
A fake FedEx email claims your parcel includes an item forbidden for shipment.

Links go to cracked websites hosting malware or virus downloads, which can also affect mobile devices.

This is a new incarnation of the "DHL Pack Station" series of virus emails and may be part of the Asprox botnet. Check out Rebus Snippets' excellent writeup of the Asprox malware system.

Subject: Delivery Notification

Subject: Ship Notification

Subject: Delivery Status Notification

[FedEx Logo]

Dear Client,

Your parcel includes an item forbidden for shipment.

More detailed information can be seen on a shipment label.

Print Shipment Label

FedEx Customer Service Team.
FedEx 1995-2013

Fake FedEx email claims item forbidden, links to malware sites.

Header samples:

Received: from []
X-Envelope-From: delivery.id34
From: "Economy Shipping" <delivery.id34>
Subject: Ship Notification

Received: from []
X-Envelope-From: manager_id77
From: "Postal Service" <manager_id77>
Subject: Ship Notification

Received: from []
X-Envelope-From: status_id02
From: "Mail International" <status_id02>
Subject: Delivery Status Notification

Received: from ([]
X-Envelope-From: status_id69
From: "Postal Service" <status_id69>
Subject: Delivery Notification

Received: from ( [])
X-Envelope-From: information_31
From: "Postal Service" <information_31>

Link Examples:

The links go to cracked websites. Depending on your user-agent string and IP address, the link will either fake a 404 error or send you a download. A separate server provides the download; these links go to the middleman.

/img/get.php?i_info=ss00_323

... from which, using a Windows Firefox user agent, I got a zip containing ShippingLabel.exe

Symantec WS.Reputation.1
Kaspersky UDS:DangerousObject.Multi.Generic
Sophos Mal/Weelsof-E
McAfee Artemis!3489157DF74A
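
Added example (not part of the original post): a Python triage check that scores a raw message against the indicators visible in the samples above, namely the three subjects, the `name_idNN` style sender local part, a FedEx-branded body sent under a non-FedEx display name, and the `/img/get.php?i_info=` link path. The sample messages, the `example.*` domains and the threshold of 3 are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Indicators taken from the header, subject and link samples on this page.
SUBJECTS = {"delivery notification", "ship notification",
            "delivery status notification"}
LOCAL_PART = re.compile(r"^[a-z]+[._](?:id)?\d{2}$")  # delivery.id34, information_31
LINK_PATH = re.compile(r"/img/get\.php\s*\?\s*i_info=\w+", re.I)

def score(raw):
    """Return the campaign indicators present in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    hits = []
    if (msg.get("Subject") or "").strip().lower() in SUBJECTS:
        hits.append("subject")
    display, addr = parseaddr(msg.get("From", ""))
    envelope = parseaddr(msg.get("X-Envelope-From", ""))[1] or addr
    if LOCAL_PART.match(envelope.split("@")[0].lower()):
        hits.append("sender-local-part")
    body = msg.get_payload()
    body = body if isinstance(body, str) else ""  # multipart handling omitted
    # Body claims to be FedEx, but neither display name nor address does.
    if "fedex" in body.lower() and "fedex" not in (display + addr).lower():
        hits.append("brand-mismatch")
    if LINK_PATH.search(body):
        hits.append("link-path")
    return hits

def is_campaign(raw, threshold=3):
    """A single hit (e.g. the subject alone) is weak; require several."""
    return len(score(raw)) >= threshold

# Constructed sample messages; the example.* domains are placeholders.
PHISH = """\
X-Envelope-From: delivery.id34@example.net
From: "Economy Shipping" <delivery.id34@example.net>
Subject: Ship Notification

Dear Client, your parcel includes an item forbidden for shipment.
Print Shipment Label: http://compromised.example/img/get.php?i_info=ss00_323
FedEx Customer Service Team.
"""
LEGIT = """\
From: "FedEx Tracking" <tracking@fedex.example>
Subject: Delivery Notification

Your FedEx package was delivered.
"""
```

The subject lines alone also match ordinary carrier mail, which is why `is_campaign` requires several indicators before flagging a message.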

