Mixed up malware spammer, confusing UPS with FedEx
October 23, 2012
Spam email containing malware in attachments is nothing new to most of us Netizens who have been online long enough to have our email accounts harvested by spammers. Most of the time we have to take a close look at the content of any email message to see if it might be a scam, even if it comes from a sender whose name or company we recognize. Not so with the spam message I received around midnight Oct 22, 2012.
Most of us have received email scams spoofing UPS, FedEx, or other courier services, and some can be pretty convincing. But I have to rate this message with a BIG FAIL! You have to read this mangled English text that I found inside a scam spoofing both UPS AND FedEx.
From: "ups" <firstname.lastname@example.org>
Subject: Your Package FE N75985662
fedex.com|Ship|Track|Manage|Office/Print Services (missing hyperlinks, just text!)
We apologize, but it seem so, that we not can deliver your package. One of our trucks is burned tonight. In attachment you can find a form for insurance. Please fill it out and send it us urgent, because we must told amount of damage to the Insurance company.
If you looked at the From field in your email client, it would clearly claim to be from "ups" and "email@example.com." Note the Subject, which contains an alleged shipping code beginning with "FE" - belonging to FedEx, not UPS! This shows confusion on the part of the spammer who composed the template for the spam run.
The message, when opened, is missing some of the images it tried to steal from the FedEx servers. But the best giveaway that this is a scam is the horrible English grammar in the hook text. It is so poorly worded that a 10-year-old should see it as a scam. Check out these badly worded phrases:
- but it seem so...
- One of our trucks is burned...
- In attachment...
- send it us urgent...
- we must told amount of damage...
The attachment in this case was a Zip file named "Fedex_ID99278-3P.zip" containing a malware backdoor installer and Trojan loader, called "W32.Cridex" by Symantec.
For your own safety, when you receive email messages, note the Sender's name, email address and domain, subject and body text. If the message claims to come from a company, the names should be consistent in all of these areas. No matter what language it was composed in, the grammar should be correct and businesslike. No actual company with a known brand name will ever send out an email with such horrible use of language/grammar as the above example.
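The consistency check described above can also be automated at a mail gateway or in a triage script. The following is an added example, not code from the original post: the brand patterns, function names and flag names are assumptions, the sample message is constructed from the headers quoted above, and the attachment bytes are a harmless stub.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Brand patterns are assumptions for this example; "FE N<digits>" is the
# tracking-code shape seen in the sample Subject line.
BRANDS = {"UPS": re.compile(r"\bups\b", re.I),
          "FedEx": re.compile(r"fedex|\bFE N\d+", re.I)}

def brands_in(text):
    """Return the set of courier brands named in a piece of text."""
    return {name for name, rx in BRANDS.items() if rx.search(text or "")}

def check_message(raw):
    """Flag brand inconsistencies across sender, subject, body, attachments."""
    msg = message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    body, names = [], []
    for part in msg.walk():
        if part.get_filename():
            names.append(part.get_filename())
        elif part.get_content_type() == "text/plain":
            body.append(part.get_content())
    fields = {"from_name": brands_in(display),
              "from_domain": brands_in(addr.rpartition("@")[2]),
              "subject": brands_in(str(msg.get("Subject", ""))),
              "body": brands_in("\n".join(body)),
              "attachment": brands_in(" ".join(names))}
    flags = []
    if len(set().union(*fields.values())) > 1:
        flags.append("brand_mismatch")           # e.g. UPS sender, FedEx subject
    if fields["from_name"] - fields["from_domain"]:
        flags.append("sender_domain_unrelated")  # claimed brand not in domain
    if any(n.lower().endswith(".zip") for n in names):
        flags.append("zip_attachment")
    return fields, flags

def build_message(sender, subject, body, attachment=None):
    """Build a constructed test message; attachment bytes are a harmless stub."""
    m = EmailMessage()
    m["From"], m["Subject"] = sender, subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"stub", maintype="application",
                         subtype="zip", filename=attachment)
    return m.as_string()

if __name__ == "__main__":
    print(check_message(build_message(
        '"ups" <firstname.lastname@example.org>', "Your Package FE N75985662",
        "fedex.com|Ship|Track|Manage|Office/Print Services",
        "Fedex_ID99278-3P.zip")))
```

A flag here is a reason to look closer, not a verdict: legitimate mail sent through third-party services can also trip the sender-domain check.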
Always keep an anti-malware or anti-virus program active on all of your computers and smartphones/tablets that connect to the Internet. But you are the first line of defense against scams. Use the common sense God granted to you when reading email messages! Many spammers and scammers are located in distant countries and English is not their first language. Some may even use dictionaries to translate templates composed by other spammers, who are usually located in Eastern Europe. Poor grammar and spelling are a dead giveaway that the message is a scam of some kind.
Trend Micro Internet Security products, for home and office users, use in-the-cloud malware definitions that are updated every day, all day, as soon as new or altered strains of viruses and other malware are detected in the wild and analyzed. By offloading the bulk of these ever-changing virus definitions to cloud servers, the load on your computers is greatly reduced. All users of Trend security programs are instantly protected from hostile web pages laden with malware exploits and hostile email, by the Trend Micro Smart Protection Network.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use or derivative work requires written permission from the author.