Not Fedex - Malware attack; Spamming with fake receipt

Written by Bob "Wiz" Feinberg - Wiz's Blog

I want to alert my readers to a spam run I saw over the last couple of days and also explain what the purpose of the scam really is. This is a new variation of a long-running scam spoofing both your Post Office and a major brand courier service, leading directly to a malware attack.

This particular variant may well become the template for ongoing spam campaigns, if the success rate is high enough. Right now, 'tis the season to receive gifts and the bait in this email scam may well trap a lot of eager folks who just may be waiting for a promised delivery of a present or online purchase.

It starts with a message claiming to be from either "Worldwide Express Mail," or "Shipping Service," or "Postal Service," with an incomprehensible "tracking" or ID number as the subject. Most have this body text, or something almost the same as this:

Your parcel has arrived at the post office at December 20.Our courier
was unable to deliver the parcel to you.

To receive a parcel, please, go to the nearest our office and show
this receipt.

DOWNLOAD POSTAL RECEIPT

Best Regards, The FedEx Team.

Here is where wisdom and suspicion are your best friends. The message text contains horrible grammar, and both a reference to a "POSTAL RECEIPT" and to "FedEx." I hope that most of you are aware that FedEx is a courier service and is NOT associated with the "Postal Service," nor do they issue "Postal Receipts." You Country's official Postal Service does that. Yet, almost every email courier scam I have seen over the last year confuses at least two, if not three services: the US Postal Service (USPS), FedEx (a private company) and UPS (United Parcel Service).

If you receive one of these failed delivery scams and you see any sign of confusion about who was supposedly delivering the package, usually accompanied by bad grammar and sentence structure, delete it immediately.

So, if this is a scam, what is the payload and what is its purpose?

In some of the courier scams you are presented with an attachment (attached file). In others you are given a clickable link. Both of these methods are used to deliver malicious executables to your computer. But, in these current scams there is a link that downloads what would usually be an attached "Zipfile," which contains a concealed executable with the same name as the Zip file. In the current scam, the carrier file is named: "PostalReceipt.zip" and the unzipped executable payload is named "PostalReceipt.exe."

These files are not hosted by the Post Office, Postal Service, FedEx, or UPS, but are hosted on infected computers. Their job is to present you with a pop-up download box, offering the options to Open/Run or Save the Zip file. The payload is disguised as a printable receipt that one needs to claim their undelivered package, so it is understandable that many unwary people might choose to open or run that file.

What is inside PostalReceipt.zip and PostalReceipt.exe?

The Win32/Kuluoz.B Backdoor Downloader Trojan.

Once activated, this malware silently proceeds to download other malware, such as bank account stealing Trojans, or fake anti-virus, like the current crop of rogues called "Microsoft Antivirus 2013." This malware begins to scan your computer and displays an alarming number of fake detections of bad software, then tries to scam you into paying about a hundred bucks to remove the alleged threats. Other payloads may be a type of malware that locks your PC until you pay a (Police, FBI, etc.) ransom, which they call a "Fine."

If you read this before you encounter one of these scams, you will save yourself the trouble or expense of disinfecting your computers. If you fall for one that delivers a banking Trojan, you may not have any money left in your bank account to pay anybody to disinfect the PC!

These threats morph every few days, or on a weekly basis, as does the file names in the attachments, or at the end of poisoned links. Don't assume that your anti-virus already knows about these new files. It may or may not. It really takes about a day before all of the major anti-malware companies identify these variants and push out definitions to block them. You are the first line of defense! Stay alert now and forever! The bad guys really are out to get us. Chance favors the prepared mind.

If you did click on a poisoned link, you need to disinfect your computer. Here are some options for you to employ:

• Trend Micro Titanium (AntiVirus+, Internet Security, Maximum Security, Premium Security, etc)
• Malwarebytes' Anti-Malware (MBAM)
• Norton 360 all-in-one security
• Microsoft Safety Scanner (download and use offline)
• Trend Micro Housecall online or offline scanner
• Kaspersky Security Scan

Have a safe, virus-free and very Merry Christmas!