United Parcel Service notification
X-Apparently-To: x via 126.96.36.199; Sun, 08 May 2011 06:29:45 +0000
Received-SPF: none (mta1035.mail.ird.yahoo.com: domain of email@example.com does not designate permitted sender hosts)
Authentication-Results: mta1035.mail.ird.yahoo.com from=ups.com; domainkeys=neutral (no sig); from=ups.com;
dkim=neutral (no sig)
Received: from 127.0.0.1 (HELO ups.com) (188.8.131.52)
by mta1035.mail.ird.yahoo.com with SMTP; Sun, 08 May 2011 06:29:45 +0000
Received: from group21.345mail.com [184.108.40.206] by smtp4.cyberemailings.com with LOCAL; Sun, 08 May 2011 07:26:50
Received: from [220.127.116.11] by mxs.perenter.com with LOCAL; Sun, 08 May 2011 07:10:45 +0100
Received: from mts.locks.grgtween.net [18.104.22.168] by mmx09.tilkbans.com with QMQP; Sun, 08 May 2011 06:56:57 +0100
Received: from relay.2yahoo.com [22.214.171.124] by snmp.otwaloow.com with LOCAL; Sun, 08 May 2011 06:45:18 +0100
Date: Sun, 08 May 2011 06:45:18 +0100
Reply-To: "UPS" <firstname.lastname@example.org>
From: "UPS" <email@example.com>
User-Agent: Mozilla 4.78 [en] (Win98; U)
Subject: United Parcel Service notification
tracking number # 7428528
The parcel was sent your home adress.
And it will arrive within 5 buisness d
UPS Express Delivery system (c)
The e-mail refers to an attachment named 'document.zip'. This zip file contains an executable file (document.exe) infected with a Trojan Downloader, classified as Trojan-Downloader.Win32.Deliver.m. Opening this file will NOT give you the promised tracking number; it gives you a Trojan Downloader that steals confidential user information instead.
Take note of the formatting applied to some of the letters (bold, italics, strikethrough and even varying text colours). We believe this is likely done to bypass spam filters by breaking up common spam trigger words with normal HTML markup.
These e-mails are quite common these days and each one we've analysed so far has the same M.O., namely a notification that a parcel was sent to your home address. To obtain the tracking number you need to open an attachment that's infected with some form of malicious software. We believe that the success rate of these malware spam e-mails is quite high, otherwise the malware spammers would have changed their tactics by now.
To prevent infection from e-mails like these, stick to this simple rule of thumb: never open executable files (files with an '.exe' extension) sent to you via e-mail (unless, of course, you explicitly requested a specific executable file from a trustworthy source). Remember, with an e-mail like this, there is no need to embed or hide the tracking number in an attachment. The courier can include the tracking number in the body of the e-mail.
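One way a mail gateway or triage script could enforce the rule above is to list executable attachments, looking inside zip archives as well as at top-level files. This is an added example, not part of the original write-up; the extension list, the function names and the constructed sample message (placeholder addresses and a harmless placeholder in place of document.exe) are assumptions for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions treated as executable: an assumed, non-exhaustive policy list.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}

def is_executable(name: str) -> bool:
    # Windows ignores trailing dots and spaces, so strip them before matching.
    name = name.lower().rstrip(". ")
    return any(name.endswith(ext) for ext in EXECUTABLE_EXTS)

def executable_attachments(raw: bytes) -> list[str]:
    """Return names of executable attachments, including members of zip files."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if is_executable(name):
            hits.append(name)
        data = part.get_payload(decode=True) or b""
        # Judge by content, not by the declared file name or MIME type.
        if zipfile.is_zipfile(io.BytesIO(data)):
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    # Only member names are read; nothing is extracted.
                    hits += [f"{name}!{m}" for m in zf.namelist() if is_executable(m)]
            except zipfile.BadZipFile:
                hits.append(f"{name}!<unreadable zip>")
    return hits

def build_sample() -> bytes:
    """Constructed message shaped like the one on this page (harmless payload)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.exe", b"placeholder bytes, not a real program")
    msg = EmailMessage()
    msg["From"] = '"UPS" <sender@example.com>'
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "United Parcel Service notification"
    msg.set_content("tracking number # 7428528")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="document.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(executable_attachments(build_sample()))
```

A non-empty result is a reason to quarantine the message before it reaches a mailbox.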