Wednesday, March 16, 2011

FedEx notification #85645


You might have read my previous blog post:

This time, FedEx is the subject of a new and highly active spam campaign.

I received several emails, all notifying me that I can find more information about my package in the attachment. The subject of one of these mails was "FedEx notification #85645".

They all have a different tracking number after the #, but the content is always exactly the same:

Dear customer.

The parcel was sent your home address.
And it will arrive within 7 business day.

More information and the tracking number are attached in document below.

Thank you. © FedEx 1995-2011

In all of these spam emails, you will find an attachment, which can be called FedEx letter.zip, FedEx notice.zip or document.zip.


Document.exe attached to email


Just like in the UPS spam campaign, an Adobe Acrobat icon is used again to trick you. In fact, this "Document" file is not a PDF file, but an executable which can infect your computer.


Document.exe
Result: 15/43 (34.9%)
MD5: 09410950dd80df3083ae87cf839643e2


FedEx notice.exe
Result: 31/43 (72.1%)
MD5: 5fe59b88e60f000c7e437518cc6a6cfe
ThreatExpert


So far, the subject of these FedEx emails varies between these 3:

FedEx notification #[random number]
FedEx Reminder – Invoice [random number]
FedEx ticket #[random number]
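
The traits described above (the three subject formats and a ZIP attachment that holds an executable) can be checked mechanically when triaging a mailbox. The following Python code is an added example, not part of the original post; the extension list, the function names and the sample message are assumptions constructed for illustration.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Subject formats listed in the post; "[random number]" is modelled as \d+.
SUBJECT_RE = re.compile(
    r"^FedEx (notification #|Reminder [–-] Invoice |ticket #)\d+$", re.I)
EXEC_EXT = (".exe", ".scr", ".pif", ".com")  # assumed set of risky extensions

def zip_executables(data: bytes) -> list:
    """Names of ZIP members that are executables by extension or 'MZ' magic."""
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                name = info.filename
                if name.lower().endswith(EXEC_EXT) or zf.open(info).read(2) == b"MZ":
                    hits.append(name)
    except (zipfile.BadZipFile, RuntimeError):
        pass  # not a ZIP, or an encrypted member: keep what was found so far
    return hits

def scan(raw: bytes) -> dict:
    """Check one raw message against the campaign traits described above."""
    msg = message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if fname.lower().endswith(".zip"):
            data = part.get_payload(decode=True) or b""
            found += [f"{fname}!{m}" for m in zip_executables(data)]
    return {"subject_match": bool(SUBJECT_RE.match(str(msg["Subject"] or ""))),
            "executables": found}

def build_sample() -> bytes:
    """Constructed test message; the 'exe' is 64 harmless placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Document.exe", b"MZ" + b"\x00" * 62)
    msg = EmailMessage()
    msg["Subject"] = "FedEx notification #85645"
    msg.set_content("More information and the tracking number are attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="FedEx notice.zip")
    return msg.as_bytes()
```

Calling `scan(build_sample())` reports a subject match and lists `FedEx notice.zip!Document.exe`; the `MZ` check also flags an executable that has been renamed to a harmless-looking extension inside the archive.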



Conclusion

You should never trust an email which:

- contains only a URL in the message
- has an attachment that you need to open to view 'information'
- has crappy spelling and grammar, if there is content in the message
- has been sent out to everyone in the sender's address book
- has been sent from an unknown sender
- promises you can buy something for a very cheap price
- has no subject or a strange subject (e.g. "0 enjoy yourself")

Never reply to this kind of email, but delete it immediately without opening it.

If you have (unintentionally) downloaded a program and you are unsure about its intentions, you can always upload it to VirusTotal or other online virus scanners (VirScan, Jotti). Keep in mind that if a file is not detected by any engine, it is not necessarily clean!

22 comments:

  1. Nice article Blaze!

  2. I was dumb and did open this file. My computer is acting up but only on the main user. When I log into another user the computer does not flash that my computer is infected and I can run anti virus programs. On my main user the virus won't even let me open any of the anti virus programs I downloaded. What should I do?

  3. Hi Anonymous,

    Follow this guide to boot your computer into safe mode:
    http://www.bleepingcomputer.com/tutorials/tutorial61.html#intro

    Now download Malwarebytes, update and perform a quick scan. This should do the trick.

    Regards

  4. Google is doing that to sell anti virus software: first they infect your computer, then they clean it up and you buy their software.

  5. It is from Telecomitalia not from Google. They are angry at Skype and Messenger users - losing a lot of money if you are not talking by phone...

  6. Subject: FedEx notice

    Attachment: FedExpress.zip

    Email Body:
    Dear customer.

    The parcel was sent your home address.
    And it will arrive within 7 business day.

    More information and the tracking number are attached in document below.

    Thank you.
    © FedEx 1995-2011

    I have been receiving the above email for the last couple of days on my Yahoo. It automatically goes into the Spam Mail. The first time I received it, I was almost duped as I was expecting a package through FedEx. What kept me from believing it though was because 1. I gave my work address and 2. It was sent to me and a bunch of other people. For this reason, be careful.

  7. I doubt Telecomitalia or Google are behind these attacks.

    @Anonymous, March 20, 2011 2:19 PM:
    Luckily you did not open the attachment, glad to be of help :) !

  8. I also have this email, I removed it, thank you!!

  9. Thank you for your help, I will keep the prevention tips in mind.

    Ben.

  10. Thank you for your information :)

  11. I get 6 or more of these every day.

  12. You're welcome everyone.

    @Anonymous, April 5, 2011 4:33 PM :

    If you want, you can always forward me these emails. You may send them to:
    bartblaze[at]gmail[dot]com

    Cheers.

  13. Late night and sleepy, I got zapped with it. Now I can't get online. What to do to normalize my PC?

  14. Hi Edward,

    Follow this guide to boot your computer into safe mode:
    http://www.bleepingcomputer.com/tutorials/tutorial61.html#intro

    Now download Malwarebytes, update and perform a quick scan. This should do the trick.

    Best Regards

  15. Thanks for your post !

  16. I get about one message every day. In the last three days, I received messages from these IP addresses:

    X-Originating-IP: [89.28.72.101]
    X-Originating-IP: [190.167.72.19]
    X-Originating-IP: [189.54.237.115]

    One of the zip files I checked has an infected exe. Malwarebytes reports it as Trojan.Email.Gen. If you browse the file in Windows Explorer, it will look like a PDF document.

    I'd like to stop these spammers. I tried reporting older messages to the ISP responsible for each originating IP address in the messages, but I still get these messages.

  17. Hi Anonymous,

    Thanks for sharing. Unfortunately, it is not that easy to stop those spammers.

    It also depends on your email-provider. For example, if it's Hotmail, you can click on it and mark as SPAM. This will help in improving the SmartScreen filter.

    Regards.

  18. Domestic shipping used to be simple. Weigh the package, look up the zone, look up the charges, and hand the parcel to the pick up driver.

  19. There's a lot of spam mails coming every day, but I am now much more aware not to even open them, or worse, click anything inside them. I was a victim before of an attachment; it really infected my computer, so be careful in opening spam mails when you don't recognize the sender. That's what I am doing to avoid it happening again.

  20. Well, this is the first time I've been caught by one of these spam emails. I've just had several genuine emails from FedEx this week regarding a delivery, so despite it looking a bit odd I still clicked on the attachment. Next time I'll resist and do some Googling first. Thanks to this blog I'm a bit wiser now. Fortunately the free virus protection I recently installed, 'Microsoft Security Essentials', picked up on the dubious attachment and told me it was deleting it.

  21. Hi Anonymous,

    Happy to hear MSE caught the attachment.

    In case of doubt, I always advise to send in the attachment to www.virustotal.com to be sure that it does not contain malware.

  22. Good to see such kind of post! I like it
