @posttraumaticsoul.com>
Subject: Your Parcel Has Been Send

Received: from clubapostas.com [76.7.31.58]
X-Envelope-From: us.83 @clubapostas.com
From: "Economy Shipping" <us.83 @clubapostas.com>
Subject: Parcel Has Been Found

Received: from midwestpost.com [87.216.18.74]
X-Envelope-From: customer.id48 @midwestpost.com
From: "Standard Shipping" <customer.id48 @midwestpost.com>
Subject: Your Parcel Has Been Send

Received: from postphones4cash.com ([208.47.165.11]
X-Envelope-From: support_id12 @postphones4cash.com
From: "Expedited Shipping" <support_id12 @postphones4cash.com>

Received: from inadposting.com (cust-209.239.180.57.cl.cstel.com) [209.239.180.57]
X-Envelope-From: personal_id86 @inadposting.com
From: "Logistics Services" <personal_id86 @inadposting.com>
Subject: Parcel Has Been Found

Received: from mission-apostrophe.com (red213-4.lorca.es) [213.0.108.4]
X-Envelope-From: federal_id43 @mission-apostrophe.com
From: "Priority Mail" <federal_id43 @mission-apostrophe.com>

Received: from server.unlimited.ge (server.unlimited.ge) [80.241.247.197]
X-Envelope-From: awwineco @server.unlimited.ge
From: "Standard Shipping" <customer_id71 @postopinflam.com>
Subject: Parcel Has Been Found
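The header samples above share a few traits a mail filter can score on: the two lure subjects, a carrier-sounding display name ("Standard Shipping", "Priority Mail") on an unrelated domain, and in the last sample an envelope sender and relay that do not match the From domain. The Python below is an added example (not code from this page or from the Rebus Snippets writeup) that checks those traits over two of the page's own header blocks, with the anti-harvesting space before the @ removed. The carrier allow-list and the relay-versus-From heuristic are assumptions for the demo, not a statement about how the Asprox mails were actually filtered.

```python
import email
import email.utils
import re

# Subject lines used by this campaign (taken from the samples on this page).
CAMPAIGN_SUBJECTS = {"your parcel has been send", "parcel has been found"}

# Domains a genuine carrier notification would come from. ASSUMED allow-list;
# replace with whatever your own mail flow actually trusts.
CARRIER_DOMAINS = {"ups.com", "dhl.com", "fedex.com", "usps.com"}

# Words in a display name that try to look like a shipping company.
SHIPPING_WORDS = re.compile(r"shipping|parcel|logistics|mail|post", re.I)


def domain_of(address: str) -> str:
    """Lower-cased domain part of an e-mail address ('' if there is none)."""
    addr = email.utils.parseaddr(address)[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_headers(raw_headers: str) -> list:
    """Return the list of phishing indicators found in one raw header block."""
    msg = email.message_from_string(raw_headers)
    findings = []

    subject = (msg["Subject"] or "").strip().lower()
    if subject in CAMPAIGN_SUBJECTS:
        findings.append(f"subject matches campaign lure: {subject!r}")

    from_name, from_addr = email.utils.parseaddr(msg["From"] or "")
    from_dom = domain_of(from_addr)
    if SHIPPING_WORDS.search(from_name) and from_dom not in CARRIER_DOMAINS:
        findings.append(
            f"carrier-like display name {from_name!r} on non-carrier domain {from_dom}")

    env_dom = domain_of(msg["X-Envelope-From"] or "")
    if env_dom and env_dom != from_dom:
        findings.append(f"envelope sender domain {env_dom} != From domain {from_dom}")

    # Topmost Received line = the host that handed the message to the MTA.
    # The samples on the page are already trimmed to that hop.
    received = msg.get_all("Received") or []
    if received:
        m = re.match(r"from\s+(\S+)", received[0])
        relay = m.group(1).lower() if m else ""
        same_org = relay == from_dom or relay.endswith("." + from_dom)
        if relay and from_dom and not same_org:
            findings.append(f"relay {relay} does not match From domain {from_dom}")
    return findings


# Header blocks from this page (defanging spaces removed) plus one constructed
# benign block for contrast.
SAMPLES = [
    "\n".join([
        "Received: from thenotchedbedpost.com ([186.90.40.176]",
        "X-Envelope-From: contact_id51@thenotchedbedpost.com",
        'From: "Standard Shipping" <contact_id51@thenotchedbedpost.com>',
        "Subject: Your Parcel Has Been Send",
    ]) + "\n",
    "\n".join([
        "Received: from server.unlimited.ge (server.unlimited.ge) [80.241.247.197]",
        "X-Envelope-From: awwineco@server.unlimited.ge",
        'From: "Standard Shipping" <customer_id71@postopinflam.com>',
        "Subject: Parcel Has Been Found",
    ]) + "\n",
    "\n".join([  # constructed benign sample, not from the page
        "Received: from mail.ups.com (mail.ups.com [192.0.2.10])",
        "X-Envelope-From: noreply@ups.com",
        'From: "UPS" <noreply@ups.com>',
        "Subject: Your receipt",
    ]) + "\n",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(score_headers(sample) or ["no indicators"])
```

The first sample trips two checks (lure subject, carrier-style name on a random domain); the last page sample trips all four because the envelope sender and relay point at server.unlimited.ge while the From header claims postopinflam.com. Any one finding is weak on its own; two or more on the same message is a reasonable quarantine threshold.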

Link Examples:

The links go to cracked websites. The download will either fake a 404 error or send you a download, depending on your user-agent string and IP address. A separate server provides the download; these links go to the middle man.

letssport.de /img/get.php ?q_info=ss00_323
www.gasthofamgasteig.de /img/get.php ?q_info=ss00_323
www.johnvandiepen.com /img/get.php ?q_info=ss00_323
audiolinda.com /img/get.php ?q_info=ss00_323
www.haettich.de /img/get.php ?q_info=ss00_323
www.vincenz-richter.de /img/get.php ?q_info=ss00_323
spd-haidhausen-ost.de /img/get.php ?p_info=891_120621690
sundesire.com /img/get.php ?q_info=ss00_323
eifelfreun.de /img/get.php ?q_info=ss00_323
kinginterior.com /img/get.php ?q_info=ss00_323
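Every landing link above has the same shape, /img/get.php with a q_info or p_info parameter, on an otherwise legitimate compromised host, so the path pattern is a better detection key than any single hostname. The Python below is an added example (not code from this page) that scans constructed proxy log lines for that pattern and for hosts taken from the list above; the simplified log layout (timestamp, client, status, method, URL) is an assumption, as is the small known-host set.

```python
from urllib.parse import urlsplit, parse_qs

# Landing URL shape seen in this campaign: /img/get.php?q_info=... or ?p_info=...
LURE_PATH = "/img/get.php"
LURE_PARAMS = {"q_info", "p_info"}

# A few of the compromised hosts listed on this page (extend from your own feed).
KNOWN_HOSTS = {"letssport.de", "www.gasthofamgasteig.de", "sundesire.com"}

# CONSTRUCTED proxy log lines in an assumed "ts client status method url" layout.
# Line 2 shows the fake 404 the page describes: a hit even though the status is 404.
LOG_LINES = [
    "1387200000.123 10.0.0.5 TCP_MISS/200 GET http://letssport.de/img/get.php?q_info=ss00_323",
    "1387200001.456 10.0.0.7 TCP_MISS/404 GET http://www.example.com/img/get.php?p_info=891_120621690",
    "1387200002.789 10.0.0.9 TCP_HIT/200 GET http://www.example.com/img/logo.png",
    "1387200003.000 10.0.0.5 TCP_MISS/200 GET http://sundesire.com/index.html",
]


def classify_url(url: str):
    """Return why a URL is suspicious for this campaign, or None if it is not."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    params = parse_qs(parts.query)
    if parts.path.lower().endswith(LURE_PATH) and LURE_PARAMS.intersection(params):
        return "lure pattern"  # path + parameter shape, regardless of host or status
    if host in KNOWN_HOSTS:
        return "known host"  # any other request to a listed compromised site
    return None


def scan_log(lines):
    """Return (client, url, reason) for every line whose URL matches."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line, skip rather than crash the scan
        client, url = fields[1], fields[4]
        reason = classify_url(url)
        if reason:
            hits.append((client, url, reason))
    return hits


if __name__ == "__main__":
    for hit in scan_log(LOG_LINES):
        print(hit)
```

Note that the middle-man server answers differently per user-agent and source IP, so a 404 in the proxy log does not mean the client was served nothing, and re-fetching the URL from an analyst workstation will not reproduce what the victim saw; treat the request itself as the indicator and pull the client's endpoint logs instead.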
