DHL Delivery Problem NR.59544

on September 28, 2009
Another day, another example exposing how fragile the human side of security in an organization is. Malware writers and spammers depend heavily on disguising their payload as innocent messages or software, which may even pretend to offer a service to the unsuspecting victim. The aim is to make the user perform an action: execute an infected e-mail attachment, click on a link to a compromised web site, reply to a fake unsubscribe notice, and so on; the list goes on and on.

Just recently, I discovered an e-mail in my Inbox claiming to originate from DHL Support Services. DHL is a high-profile, legitimate international company offering transport and logistics services. Attached to the e-mail was a zip archive containing an executable file. The message states that there was a problem delivering my package, for an undisclosed reason, and then tries to convince me to print the ‘invoice’ attached to the e-mail. The ‘invoice’ referred to in the message is the executable found in the zip archive.

The e-mail body and attachment claiming to originate from DHL Support Services

As previously stated, the e-mail ended up in my Inbox and my personal antivirus did not detect the attachment as malware. However, I still strongly suspect that the attached file is malware, for the following reasons:

  • The MIME From domain is listed as dhl-support.com. This domain is registered to an individual in Germany, not to the actual DHL organization.
  • I did not have any postal packages that had failed to be delivered.
  • The structure, grammar and tone used in the message do not match those a commercial company would use.
  • DHL provides package tracking through its website. Why would it send an ‘attachment’ by e-mail?
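Two of the indicators above can be checked mechanically before a message reaches the Inbox: a brand name appearing in a From domain the brand does not actually use (dhl-support.com), and a zip attachment whose ‘invoice’ is an executable. The Python below is an added example, not code from the original post or from GFI; the list of legitimate DHL sender domains and the executable extension list are assumptions, and the sample message is constructed to mirror the one described, with inert filler bytes in place of the executable.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed for this example: domains the real brand sends from, and extensions treated as executable.
LEGITIMATE_SENDER_DOMAINS = {"dhl.com", "dhl.de"}
BRAND_NAMES = ("dhl",)
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")

def sender_domain(msg):
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()  # domain of the MIME From address

def is_lookalike_domain(domain):  # brand name inside a domain the brand does not use, e.g. dhl-support.com
    return domain not in LEGITIMATE_SENDER_DOMAINS and any(b in domain for b in BRAND_NAMES)

def executables_in_zip_attachments(msg):
    """Names of executable files inside zip attachments; an unreadable zip is flagged as well."""
    found = []
    for part in msg.iter_attachments():
        if part.get_content_type() != "application/zip":
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                found += [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_EXTENSIONS)]
        except zipfile.BadZipFile:
            found.append("<unreadable zip>")
    return found

def triage(raw_message):
    """Return a list of findings for a raw RFC 822 message; an empty list means neither indicator fired."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    if is_lookalike_domain(domain := sender_domain(msg)):
        findings.append(f"lookalike sender domain: {domain}")
    findings += [f"executable inside zip attachment: {n}" for n in executables_in_zip_attachments(msg)]
    return findings

def build_sample():
    """Constructed message modelled on the one in the post; the '.exe' entry is inert filler bytes."""
    msg = EmailMessage()
    msg["From"] = "DHL Support Services <support@dhl-support.com>"
    msg["Subject"] = "DHL Delivery Problem NR.59544"
    msg.set_content("There was a problem delivering your package. Please print the attached invoice.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("DHL_invoice.exe", b"placeholder bytes, not a program")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="DHL_invoice.zip")
    return msg.as_bytes()
```

Running `triage(build_sample())` returns both findings; a message from dhl.com with a PDF attachment returns an empty list.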

Whois information for the domain dhl-support.com. Clearly, this domain is not registered to DHL.

To confirm this, I uploaded the zip archive to VirusTotal.com for analysis. As of 23 September 2009, nearly half of the antivirus engines at VirusTotal did NOT detect the attachment as malware.

Partial results after the analysis by VirusTotal.com

These engines power some of the most popular antivirus products protecting the desktops of home and business users and the servers of organizations. It takes time for an antivirus vendor to discover a new piece of malware, analyze it and distribute the updates needed to detect it. This detection gap can be the security hole for an organization, or a disaster for the home user. This is why it is important to make use of a product which has multiple different antivirus engines such as GFI MailSecurity.

The antivirus engines that did detect the malware listed it as yet another variant of the infamous Bredolab Trojan. This Trojan first appeared around May, and variants have been circulating as attachments to spam messages throughout the months since.

DHL, like any other transport services organization, will never send you an executable by e-mail to run on your desktop, for any reason. This is simply an attack on users and organizations alike. The best defense is always education. Although software does protect, as we have seen it is also prone to failure.

Comments
John Mello, September 29, 2009 3:39 pm

The DHL fakers have come a long way from their use of the company to promote Nigerian scams. This is what they were circulating a year ago:

“We are happy to inform you once again that your parcel that contain ATM CARD worth the sum of $2 million dollars is among the 24 parcels listed which is now in our office and also with your name as the receiver despite that we lost your private residential addresss, which is an indication that you can now re-send your residential address to back to the DHL company where your parcel can be delivered to you without hesitation.” (http://groups.google.com/group/news.admin.net-abuse.sightings/browse_thread/thread/fc8e98785323a282?pli=1)

This isn’t the kind of stuff to fool many people in the English-speaking world.

Andrei Zammit, October 4, 2009 2:07 pm

Spam messages and their payload are always evolving. As you noticed, first there was a simple spam message, then there was a Virus/Trojan attached, and the trend continued with variants of these Viruses. Remember when there was the breakout of image spam? It all started with some Russian criminals doing some spam trial runs. Once these runs were considered successful, literally the whole world was flooded with this spam.

Now what’s next? Spam SMS messages have become quite famous although I think it is quite an expensive operation. VOIP spam messages? Is it a possibility? Has anyone experienced some kind of load of VOIP spam messages? This would be interesting to understand and investigate.

D C Baughmansr, January 30, 2010 2:06 am

Received a similar but different e-mail from DHL “parcel.delivery@dhl.co” indicating their inability to deliver a parcel due to “mistake in address”, with a purported “delivery advice” attached to the e-mail. E-mail reference was “DHL delivery problem NR 76473”. Address on the e-mail was incorrect but went through the AOL system. AOL cannot explain why/how a message with an incorrect address got through. Attempted to open the attachment but was not successful. Reported the event to AOL with a Spam Report, which mysteriously deleted the entire message from my inbox. My spam report to AOL from within AOL mail was returned by the AOL Postmaster because of “address failure”.

I am not a techie so I do not know if I inadvertently obtained a virus by opening the email, although I do not think I was able to open the attachment. How do I know if I have a problem?

I am also concerned that the incorrectly addressed e-mail got through AOL to my inbox, therefore I have to presume that AOL filters are not protecting me.

Emmanuel Carabott, February 3, 2010 11:31 am

Hi Baughmansr, unfortunately this sounds exactly like the scam addressed above. Note that the number after NR is random. Hopefully the attached Trojan didn’t execute correctly, but it’s better to be sure. Please note that if nothing happened when you tried to open the attachment, it doesn’t mean that the attachment failed. Generally viruses/Trojans are silent in their execution; they try to make the victim think that nothing happened when in truth the system has been infected.

At this stage I would suggest you do a system scan using an antivirus solution. If you do not have an antivirus solution try using a free online scanner such as any one on this list: http://hubpages.com/hub/Top-Free-Online-Virus-Scan

If this was your home PC, some vendors offer a free antivirus solution as well: http://free.avg.com/ww-en/homepage

You might also be interested in the following article: http://www.gfi.com/blog/pc-virus/ which details how to check if your machine is infected or not.

If you need further information do not hesitate to post again.

j beaver, December 30, 2011 12:31 am

I have today (29/12/11) received an email from DHL Support with an attachment claiming to be a tracking number relating to a package they were about to deliver.

Joel, March 13, 2012 3:26 am

I’ve received two of these in the last few days, except from FedEx. They reference a “The package weight exceeds the allowable free-delivery limit.” (That’s the tease.) The next sentence says “You have to receive your packagen personally.” (Poor spelling.) Also, I noticed the absence of a FedEx trademark symbol. I’ve been told to only read these in the preview window to be completely safe.