Special Delivery: Malware via UPS Email Scam


A new cyberscam attempts to spread malware through fake delivery rescheduling emails from UPS. Emails contain a malicious link disguised as a package tracking number. Recipients who click on the link initiate a zip file download that contains the malware in an executable file.

Cisco Systems has noted a significant increase in attempted malware campaigns that propagate via this scam on networks supported by its equipment. According to that alert, the fraudulent email uses the following text:

At the request of the shipper, please be advised that delivery of the following shipment has been rescheduled.
Important Delivery Information
UPS
Discover more about UPS:
Visit ups.com
Tracking Number: 1Z522A9A6892487822
Rescheduled Delivery Date: 14-April-2014
Exception Reason: THE CUSTOMER WAS NOT AVAILABLE ON THE 1ST ATTEMPT. A 2ND ATTEMPT WILL BE MADE
Exception Resolution: PACKAGE WILL BE DELIVERED NEXT BUSINESS DAY.
Shipment Detail 1Z522A9A6892487822
This e-mail contains proprietary information and may be confidential. If you are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution or copying of this message is strictly prohibited. If you received this message in error, please delete it immediately.
This e-mail was automatically generated by UPS email services at the shipper’s request. Any reply to this e-mail will not be received by UPS or the shipper. Please contact the shipper directly if you have questions regarding the referenced shipment or you wish to discontinue this notification service.
© 2014 United Parcel Service of America, Inc. UPS, the UPS brandmark, and the color brown are trademarks of United Parcel Service of America, Inc. All rights reserved.
For more information on UPS’s privacy practices, refer to the UPS Privacy Policy.
Please do not reply directly to this e-mail. UPS will not receive any reply message.
For questions or comments, visit Contact UPS.
This communication contains proprietary information and may be confidential… If you are not the intended recipient, the reading, copying, disclosure or other use of the contents of this e-mail is strictly prohibited and you are instructed to please delete this e-mail immediately.
Privacy Notice
Contact UPS

Cisco’s full report, which contains filenames for the malicious files and an MD5 checksum for the email, can be viewed in full here.

A Dangerous Package

The nature of this latest campaign suggests that it targets employees at medium-sized companies and large corporations; we can infer this from the make-up of Cisco’s clientele. What is also interesting, however, is the pretext of the scam: it is designed to fool someone who has recently ordered a package online, and in today’s delivery-on-demand environment that could include just about anyone. The technique itself is by no means new.

Cisco’s alert does not delve into the details of the malware delivered by the malicious link, most likely because Cisco has observed a wide variety of threats. In the past, Emsisoft has seen similar spam campaigns using fake emails from Western Union, DHL, and FedEx to spread the Sasfis malware, which our software detects as Trojan-Dropper.Win32.Oficla.

To protect yourself from this latest spam campaign, we recommend, as always, caution when dealing with unsolicited emails. Delivery tracking number scams are particularly effective at spreading malware because most people don’t take the time to investigate the number that is sent and confirm that it matches the one from their actual order, especially when that number is packed into a message as dense as the one intercepted by Cisco. It’s for this reason that we have designed Emsisoft Anti-Malware to prevent infection from malicious links for you. Our technology combines a malware signature database of over 12,000,000 variants with Behavior Blocking technology that recognizes malicious background processes attempting to reconfigure your computer.
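The check a mail filter or a cautious recipient could apply to the lure quoted above, as an added example that is not part of the original post or of Emsisoft’s products: it parses the HTML body of a message and flags any link whose visible text is a UPS-style tracking number but whose destination is not a ups.com host, or whose path ends in an archive or executable. The sample email, the attacker hostname and the list of legitimate hosts are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tracking-number format used in the quoted lure: "1Z" plus 16 alphanumerics.
TRACKING_RE = re.compile(r"^1Z[0-9A-Z]{16}$")
LEGIT_HOSTS = ("ups.com",)  # assumption: the only hosts a genuine UPS link should use
ARCHIVE_EXTS = (".zip", ".exe", ".scr", ".rar")  # a tracking link should never end here


class _AnchorCollector(HTMLParser):
    """Collects (href, visible_text) pairs for every <a> in an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _is_ups_host(host):
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in LEGIT_HOSTS)


def suspicious_tracking_links(html_body):
    """Return hrefs that look like a tracking number but leave UPS, or that
    point straight at an archive/executable download (the zip in this campaign)."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    flagged = []
    for href, text in parser.links:
        url = urlparse(href)
        looks_like_tracking = bool(TRACKING_RE.match(text.replace(" ", "")))
        leaves_ups = not _is_ups_host(url.hostname or "")
        if (looks_like_tracking and leaves_ups) or url.path.lower().endswith(ARCHIVE_EXTS):
            flagged.append(href)
    return flagged


# Constructed sample modelled on the lure above; "attacker.example" is a placeholder host.
SAMPLE_EMAIL = """
<p>Tracking Number: <a href="http://attacker.example/ups/1Z522A9A6892487822.zip">1Z522A9A6892487822</a></p>
<p>Discover more about UPS: <a href="https://www.ups.com/">Visit ups.com</a></p>
<p>Shipment Detail <a href="https://www.ups.com/track?tracknum=1Z522A9A6892487822">1Z522A9A6892487822</a></p>
"""

if __name__ == "__main__":
    for href in suspicious_tracking_links(SAMPLE_EMAIL):
        print("suspicious:", href)
```

Only the first link is reported: its anchor text is the tracking number from the lure while its target is a non-UPS host serving a zip archive; the two genuine ups.com links pass.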

In the event that you or someone you know may have become infected by any malware propagated by the UPS tracking number scam, please don’t hesitate to contact our experts at the Help My PC is Infected! support forum. Having dealt with more than a few dangerous packages, they’re kind of like a digital bomb squad – and their services are free even if you’re not an Emsisoft customer yet.

Have a nice (malware-free) day.

  • Legend

    They are getting better and better at creating convincing phishing emails, created to drop malware via links, or just plain phishing for personal information. In the beginning, many such emails were easily spotted due to a lot of wrong syntax and spelling errors. But that is definitely not the case anymore. But if you have any doubt about the true nature or intent of an email, then it is better to just delete it. Better safe than sorry, just my point of view :-))