
A fake FedEx email claims your parcel includes an item forbidden for shipment.

Links go to cracked websites with malware or virus downloads, which can affect mobile devices also.

This is a new incarnation of the "DHL Pack Station" series virus email and may be part of the Asprox botnet. Check out Rebus Snippets' excellent writeup of the Asprox malware system.

http://techhelplist.com/index.php/spam-list/196-your-order-fake-dhl-malware


Subject: Delivery Notification

Subject: Ship Notification

Subject: Delivery Status Notification

[FedEx Logo]

Dear Client,

Your parcel includes an item forbidden for shipment.

More detailed information can be seen on a shipment label.

Print Shipment Label

FedEx Customer Service Team.
FedEx 1995-2013

Fake FedEx email claims item forbidden, links to malware sites.


Header samples:

Received: from digitalposterframe.com [24.214.137.250]
X-Envelope-From: delivery.id34 @digitalposterframe.com
From: "Economy Shipping" <delivery.id34 @digitalposterframe.com>
Subject: Ship Notification

Received: from picsinthepost.com [173.19.183.69]
X-Envelope-From: manager_id77 @picsinthepost.com
From: "Postal Service" <manager_id77 @picsinthepost.com>
Subject: Ship Notification

Received: from gruposterk.com [207.145.216.126]
X-Envelope-From: status_id02 @gruposterk.com
From: "Mail International" <status_id02 @gruposterk.com>
Subject: Delivery Status Notification

Received: from thepostdatingonline.com ([38.100.192.132]
X-Envelope-From: status_id69 @thepostdatingonline.com
From: "Postal Service" <status_id69 @thepostdatingonline.com>
Subject: Delivery Notification

Received: from americanlegionalafiapost148.com (....23.no.no.cox.net [70.183.115.123])
X-Envelope-From: information_31 @americanlegionalafiapost148.com
From: "Postal Service" <information_31 @americanlegionalafiapost148.com>

Link Examples:

The links go to cracked (compromised) websites. Depending on your user-agent string and IP address, the page either fakes a 404 error or sends you a download. A separate server provides the actual download; these links only go to the middle man.

www.heuzeroth.eu /img/get.php? i_info=ss00_323
www.electrobaby.de /img/get.php? i_info=ss00_323
andiburns.de /img/get.php ?i_info=ss00_323
daten.nussbaum-medien.biz /img/get.php ?i_info=ss00_323
amberger-rrc-schubidu.de /img/get.php ?i_info=ss00_323
htp.aasolutionsweb.com /img/get.php ?i_info=ss00_323

... from which, using a Windows Firefox user agent, I got a zip containing ShippingLabel.exe
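As an added example (not from the original page), a small Python filter that flags a message matching this campaign's indicators: the three subject lines, a shipping-themed display name on a non-carrier domain, and the shared `/img/get.php?i_info=` redirector path. The carrier allow-list, the placeholder host and the sample messages are constructed here.

```python
import re
from email import message_from_string

# Subjects and sender display names observed in this campaign (taken from the page).
CAMPAIGN_SUBJECTS = {"Delivery Notification", "Ship Notification", "Delivery Status Notification"}
SHIPPING_NAMES = {"Economy Shipping", "Postal Service", "Mail International"}
# Domains a genuine carrier notification would come from (assumed allow-list, extend as needed).
CARRIER_DOMAINS = ("fedex.com", "dhl.com", "ups.com", "usps.com")
# Redirector path shared by every link sample on the page; the trailing number is allowed to vary.
REDIRECTOR_RE = re.compile(r"/img/get\.php\?\s*i_info=ss00_\d+", re.IGNORECASE)
FROM_RE = re.compile(r'^\s*"?([^"<]*?)"?\s*<[^<>@]+@([^<>]+)>')

def score_message(raw):
    """Return the campaign indicators found in one raw RFC 822 message, in fixed order."""
    msg = message_from_string(raw)
    hits = []
    if (msg.get("Subject") or "").strip() in CAMPAIGN_SUBJECTS:
        hits.append("subject")
    m = FROM_RE.match(msg.get("From") or "")
    if m:
        name, domain = m.group(1).strip(), m.group(2).strip().lower()
        # The lure: a postal/shipping display name on a domain that is not a carrier.
        if name in SHIPPING_NAMES and not domain.endswith(CARRIER_DOMAINS):
            hits.append("lookalike-sender")
    body = msg.get_payload() if not msg.is_multipart() else ""
    if REDIRECTOR_RE.search(body):
        hits.append("redirector-url")
    return hits

# Constructed sample: the page's first header sample plus the redirector path on a
# placeholder host (the real mail hides the link behind "Print Shipment Label").
SPAM_SAMPLE = """\
X-Envelope-From: delivery.id34@digitalposterframe.com
From: "Economy Shipping" <delivery.id34@digitalposterframe.com>
Subject: Ship Notification

Your parcel includes an item forbidden for shipment.
Print Shipment Label: http://compromised-site.example/img/get.php?i_info=ss00_323
"""

BENIGN_SAMPLE = """\
From: "Alice" <alice@example.org>
Subject: Lunch tomorrow?

Are you free at noon?
"""  # constructed benign message for comparison

if __name__ == "__main__":
    print(score_message(SPAM_SAMPLE), score_message(BENIGN_SAMPLE))
```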

Antivirus detections for ShippingLabel.exe:

Symantec   WS.Reputation.1
Kaspersky  UDS:DangerousObject.Multi.Generic
Sophos     Mal/Weelsof-E
McAfee     Artemis!3489157DF74A
