Capitalizing on the Holidays: FedEx Malware Spam
Written by Malcolm James on December 17, 2012
Like Santa Claus and his cadre of industrious elves, spammers don’t take time off for the holidays. Unlike the jolly old elf and his posse, however, the email-happy scam artists are devious, black-hearted little children who deserve giant lumps of coal. Never is this truer than at this time of the year, when retail sales explode and the average gift buyer tries to stay ahead of the game by stumbling through the dizzying maze of online shopping opportunities. Online purchases require shipping, and spammers know that, too. So it shouldn’t be surprising, even if it is disheartening, that there are dark souls out there capitalizing on the probability that their targets might have ordered something – perhaps the Clapper or Chia Pet that I clamor for every year and, sadly, never get – and will become the proverbial fly to the spammer’s spider.
That’s why, in the confusing mayhem of the holiday season, anyone who uses email should be aware of the latest scam, this one in the form of a very realistic-looking email that appears to come from Federal Express. As several sources report, the bogus email appears to be the real thing, FedEx logo and all, with a notification that the recipient has a parcel they need to pick up.
“Dear Customer, Your parcel has arrived at the post office at December 4.Our postrider was unable to deliver the parcel to you. To receive a parcel, please, go to the nearest our office and show this postal receipt,” the email states, according to Softpedia.com.
The so-called postal receipt is a clickable icon that uses a document icon to make it appear more…well, document-y. And when it’s clicked, a ‘document reader’ application launches, giving the appearance that everything is good in Chia Pet land.
However, Softpedia reports, “in the background, the malicious element injects code into svchost.exe and contacts its remote command and control server in an attempt to download the payload.”
Chris Boyd over at GFI Labs notes that some browsers will pick up the dirty little piece of code and give you the option to block its download, but also that the resulting file may still end up on your system as a Word Document file pretending to be a zip file.
“Opening the “Word document” (which is actually just an executable file in disguise) will infect your PC with a little something we detect as Trojan.Win32.Generic.pak!cobra,” Chris tells us. “Before you know it, your Trojan chum will delete the original file, create hidden files and make network connections…generally not typical behaviour where a postal receipt is concerned (unless you live in the Eighth Circle of Hell).”
Firmly convinced that the real estate costs are artificially inflated and that the neighborhood is overly pretentious, I personally do not live in the Eighth Circle of Hell, but I get Chris’s point. Do not click this link, ever. Boyd points out that GFI research has linked this type of infection to ransomware, so getting nailed by this email may turn your PC into a package that no amount of ripping and tearing will open.
“These infection files have been linked to Ransomware, in this case something called “Wheelsof” and you may well find yourself locked out of your PC if unfortunate enough to fall for this one.”
It’s pretty clear that spammers, no matter how slippery they might be, are just about as stupid as an empty bucket. In an ROTFLMAO moment, Chris points out that the email message appears to come from “UPS Office” but closes with “The FedEx Team” (you can read the full text of the email on the GFI Labs blog). As Forrest Gump’s mother used to say, “stupid is as stupid does,” and Boyd gives the spammers an F for flumped.
“A lot of these fake delivery notices are pretty convincing, but hopefully the peculiar mashup of FedEx and UPS is the kind of tip-off that’s up there with Pippin lighting the Warning Beacons of Gondor.”
Lord of the Rings reference accepted, this is a dangerous email. It should be noted that shipping company spam messages aren’t unusual. In fact, a quick Google search shows that spam messages pretending to be FedEx shipping notices are quite common, giving us comfort in the knowledge that spammers are douchebags all year long.
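The tells described above (a sender that says “UPS Office” while the signature says “The FedEx Team”, the “postal receipt” lure wording, and an attachment named like a document that is really a Windows executable) can be checked mechanically. The script below is an added example written for this page; it is not code from the original post, from GFI Labs or from Softpedia. The sample message it builds is constructed, the sender and recipient addresses are placeholders, and the “receipt” attachment only carries a PE-style `MZ` header, not a real program. It uses only the Python standard library.

```python
"""
Added example (not from the original post): triage a suspicious delivery
notification against the indicators the post describes. Sample data is
constructed; nothing here is a real malware sample.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Brands these lures impersonate. A message naming one brand in From and
# another in the closing signature is the "UPS Office / FedEx Team" tell.
COURIER_BRANDS = ("fedex", "ups", "dhl", "usps")

# Wording taken from the lure text quoted in the post and its comments.
LURE_PHRASES = (
    "download postal receipt",
    "print this receipt",
    "unable to deliver the parcel",
    "nearest our office",
)

# Attachment names that claim to be a document or archive, not a program.
DOCUMENT_EXTENSIONS = (".doc", ".docx", ".pdf", ".zip", ".txt")


def brands_in(text):
    """Return the courier brand names mentioned (as whole words) in text."""
    low = text.lower()
    return {b for b in COURIER_BRANDS if re.search(rf"\b{b}\b", low)}


def looks_like_pe(data):
    """Windows executables begin with the 'MZ' DOS header whatever the filename says."""
    return data[:2] == b"MZ"


def triage(raw_message):
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""

    # 1. Brand mismatch between the From display name and the closing signature.
    from_brands = brands_in(msg.get("From", ""))
    sig_match = re.search(r"The\s+(\w+)\s+Team", text, re.IGNORECASE)
    sig_brands = brands_in(sig_match.group(0)) if sig_match else set()
    if from_brands and sig_brands and from_brands != sig_brands:
        findings.append(f"brand mismatch: From says {sorted(from_brands)}, "
                        f"signature says {sorted(sig_brands)}")

    # 2. Lure phrasing seen in this campaign.
    for phrase in LURE_PHRASES:
        if phrase in text.lower():
            findings.append(f"lure phrase: {phrase!r}")

    # 3. Attachments: a document-looking name over executable bytes, or a
    #    double extension such as receipt.doc.exe.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if name.endswith(DOCUMENT_EXTENSIONS) and looks_like_pe(payload):
            findings.append(f"executable disguised as document: {name}")
        if re.search(r"\.(doc|docx|pdf|zip)\.(exe|scr|com)$", name):
            findings.append(f"double extension: {name}")

    return findings


def build_sample():
    """Constructed lookalike of the lure quoted in the post. The attachment
    is a few bytes starting with an MZ header, not an actual executable."""
    msg = EmailMessage()
    msg["From"] = "UPS Office <notice@example.invalid>"   # placeholder address
    msg["To"] = "customer@example.invalid"                # placeholder address
    msg["Subject"] = "Your parcel"
    msg.set_content(
        "Dear Customer,\n"
        "Your parcel has arrived at the post office at December 20. "
        "Our courier was unable to deliver the parcel to you.\n"
        "To receive a parcel, please, go to the nearest our office and show this receipt.\n"
        "DOWNLOAD POSTAL RECEIPT\n"
        "Best Regards, The FedEx Team.\n"
    )
    msg.add_attachment(
        b"MZ\x90\x00" + b"\x00" * 60,   # constructed: header bytes only
        maintype="application",
        subtype="msword",
        filename="Postal_Receipt.doc",
    )
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage(build_sample()):
        print("-", finding)
```

Run against the constructed sample, the script reports the brand mismatch, three of the lure phrases, and the `.doc` attachment whose bytes start with `MZ`. The magic-byte check is the one that survives a cleaned-up lure such as the February 2013 variant quoted in the comments, since the wording changes but the disguised executable does not.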

I haven’t received anything like this, thank God. But I must say this is a very clever ad. I even think that given my knowledge in spam, I will be tempted to still click on the supposed link. It sounds very neat. It’s clean, it’s grammatically understandable, and it’s professional sounding. It could have been perfect, really, if the header or the From field also said FedEx. But then again, if it weren’t for this mistake, more people would have fallen into this malware and compromised data stored in their computers. So yeah, thanks for the mistake.
Yep, this one looks very convincing! Since the days right before Christmas are the time to receive gifts ordered online, for example, this scam is very trustworthy. Thanks for notifying us – otherwise I see many people who will easily fall for it because it is so authentic-looking.
Look out for Fed-Ex spam, too. Creepy.
Got this yesterday. Apparently the FedEx package is waiting for me at the post office? Awkward sentence structure, too. But as someone waiting for holiday orders to come in and expecting packages from relatives, I thought about it…
I’m passing on the warning to friends.
************
FedEx
Order: VGH-7840-9997774307
Order Date: Friday, 14 December 2012, 01:21 PM
Dear Customer,
Your parcel has arrived at the post office at December 20.Our courier was unable to deliver the parcel to you.
To receive a parcel, please, go to the nearest our office and show this receipt.
DOWNLOAD POSTAL RECEIPT
Best Regards, The FedEx Team.
That’s a very interesting spam. In fact, I don’t want to call it spam but rather a prank—well, a more serious prank. To tell you honestly, I was amused! It’s a good tease at FedEx and UPS. By the way, this reminds me of the video I saw a few days ago, about some FedEx guy leaving an iPad delivery at the door and a UPS guy eventually stealing it. Anyway, these two large couriers should pay attention to this stat since obviously the spammer is taking advantage of the holiday season. A lot of people are waiting for their packages and thus are more likely not to be mindful of the small inconsistent details of this e-mail once they receive this.
I actually have 3 in my inbox as I write.
Very sneaky, slimy spammers these! We’ve had four so far in the last couple days…and they look about as real as they come, in terms of capturing the FedEx logo. Scan reading, it was easy enough to seem believable. They were even clever enough to put the copyright sign with dates at the bottom!
What stopped me was remembering that FedEx, like UPS, leaves a slip to sign or take into the FedEx office, if your package is undeliverable.
But…we were waiting for packages. Had FedEx changed their protocol? Closer reading revealed terrible grammar and poor sentence structure, and even a word missing here and there. Thank God my English major came in handy.
Here’s one we got so you can see for yourselves. I’ll be spreading the word – to FedEx, friends and family, and via my social media accounts.
=============================
FedEx
Order: VGH-9106-2024138653
Order Date: Friday, 14 December 2012, 01:21 PM
Dear Customer,
Your parcel has arrived at the post office at December 20.Our courier was unable to deliver the parcel to you.
To receive a parcel, please, go to the nearest our office and show this receipt.
DOWNLOAD POSTAL RECEIPT
Best Regards, The FedEx Team.
======================
sigh
Anyone with a moderate grasp of English grammar would not be fooled by this silly email. Your parcel “has arrived” on a particular date? No; rather, it “arrived” on a particular date. It arrived “at” the fourth of December? No; rather, it arrived “on” the fourth of December. Go to the nearest “our post office” rather than the nearest “post office”? And why is “please” bracketed by commas when only the first comma is necessary (not to mention most conducive to meaning)?
I’m no fan of spam, but anyone fooled by this email hopefully received a remedial grammar book in his or her FedEx package….
Steve, that’s REALLY scary! It’s a good thing, though, that you didn’t open any of them. Is it because you’ve already read this blog? Good for you, because I know a friend of mine almost fell into it, if not for this blog link I had sent two days before he received the fake message. But he said that it really sounded kind of authentic.
I think that’s how spam is going to sound from now on. They’re getting really smarter, and I think they’re taking the time now to really study what good e-mail messages look like.
Thanks to this blog I didn’t open these messages. I have 2 sitting in my gmail spam folder and was pretty tempted to click on the links. Who doesn’t want a parcel? Tricky tricky…
Thanks to gmail putting these messages into spam I haven’t been tempted to click on them, but I have received loads. I just searched today to see what it was, and now I’m thankful I haven’t clicked on where it says print receipt.
If you have any of these emails you can send them to abuse@fedex.com
Just got this today. They’ve cleaned up the language, so it now reads:
FedEx
Tracking ID: 3454-54769042
Date: Monday, 18 February 2013, 10:22 AM
Dear Client,
Your parcel has arrived at February 25.Courier was unable to deliver the parcel to you at 25 February 06:33 PM.
To receive your parcel, please, print this receipt and go to the nearest office.
Received it a few days ago, and tried opening it as I did not suspect it was spam. The attachment did not open. Can anyone tell me if this is okay if the attachment is not opened? I have virus protection software on my laptop. Will that help screen out the malware? Help!!!
I’ve opened 2 of them as I’m expecting a parcel! What do I do now???