« Fix for MovableType loses ability to assign categories to entries | Blog Home | Java is most exploited browser plug-in. Disable if not needed! »

Bookmark and Share

Anatomy of an email scam spoofing FedEx and Post Office

Christmas Eve, 2012

I want to alert my readers to a spam run I saw over the last couple of days and also explain what the purpose of the scam really is. This is a new variation of a long-running scam spoofing both your Post Office and a major brand courier service, leading directly to a malware attack.

This particular variant may well become the template for ongoing spam campaigns, if the success rate is high enough. Right now, 'tis the season to receive gifts and the bait in this email scam may well trap a lot of eager folks who just may be waiting for a promised delivery of a present or online purchase.

It starts with a message claiming to be from either "Worldwide Express Mail," or "Shipping Service," or "Postal Service," with an incomprehensible "tracking" or ID number as the subject. Most have this body text, or something almost the same as this:

Your parcel has arrived at the post office at December 20.Our courier
was unable to deliver the parcel to you.

To receive a parcel, please, go to the nearest our office and show
this receipt.


Best Regards, The FedEx Team.

Here is where wisdom and suspicion are your best friends. The message text contains horrible grammar, and both a reference to a "POSTAL RECEIPT" and to "FedEx." I hope that most of you are aware that FedEx is a courier service and is NOT associated with the "Postal Service," nor do they issue "Postal Receipts." You Country's official Postal Service does that. Yet, almost every email courier scam I have seen over the last year confuses at least two, if not three services: the US Postal Service (USPS), FedEx (a private company) and UPS (United Parcel Service).

If you receive one of these failed delivery scams and you see any sign of confusion about who was supposedly delivering the package, usually accompanied by bad grammar and sentence structure, delete it immediately.

So, if this is a scam, what is the payload and what is its purpose?

In some of the courier scams you are presented with an attachment (attached file). In others you are given a clickable link. Both of these methods are used to deliver malicious executables to your computer. But, in these current scams there is a link that downloads what would usually be an attached "Zipfile," which contains a concealed executable with the same name as the Zip file. In the current scam, the carrier file is named: "PostalReceipt.zip" and the unzipped executable payload is named "PostalReceipt.exe."

These files are not hosted by the Post Office, Postal Service, FedEx, or UPS, but are hosted on infected computers. Their job is to present you with a pop-up download box, offering the options to Open/Run or Save the Zip file. The payload is disguised as a printable receipt that one needs to claim their undelivered package, so it is understandable that many unwary people might choose to open or run that file.

What is inside PostalReceipt.zip and PostalReceipt.exe?

The Win32/Kuluoz.B Backdoor Downloader Trojan.

Once activated, this malware silently proceeds to download other malware, such as bank account stealing Trojans, or fake anti-virus, like the current crop of rogues called "Microsoft Antivirus 2013." This malware begins to scan your computer and displays an alarming number of fake detections of bad software, then tries to scam you into paying about a hundred bucks to remove the alleged threats. Other payloads may be a type of malware that locks your PC until you pay a (Police, FBI, etc.) ransom, which they call a "Fine."

If you read this before you encounter one of these scams, you will save yourself the trouble or expense of disinfecting your computers. If you fall for one that delivers a banking Trojan, you may not have any money left in your bank account to pay anybody to disinfect the PC!

These threats morph every few days, or on a weekly basis, as does the file names in the attachments, or at the end of poisoned links. Don't assume that your anti-virus already knows about these new files. It may or may not. It really takes about a day before all of the major anti-malware companies identify these variants and push out definitions to block them. You are the first line of defense! Stay alert now and forever! The bad guys really are out to get us. Chance favors the prepared mind.

If you did click on a poisoned link, you need to disinfect your computer. Here are some options for you to employ:

Have a safe, virus-free and very Merry Christmas!

Bookmark and Share  

Trend Micro Internet Security products, for home and office users, use in-the-cloud malware definitions that are updated every day, all day, as soon as new or altered strains of viruses and other malware are detected in the wild and analyzed. By offloading the bulk of these ever changing virus definitions to cloud servers, the load on your computers is greatly reduced. All users of Trend security programs are instantly protected from hostile web pages laden with malware exploits and hostile email, by the Trend Micro Smart Protection Network.

Creative Commons License This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.
Powered by
Movable Type 4.38

About the author
Wiz FeinbergWiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security and combating spam. Wizcrafts Computer Services was established in 1996.

I produce this blog and website at my own expense. If you find this information valuable please consider making a donation via PayPal.

We are hosted on Bluehost and couldn't be happier!

Fight website spammers