Beware of Fake UPS, DHL, Post Express Email Notification

Recently one of my email addresses has been constantly receiving emails from “DHL system”, “Post Express notification”, “Post Express Information”, “United Parcel Service” and “Post Express Parcel”. I started receiving those emails on 9th March and am still getting them today. Before we go any further, please note that all of those emails are FAKE and contain an attachment which is malware that installs fake anti-spyware software on your computer, trying to convince you that your computer has tons of infections so that you pay them money to register the software. To be honest, I nearly fell for the trick and ran the attachment because, so coincidentally, I was expecting a package from DHL and had signed up for email notification…

From:

ioprt14@dhl.com
supportmip11@dhl.com
upder@ups.com
postmail-usid.3949@greensboro.com
dhltrak11@dhl.com
dhltraki1@dhl.com
postmail-usa.8273@omaha.com
infojs@ups.com
adsupport3@ups.com
dfsupports1@ups.com
adminsuppo2@dhl.com
infoad2@ups.com
infoad22@ups.com
finsup4@ups.com
upder4@ups.com
postmail-int69136@durham.com
postservicese2@dhl.com
supportmo@dhl.com

Attachments:

Post_Express_Label_No.30845.zip
UPS-document.zip
UPS notification.zip
United Parcel Service Notification Letter.zip
United Parcel Service document.zip
UPSnotify.rar
Post_Express_Label_SER.71816.zip
tracking.zip
Post_Express_Label_VID99184.zip
document.zip
DHL_documents.zip
UPS.zip
dhl.zip

Message Body:

Dear customer. The parcel was send your home address. And it will arrice within 7 bussness day. More information and the tracking number are attached in document below.

Dear Customer. Email notification No.4185840. Your package has been returned to the Post Express office. The reason of the return is “Error in the delivery address”. Important message! Attached to the letter mailing label contains the details of the package delivery. You have to print mailing label, and come in the Post Express office in order to receive the packages! Thank you for your attention. Post Express Service.

Dear customer. The parcel was sent your home address. And it will arrive within 3 business day. More information and the tracking number are attached in document below. Thank you. © 1994-2011 United Parcel Service of America, Inc.
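The sender addresses, attachment names and message bodies above share one shape: a courier-branded sender and a zip “shipping label” that actually holds an executable. The following script is an added example (not code from the original post) that triages a raw email for exactly that pattern using Python's standard library: it reads the `From:` domain, lists the attachments, and opens any zip to look for executable file names inside. The sample message it builds is constructed for the demonstration; the address `infojs@ups.com` and the name `UPS-document.zip` come from the lists above, while the file inside the zip is a placeholder byte string, not a program.

```python
import email
import email.utils
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Sender domains the campaign described above impersonates (from the From: list).
COURIER_DOMAINS = {"dhl.com", "ups.com"}
# Extensions that should never arrive inside a "shipping label" archive.
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")


def build_sample_eml(sender: str, archive_name: str, inner_name: str) -> bytes:
    """Construct a test message carrying a zip attachment.

    The file inside the zip is a placeholder byte string, not a real program;
    only the sender address and attachment name mirror the post's lists.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, b"placeholder content, not an executable")
    msg = EmailMessage()
    msg["From"] = f"United Parcel Service <{sender}>"
    msg["To"] = "customer@example.test"
    msg["Subject"] = "United Parcel Service Notification"
    msg.set_content("Dear customer. The parcel was sent your home address. "
                    "More information and the tracking number are attached in document below.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=archive_name)
    return msg.as_bytes()


def sender_domain(msg) -> str:
    """Domain part of the From: address, lower-cased; empty if unparseable."""
    _, addr = email.utils.parseaddr(str(msg.get("From", "")))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def executables_in_zip(data: bytes) -> list:
    """Entries with an executable extension; non-zip data (e.g. .rar) yields []."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_EXTS)]
    except zipfile.BadZipFile:
        return []


def triage(raw: bytes) -> dict:
    """Return the sender domain, a list of findings and a verdict for one message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    domain = sender_domain(msg)
    findings = []
    if domain in COURIER_DOMAINS:
        findings.append(f"sender claims courier domain {domain}")
    has_archive = has_exe = False
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if name.lower().endswith((".zip", ".rar")):
            has_archive = True
            findings.append(f"archive attachment {name}")
        for exe in executables_in_zip(payload):
            has_exe = True
            findings.append(f"executable inside {name}: {exe}")
    # Verdict: an executable inside an archive is enough on its own; a courier-
    # branded sender with any archive (including .rar, which stdlib cannot open)
    # matches the pattern described on this page.
    suspicious = has_exe or (has_archive and domain in COURIER_DOMAINS)
    return {"sender_domain": domain, "findings": findings, "suspicious": suspicious}


if __name__ == "__main__":
    sample = build_sample_eml("infojs@ups.com", "UPS-document.zip", "UPS-document.exe")
    result = triage(sample)
    for line in result["findings"]:
        print(line)
    print("suspicious:", result["suspicious"])
```

Only zip archives are opened here; a `.rar` attachment from a courier-branded sender is still flagged because the combination, not the archive format, is what the campaign relies on.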

I ran all of the attachments on my test computer and found a lot of interesting things happening.

– The executable attachment “melts” (deletes itself after running) and drops a document.doc file showing details of the delivery parcel.

– It secretly downloads and installs Win 7 Anti-Spyware 2011 or Win 7 Anti-Virus 2011 and shows a fake Action Center. It tries to convince you that your computer has viruses so that you will enter your credit card details in the software to register it.


– When Task Manager is run, a fake Microsoft Security Essentials Alert window opens. If you click the Scan Online button, the computer restarts and runs CleanThis, “World’s leading security solution”. There is no way to get back into Windows, even in Safe Mode, because CleanThis runs automatically before Explorer and disables Windows Task Manager (Ctrl+Shift+Esc). The only way to clean this up is by using an antivirus rescue disk, preferably Avira or Kaspersky.

– Connections are made secretly to Yahoo SMTP, AOL SMTP, Gmail SMTP and GMX SMTP servers, and to IP addresses in Ukraine and the UK.
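The last observation is the one a network defender can catch without any file analysis: a single workstation quietly opening SMTP sessions to several webmail providers is a spam-bot signature, since ordinary users submit mail to one relay. The script below is an added example, not part of the original post, that runs this check over firewall log lines. The log lines and the `key=value` format are constructed for the demonstration; `10.0.0.23` plays the infected machine and `10.0.0.40` a normal user sending one message through the internal relay `10.0.0.5`.

```python
import re
from collections import defaultdict

# Ports used for SMTP delivery and submission. A workstation normally talks to
# a single relay on these ports, not to several external mail hosts.
SMTP_PORTS = {25, 465, 587}

# Constructed firewall log (not from the post). One line is deliberately
# malformed to show that unparseable input is skipped rather than crashing.
SAMPLE_LOG = """\
2011-03-20T10:01:02 src=10.0.0.23 dst=203.0.113.10 dport=25 proto=tcp
2011-03-20T10:01:03 src=10.0.0.23 dst=203.0.113.11 dport=465 proto=tcp
2011-03-20T10:01:04 src=10.0.0.23 dst=203.0.113.12 dport=587 proto=tcp
2011-03-20T10:01:05 src=10.0.0.23 dst=203.0.113.13 dport=25 proto=tcp
2011-03-20T10:01:06 src=10.0.0.23 dst=198.51.100.9 dport=80 proto=tcp
2011-03-20T10:02:00 src=10.0.0.40 dst=10.0.0.5 dport=587 proto=tcp
this line is garbage and does not parse
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_line(line: str):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def find_smtp_fanout(lines, threshold: int = 3) -> dict:
    """Map each source host to its distinct SMTP destinations when that count
    reaches `threshold`; hosts below the threshold are not reported."""
    destinations = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp" or rec["dport"] not in SMTP_PORTS:
            continue
        destinations[rec["src"]].add(rec["dst"])
    return {src: sorted(dsts) for src, dsts in destinations.items()
            if len(dsts) >= threshold}


if __name__ == "__main__":
    for src, dsts in find_smtp_fanout(SAMPLE_LOG.splitlines()).items():
        print(f"{src} opened SMTP sessions to {len(dsts)} distinct hosts: {', '.join(dsts)}")
```

The threshold of three distinct SMTP destinations is a starting point; on a network where workstations are only allowed to reach the internal relay, any external SMTP destination from a client is worth an alert on its own.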

The older attachments are already detected by most antivirus products, but as for the latest one which I’ve just received, only 18 out of 41 antivirus engines detect it as a trojan. Some of the famous antivirus brands such as Avast, AVG, Comodo, Panda and F-Secure missed it. I believe the person who created this is not going to stop any time soon, because I can see that every newer version has improved infection logic and the typing errors (typos) corrected. Antivirus is not going to fully protect your computer if you’re one of the earlier people to receive the newer version of the malware. You can either immediately delete the email or submit the sample to the antivirus company. Most antivirus products have a built-in feature to directly upload a suspicious file to their analysts.
