Wednesday, March 16, 2011

FedEx notification #85645


You might have read my previous blog post:

This time FedEx is the subject of a new and highly active spam campaign.

I received different emails, all containing a notification that I can find more information about my package in the attachment. The subject of one of these emails was "FedEx notification #85645".

They all have a different tracking number after the #, but the content is always exactly the same:

Dear customer.

The parcel was sent your home address.
And it will arrive within 7 business day.

More information and the tracking number are attached in document below.

Thank you. © FedEx 1995-2011

In all of these spam emails, you will find an attachment, which can be called FedEx letter.zip, FedEx notice.zip or document.zip.


Document.exe attached to email


Just as in the UPS spam campaign, an Adobe Acrobat icon is again used to trick you. In fact, this "Document" file is not a PDF file but an executable which can infect your computer.


Document.exe
Result: 15/43 (34.9%)
MD5: 09410950dd80df3083ae87cf839643e2


FedEx notice.exe
Result: 31/43 (72.1%)
MD5: 5fe59b88e60f000c7e437518cc6a6cfe
ThreatExpert


So far, the subject of these FedEx emails varies between these 3:

FedEx notification #[random number]
FedEx Reminder – Invoice [random number]
FedEx ticket #[random number]
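
As an added example (not code from the original post), the following Python code flags messages of the kind described above: a subject matching one of the three templates, and a ZIP attachment holding a Windows executable, recognised by its `MZ` header or `.exe` extension rather than by its icon. The function names and the sample message are constructed for illustration; the sample attachment is a harmless stub.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# The three subject templates listed in the post; the trailing number is random.
SUBJECT_RE = re.compile(
    r"^FedEx (notification #|Reminder [-\u2013] Invoice |ticket #)\d+$", re.I)

def executables_in_zip(data):
    """Names of ZIP members that are Windows executables (magic bytes or extension)."""
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                with zf.open(info) as member:
                    head = member.read(2)  # read the header only, never extract to disk
                if head == b"MZ" or info.filename.lower().endswith(".exe"):
                    hits.append(info.filename)
    except (zipfile.BadZipFile, RuntimeError):  # corrupt or password-protected archive
        pass
    return hits

def inspect_message(raw):
    """Return (subject_matches, [(attachment_name, [executable members])])."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject_hit = bool(SUBJECT_RE.match(str(msg["Subject"] or "").strip()))
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(".zip"):
            exes = executables_in_zip(part.get_content())
            if exes:
                findings.append((name, exes))
    return subject_hit, findings

def build_sample():
    """Constructed sample message: the 'executable' is a harmless MZ stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Document.exe", b"MZ" + b"\x00" * 62)
    msg = EmailMessage()
    msg["Subject"] = "FedEx notification #85645"
    msg.set_content("Dear customer.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="FedEx notice.zip")
    return msg.as_bytes()
```

Calling `inspect_message(build_sample())` reports both the subject match and the executable inside the archive; a mail gateway rule would typically quarantine on the attachment finding alone, since the subject templates change between campaigns.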



Conclusion

You should never trust an email which has:

- only a URL included in the message
- an attachment that you need to open to view 'information'
- crappy spelling and grammar if there is content in the message
- been sent out to everyone in the sender's address book
- been sent from an unknown sender
- promises you can buy something for a very cheap price
- no subject or a strange subject (e.g. "0 enjoy yourself")

Never reply to this kind of email, but delete it immediately without opening it.

If you have (unintentionally) downloaded a program and you are unsure about its intentions, you can always upload it to VirusTotal or other online virus scanners (VirScan, Jotti). Keep in mind that if a file is not detected by any engine, it is not necessarily clean!