DHL delivery report email scam delivers malware 'packages'
March 20, 2013
As I predicted on March 17, this week is off to a running start for email-borne malware scams. Today we are seeing an ongoing spam blast with the subject "DHL delivery report", whose messages carry malware attachments.
Here are some identifying words and phrases to look out for when (not if) you receive this email message.
Subject: DHL delivery report (or similar)
From: "(A spoofed personal name) - DHL regional manager" <[email protected]>
Body Text: (dozens of lines of HTML precede readable text)
Our company's courier couldn't make the delivery of parcel.
REASON: Postal code contains an error.
LOCATION OF YOUR PARCEL: New York
DELIVERY STATUS: sort order
SERVICE: One-day Shipping
NUMBER OF YOUR PARCEL: ETBAKPRSU3
Label is enclosed to the letter.
Print a label and show it at your post office.
An additional information: If the parcel isn't received within 15 working days our company will have the right to claim compensation from you for it's keeping in the amount of $8.26 for each day of keeping of it.
You can find the information about the procedure and conditions of parcels keeping in the nearest office.
Thank you for using our services.
The attachment is not a printable label, as claimed, but is the Bredolab botnet downloader/installer.
Do you notice the inconsistency between the name of the company being spoofed and the place you are told to take the printed label? The label is supposed to be taken to "your post office," yet the message claims to come from DHL, a private courier service that is totally unaffiliated with the US, Canadian, Australian or British postal services. You should not allow such errors to get past your bullshit detectors. Neither DHL, nor FedEx, nor UPS would ask you to take a printed form to your "post office"; they are in competition with your postal service!
Note the part that tries to panic recipients into acting quickly: "If the parcel isn't received within 15 working days our company will have the right to claim compensation from you for it's keeping in the amount of $8.26 for each day of keeping of it." This is meant to goad the recipient into acting on the message (printing the 'label') without thinking it through or paying closer attention to the grammatical errors.
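As an added illustration, not part of the original post, here is a small Python triage function that scores an incoming message against the indicators listed above: the subject line, the "DHL regional manager" sender title, the body phrases, the courier-versus-post-office inconsistency, and a "label" that is really an executable-style attachment. The sample message is constructed here to reproduce the quoted scam; its sender address and attachment file name are assumptions, not values from the original mail.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators lifted from the scam message quoted in the post.
SUBJECT_RE = re.compile(r"\bDHL delivery report\b", re.I)
SENDER_TITLE_RE = re.compile(r"DHL regional manager", re.I)
BODY_PHRASES = ("courier couldn't make the delivery of parcel", "postal code contains an error",
                "label is enclosed to the letter", "print a label and show it at your post office",
                "claim compensation from you")
PRIVATE_COURIER_RE = re.compile(r"\b(dhl|fedex|ups)\b")
RISKY_EXT = (".exe", ".scr", ".com", ".pif", ".zip")


def score_message(raw: bytes) -> dict:
    """Return the indicators found in one raw RFC 5322 message plus a verdict."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject, sender = msg.get("Subject", ""), msg.get("From", "")
    part = msg.get_body(preferencelist=("plain", "html"))
    text = part.get_content() if part else ""
    # The real mail buries the text under dozens of HTML lines: strip tags,
    # unify curly apostrophes and whitespace before phrase matching.
    norm = " ".join(re.sub(r"<[^>]+>", " ", text).replace("\u2019", "'").split()).lower()
    hits = []
    if SUBJECT_RE.search(subject):
        hits.append("subject")
    if SENDER_TITLE_RE.search(sender):
        hits.append("sender-title")
    hits += ["phrase:" + p for p in BODY_PHRASES if p in norm]
    # A private courier sending you to the post office is the giveaway the post highlights.
    if PRIVATE_COURIER_RE.search(norm + " " + sender.lower()) and "post office" in norm:
        hits.append("courier-vs-post-office")
    for att in msg.iter_attachments():  # the "label" arrives as an executable-style attachment
        name = (att.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            hits.append("attachment:" + name)
    return {"hits": hits, "score": len(hits), "verdict": "quarantine" if len(hits) >= 3 else "deliver"}


def build_sample() -> bytes:
    """Constructed reproduction of the quoted scam; address and file name are assumptions."""
    m = EmailMessage()
    m["From"] = '"J. Doe - DHL regional manager" <manager@example.invalid>'
    m["Subject"] = "DHL delivery report"
    m.set_content("Our company's courier couldn't make the delivery of parcel.\n"
                  "REASON: Postal code contains an error.\nLabel is enclosed to the letter.\n"
                  "Print a label and show it at your post office.\n")
    m.add_attachment(b"placeholder bytes, not a real archive", maintype="application",
                     subtype="zip", filename="DHL_label.zip")
    return m.as_bytes()
```

Running `score_message(build_sample())` reports eight indicators and a "quarantine" verdict; a threshold of three keeps a single coincidental phrase in a genuine shipping notice from being quarantined.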
If you fell for this scam, assume that your computer is infected with a botnet controller and possibly information-stealing Trojans. If you have anti-virus and/or anti-spyware programs installed, assume that they failed you until proven otherwise. While I often recommend this or that security program, something else came to mind for this case: why scan with one company's security scanner when you can have multiple scans performed under one blanket app?
I am referring to a commercial security program I am affiliated with, named Hitman Pro. It is a specialized 'second opinion' malware detection tool, often employed in malware removal forums. Hitman scans for threats for free, and it detects and removes the ZeroAccess rootkit when others don't. This rootkit is often deployed by botnet installers to protect their ill-gotten access to your computer.
Scanning with Hitman Pro is always free. Removal requires the fully functional 30-day free trial or a purchased license. Start a free 30-day trial to remove any detected malware, or buy a 1 year, 1 PC subscription for $19.95.
I would take the 30-day free trial and see if Hitman finds and removes malware that you have picked up over the Interwebs. If you are happy with the results, license it for a year. If not, be happy it helped you out one time for free.
Trend Micro Internet Security products, for home and office users, use in-the-cloud malware definitions that are updated all day, every day, as soon as new or altered strains of viruses and other malware are detected in the wild and analyzed. By offloading the bulk of these ever-changing virus definitions to cloud servers, the load on your computer is greatly reduced. All users of Trend security programs are instantly protected from hostile web pages laden with malware exploits, and from hostile email, by the Trend Micro Smart Protection Network.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.