Outbreak: Fake Fedex Tracking Number emails carry malware


Cybercriminals have spammed out a widespread email attack, distributing malware in messages pretending to come from Fedex.

The emails, which have subject lines beginning "Fedex Tracking number" followed by a random reference number, pretend to come from named personnel inside "Fedex Support" and claim that the company was unable to deliver a package on the 27th of July.

Malicious email, pretending to come from Fedex

Other emails being sent in the attack use a subject line of "Fedex Invoice copy" and "Fedex Item Status", both followed by a random reference number.

Unlike many of the other Fedex-related malware attacks we have seen in the past, the emails carry the message about the failed delivery in the form of an image rather than text - possibly in an attempt to defeat more rudimentary anti-spam filters.

Attached to the emails is a file called FEDEXInvoiceEE<random number>OP.zip, which Sophos detects as Troj/Invo-Zip. Inside the file is a Trojan horse called Troj/Mdrop-CVP, capable of infecting Windows computers.
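
As an added illustration (not Sophos's detection logic and not code from the original article), the indicators described above can be checked by a short Python mail-triage function. The sample messages, sender address, reference numbers, the assumption that the reference number contains digits, and the 40-character "image only" threshold are all constructed for the example.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Subject prefixes named in the article; the trailing digit requirement
# stands in for the "random reference number" (assumed numeric).
SUBJECT_RE = re.compile(
    r"^\s*fedex\s+(?:tracking number|invoice copy|item status)\b.*\d", re.I)
# Attachment name from the article: FEDEXInvoiceEE<random number>OP.zip
ATTACH_RE = re.compile(r"^FEDEXInvoiceEE\d+OP\.zip$", re.I)
MIN_TEXT = 40  # assumed cut-off below which the body counts as "image only"

def campaign_indicators(raw: bytes) -> list:
    """Return the article's indicators found in one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if SUBJECT_RE.search(str(msg.get("Subject", ""))):
        hits.append("subject")
    has_image, text_len = False, 0
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        ctype = part.get_content_type()
        if ATTACH_RE.match(name):
            hits.append("attachment-name")
        elif ctype.startswith("image/"):
            has_image = True
        elif ctype in ("text/plain", "text/html") and not name:
            text_len += len(part.get_content().strip())
    if has_image and text_len < MIN_TEXT:
        hits.append("image-only-body")
    return hits

def sample(subject, zip_name, body=""):
    """Build a constructed test message (no real malware, placeholder bytes)."""
    m = EmailMessage()
    m["From"] = "Fedex Support <support@example.invalid>"
    m["Subject"] = subject
    if body:
        m.set_content(body)
    m.add_attachment(b"constructed image bytes", maintype="image",
                     subtype="png", filename="notice.png")
    m.add_attachment(b"constructed zip bytes", maintype="application",
                     subtype="zip", filename=zip_name)
    return m.as_bytes()

if __name__ == "__main__":
    print(campaign_indicators(
        sample("Fedex Tracking number 7734-2291", "FEDEXInvoiceEE48213OP.zip")))
```

Any single indicator is weak on its own; the subject and attachment-name patterns together are what tie a message to this particular campaign.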

A quick glance in a sample of our spam traps reveals just how many messages we are intercepting in a matter of minutes:

Malicious Fedex-related emails

Of course, Fedex has no connection with this malware campaign, beyond having its brand name tarnished by the hacking gang.

Make sure that you, your friends and your colleagues are wise to scams like this - and don't make the mistake of clicking on suspicious attachments.


20 Responses to Outbreak: Fake Fedex Tracking Number emails carry malware

  1. Mensch · 671 days ago

    Exactly this has resumed as of December 22, 2012, in the USA.

    Thanks for the post.

  2. stacey · 659 days ago

    These are still going around. Got one of these today. January 3, 2013.

  3. I get a kick out of people on various sites saying 'how did they know I was expecting a package?'. It's like come on dummy, they sent out millions of these so I'm sure there were 1000's of people expecting at that time. LOL One person even said 'I'm an experienced user so I knew it was possibly a fake but then I accidentally clicked on it and I got infected.' hahahaha People kill me.

  4. Finky · 654 days ago

    Got one today, 1/9/2013. I suspected it was not actually from FedEx as scam claimed my package arrived at "the post office". FedEx does not deliver to the post office. The scam also instructed me to "go to the nearest office and show this receipt". Luckily, I figured it'd be a bad idea to click on the "GET & PRINT RECEIPT" box. I'd been shopping online quite a bit over the past month so I almost fell for it.

  5. Thomas · 648 days ago

    Yep, just got one as well on 1/15/13. The odd thing is there are no attachments or active links in my message.

  6. June · 647 days ago

    I received one today.

    Fed Ex

    Order: JN-3474-96336700
    Order Date: Thursday, 3 January 2013, 11:23 AM

    Dear Customer,

    Your parcel has arrived at the post office at January 6.Our courier was unable to deliver the parcel to you.

    To receive your parcel, please, go to the nearest office and show this receipt.

    GET & PRINT RECEIPT

    Best Regards, The FedEx Team.

  7. G00dman · 642 days ago

    Thanks for the information. I've just had the same message as June

  8. kmccoy7 · 640 days ago

    Here is my version (received today)

    Subject: Tracking Number (N)GHF30 360 360 8657 8657

    Priority: Normal Date: Wednesday, January 23, 2013 12:40 PM Size: 9 KB

    Fed Ex

    Order: SGH-6578-23967015
    Order Date: Thursday, 17 January 2013, 11:10 AM
    Dear Customer,

    Your parcel has arrived at the post office at January 21.Our courier was unable to deliver the parcel to you.

    To receive your parcel, please, go to the nearest office and show this receipt.

    GET & PRINT RECEIPT

    Best Regards, The FedEx Team.

  9. Don · 639 days ago

    Got the following today (1/23/13)

    From: Postal Service <AVW.084@elpaso.com>

    Subject: ID (x)XXX XXX XXXX XXXX
    *+++
    Fed Ex
    Order: SGH-xxxx-xxxxxxxx
    Order Date: Thursday, 17 January 2013, 11:10 AM
    Dear Customer,

    Your parcel has arrived at the post office at January 21.Our courier was unable to deliver the parcel to you.

    To receive your parcel, please, go to the nearest office and show this receipt.

    GET & PRINT RECEIPT

    Best Regards, The FedEx Team.

    Looks phony, but where would I go to check with Fedex...both numbers don't track, so probably a scam.

  10. InNZ · 634 days ago

    I got one yesterday and opened it! I know better but now live outside of the US and am expecting something (not sure what shipping method will be used) so fell for it. It isn't unusual to have to go to the post office to get a package, have done that before, but should have known better with FedEx. I did call them to verify that it is a scam. Good news is that I have a Mac -- am I protected or unknowingly spreading this virus? Can anyone tell me what the virus does once opened?

    Thank you!

  11. christine · 620 days ago

    I got two today but I was suspicious so I went and sought out this post. Thanks

    • Don · 615 days ago

      I got one today and opened the PRINT RECEIPT block on it because I was expecting a package via FedEx. I have Norton anti-virus protection on my PC and it neutralized it. I should have been more suspicious of the email since it said I was not home on February 14 at 06:30 PM when Fed-Ex tried to deliver it.
      I was not aware that Fed-Ex was being used for this purpose.

      I also have been noticing that I am receiving all kinds of fake messages wanting information from me. Those attempts ramped up a lot after I joined Facebook.

      Hope this information helps you

  12. mary detloff · 606 days ago

    I just got one of these today and I did print it and was going to go to the fedex office tomorrow wow..because I did have a package that could not be delivered but it was through the post office. Thanks for the info....

  13. Vincent Canna · 601 days ago

    OK, so I did receive one of these today and unfortunately I did open it. I've been expecting several deliveries and "assumed" this was legitimate. Anybody know what happens now? What benefit do the scammers derive from doing this? What can be done to avoid adverse effects?

  14. FCS · 598 days ago

    The first dead giveaway is that all the e-mails lack information, like my first and last name, addressing me only as "Dear Client". There is no mention of what company had sent the package. My spam protection automatically sends this stuff to the trash, but I check it every so often and found more than one notice waiting to explode on me...

  15. chris52 · 585 days ago

    My wife got 2 of these today. FORTUNATELY, we do not have a printer so just went on the fed ex website and typed in the number. No package was recorded under this number, so we googled it and found this. What exactly happens if this link is opened?

  16. Wendie · 583 days ago

    I received one of these in my email today. I did not open the attachment because I knew I was not expecting anything by Fedex. What I understand it's malware and do not open these, delete!

  17. Andi · 573 days ago

    Got one today 3/31/13 Did not open ..... it's all fake, don't fall for it.

  18. Anonymous · 314 days ago

    Thank you. I just had three emails from Fake FedEx this week in December 2013

About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.