Outbreak: United Parcel Service notification malware attack spammed out

Filed Under: Malware, Spam

Cybercriminals are attempting to infect computers around the world, disguising their attack as an email claiming to come from United Parcel Service about a parcel delivery.

But this time they're not using words, they're using an embedded image to trick you into clicking on the link.

Here's what a typical malicious email being used in this malware campaign looks like:

[Image: United Parcel Service notification malicious email]

Subject: United Parcel Service notification #<random number>

Attached file: USPS_Document.zip

Message body:
Dear customer.

The parcel was sent to your home address.
And it will arrive within 3 business days.

More information and the tracking number are attached in the document below.

Thank you.
United Parcel Service.

Copyright (c) 1994-2011 United Parcel Service of America, Inc. All rights reserved.

As you can see, it looks pretty professional, which may well fool more people into believing it is genuine.

What's interesting is that there is no actual text inside the email's message body. Instead, it consists solely of an image, presumably with the intention of slipping past the more rudimentary anti-spam filters.

Attached to the email is a file called USPS_Document.zip, which contains the malware attack. Sophos detects the ZIP file proactively as Mal/BredoZp-B and the enclosed file as the Troj/Agent-QGH Trojan horse.

The malware is only capable of infecting computers running Windows.
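
The traits described above (a body that is only an image, a ZIP attachment enclosing a Windows executable, and a United Parcel Service subject paired with a USPS file name) can be checked at a mail gateway. The following Python is an added example, not Sophos code; the sample message, its subject number, the addresses and the archive member name `USPS_Document.pdf.exe` are constructed for illustration.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# File types Windows runs directly on double-click (assumed list, extend as needed).
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")
IMAGE_ONLY_HTML = '<html><body><img src="cid:body-image"></body></html>'


def zip_executables(data):
    """Return the names of executable members inside ZIP bytes."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_EXTS)]
    except zipfile.BadZipFile:
        return []  # not a readable archive; leave it to other scanners


def analyse(raw):
    """Return a list of findings for one raw message (bytes)."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").lower()
    images, text_chars, findings = 0, 0, []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        filename = part.get_filename() or ""
        if ctype.startswith("image/"):
            images += 1
        elif ctype in ("text/plain", "text/html") and not filename:
            # Strip tags so an HTML part holding only <img> counts as empty.
            text_chars += len(re.sub(r"<[^>]+>", "", part.get_content()).strip())
        elif filename.lower().endswith(".zip"):
            for name in zip_executables(part.get_payload(decode=True) or b""):
                findings.append(f"executable in archive: {filename} -> {name}")
            if "united parcel service" in subject and "usps" in filename.lower():
                findings.append("brand mismatch: UPS subject, USPS attachment name")
    if images and text_chars == 0:
        findings.append("image-only body: no readable text part")
    return findings


def build_sample(member="USPS_Document.pdf.exe", html=IMAGE_ONLY_HTML,
                 zip_name="USPS_Document.zip"):
    """Build a constructed test message; the payload is inert placeholder bytes."""
    msg = EmailMessage()
    msg["Subject"] = "United Parcel Service notification #12345"
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg.set_content(html, subtype="html")
    msg.add_related(b"constructed placeholder image bytes",
                    maintype="image", subtype="png", cid="<body-image>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"constructed placeholder, not a program")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=zip_name)
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in analyse(build_sample()):
        print(finding)
```

Any one finding is a reason to quarantine rather than deliver; a message with ordinary body text and an archive holding no executable returns an empty list.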

If you are one of the many people seeing this malware attack in your email this morning, please do not click on the attachment even if you are waiting for a package to be delivered. Instead, simply delete the email and your computer will be safe.

This latest attack follows hard on the heels of another widespread assault on users' inboxes which began to strike earlier this week, posing as a message from Post Express Service.


79 Responses to Outbreak: United Parcel Service notification malware attack spammed out

  1. Odean Hoss · 1357 days ago

    And no recommendations for those folks that have, or know someone that has clicked on this link BEFORE reading your post? I would think you could provide some help in this regard, other than just an advisory to "simply delete the e-mail.....". I wouldn't have an issue with this thanks to my system preventing it, but there are those that could use some help. (Might even create some clicks for you) ;-)

    Just a thought. Thanks.

    • Glad to hear that you didn't have any problems with it.

      If anyone did make the mistake of opening and running the malware then they should see if their anti-virus software can help them out of the hole. If it struggles to sort them out then that's the right time to call your anti-virus vendor's tech support line. After all, that's what you pay 'em for, right? :)

      • Odean Hoss · 1357 days ago

        Hi Graham, and thanks for the reply. I would guess you're right, IF I paid for my anti-virus. As I use MSE, I don't pay for it. And it works wonderfully for me and my set-up. However, my original point, aside that, is that IF it got through, the article doesn't mention what one would do in that case.

        I just like seeing the "what-ifs" in those situations, because when I share these nasty little stories on my Facebook wall, I don't want to have people asking me extra questions about them. So, I guess it boils down to, I'd rather have YOU type out what should be done, rather than ME have to do it! LOL Sorry. But thanks again. :-D

    • AntC · 1310 days ago

      Hi

      I just got 2 of these emails in my yahoo email account, however my attached file is called upsnotify.rar.

  2. why do people do this, what is there to gain from destroying other peoples computers. is it personal information, is it money, or is it just because they like to see people scrim. this is just not right.

    • farmerjim · 1352 days ago

      In the last 24hrs, have received four email msgs with "United Parcel Service notification" plus a notification # as the msg subject. Each had a different notification #, each contains a file titled "(USPS_Document.zip) 30 KB " note all were of the same size and also note the USPS label, not UPS as given in subject. These are two different organizations. What's the implication? Where, who do I refer these to help in identifying the attachment as a problem, whether each are the same or not and its various promoters? Anyone else keeping track of these, the apparent sources or the notification #'s? Thanks.

  3. Paul · 1336 days ago

    Hi,

    I got that email, and DID click on the email to open up the message, but I DID NOT click on the attachment. Do I have any reason to be concerned?

  4. Bryan · 1336 days ago

    I stupidly opened it, but I have a Mac. Do I have anything to worry about out? And if so, what can I do?

  5. Donny · 1330 days ago

    Hi, i clicked on the zip file in the email. Once it was downloaded, my spiders sensors went so I didn't open the downloaded file. It has been deleted now, but am I in danger.

    Currently virus protection is very old. thanks

  6. JJM · 1326 days ago

    hi i also received this email but unfortunately i am expecting a package so i downloaded it and i open it now i can't use my laptop for having that malware any advice folks? i cant open any software in my laptop ,it advice that i need to buy their protection arrghh im so stupid

    • Laurie · 1306 days ago

      I'm surprised your virus protection didn't pick it up! I too am expecting a package and stupidly clicked on the link. My virus program took care of it immediately. Computer is fine.. I'm sorry =( that sucks

      • Jag · 1301 days ago

        Please tell me which virus program you have that successfully protected you. I have AVG & it did not protect me.

    • Binh · 1305 days ago

      I would check malwarebytes website to see if they have any solutions. You can go through the suggested steps to remove. But for me personally, I would do a reformat because I get extremely paranoid.

    • David Tan · 1302 days ago

      I went through the same predicament and was unable to open applications including the anti-virus software. The malware also alters your desktop.

      What fixed the problem for me was going into safe mode then restoring the system and choosing a restore point earlier than the date I opened the attachment.

      Hope it works for you too...

  7. khscottieboy · 1311 days ago

    I got this email today, and was not aware of this virus threat. I only opened the email, but not the file. I receive a UPS package this morning, and I thought it was telling me it arrived. Glad I ignored the attached file.

    • Victor · 1302 days ago

      So this is interesting: I also have been expecting some shipping from Costco and have been email them back and forth about it. As soon as they announced the item was shipped, I received this notification... Almost the same thing happened about 6 months ago...

  8. Gemz · 1311 days ago

    lol, I just got this email and was badly fooled, I really thought the pdf was a real pdf until I realized its an application but it was too late, the virus a.k.a system tools spammed my computer of fake anti-virus forcing me to download their fake product for a fake infections, until such time these tools (rkill and mbam) killed these virus neatly, and I arrived to this post late lol, anyway lesson learn, try searching over the net and check the legitimacy of the mail.

  9. Rose · 1310 days ago

    I did open the email because I was expect a UPS package. I clicked on the attachment and my computer got infected.

    Could not open any application after that....anti-virus will not work.

    I shut down the computer and followed the following:

    see link - http://support.microsoft.com/kb/304449

    How to start System Restore by using the Command prompt

    Important If you have not previously set a restore point in System Restore, you cannot restore your computer to a previous state. If you are not sure, or if you have not previously set a restore point, contact Support.

    To start System Restore using the Command prompt, follow these steps:
    Restart your computer, and then press and hold F8 during the initial startup to start your computer in safe mode with a Command prompt.

    Use the arrow keys to select the Safe mode with a Command prompt option.
    If you are prompted to select an operating system, use the arrow keys to select the appropriate operating system for your computer, and then press ENTER.

    Log on as an administrator or with an account that has administrator credentials.
    At the command prompt, type %systemroot%\system32\restore\rstrui.exe, and then press ENTER.

    Follow the instructions that appear on the screen to restore your computer to a functional state.

    .......this worked for me ref: http://support.microsoft.com/kb/304449

  10. the dealmaster · 1310 days ago

    First, I would recommend downloading malwarebytes. It is a great product and has saved my bacon before.. If you are already infected disconnect from the internet and use another computer to download to a thumb drive and try running it from that. If that fixes it, then go back online.
    But the best thing always is maintaining awareness: if the grammar is hinky, spelling and punctuation is bad, those are BIG red flags. Furthermore, in this particular case you have to think how "they" got your email address. In my experience I don't ever recall providing my addy for shipping updates. Usually a tracking number is provided from whatever site I buy from and I track the package myself. I have never gotten updates unsolicited.

    Once again, always look for bad grammar. This is the email I just got minutes ago and that is what prompted me to google "United Parcel Service notification" and got here.
    ==============================================
    Dear customer.

    The parcel was sent your home address. (<=== huh??)
    And it will arrive within 7 business day. (<=== not days??)

    More information and the tracking number are attached in document below.

    Thank you.
    © 1994-2011 United Parcel Service of America, Inc.
    ==============================================

    (my note.......as it happens the attachment is a rar (zip) file
    Reply to:"United Parcel Service" <infojs@ups.com>
    UPSnotify.rar (5.7 KB) Download | Remove
    plus, the return email address looks legit but that's easy to fake)

  11. Amber · 1309 days ago

    I opened the file and was in the process of downloading but didn't run the file? Will my computer be ok?

  12. Emily · 1309 days ago

    I received this, and opened it because I was expecting a package. It crashed my computer and destroyed my nortons?!?!?!?! What a pain! I am still receiving these emails constantly also.

  13. Miranda · 1309 days ago

    I just received this! opened the e-mail, though it looked suspicious so didn't open the attachment and googled it ... to see that yes it is a scam, virus , thing! Phew!

  14. Pao · 1309 days ago

    If you notice the file after u download it, its very malicious so i didnt open it . more like a virus to me.. I received tons of that.. Just ignore it.

  15. Brad · 1309 days ago

    Any way to fix this after you made the unfortunate mistake of opening the email and getting the computer infected?

    thumbdrives don't work. can't download any anti-spywares. anybody have any luck?

  16. pet · 1309 days ago

    Received the email an hour ago.Thanks to my computer that is protected.Otherwise I could be regretting.

  17. Barb Sproveri · 1309 days ago

    I received it both at work and at home. my attached said it was UPSnotify(rar). I didn't open the attachment and we have Norton on both systems so we are okay.

  18. mare09 · 1309 days ago

    follow the directions above for using your computer on safe mode, then download Malware bytes (free) from another pc and run it, that takes care of it. good luck

  19. McAfee saved my cpu. It told me that the email had a virus and it would not download it.

  20. Pete · 1308 days ago

    I use avast, and it neatly prevented any downloading of the file. Neat!

  21. Kamoe · 1307 days ago

    I received a similar UPS message in my email yesterday, and luckily I knew not to open it. What gets me though is that I rarely order anything online, and the very day after I did, a spam UPS message shows up.

    Is it just a coincidence, or is there something happening to generate a spam message from an actual order? Certainly makes me wonder!!

  22. maytham · 1307 days ago

    i received an email that there is a barcel sending to me .
    i downloaded it but it is not opened .i dont know if there is a risk on my computer
    thank you

  23. mpg · 1307 days ago

    my free Avast scanner found nothing and i did click on it. this Malwarebytes found 2 infections so far, so its better.

  24. mpg · 1307 days ago

    i take that back... my Avast was in silent/gaming mode... it DID find 20 infections which i found in the vault.

  25. guest · 1307 days ago

    I have been getting this in my spam folder for weeks now, up to 5 or 6 in a day... just keep deleting

  26. bkmurthy · 1307 days ago

    My computer (WINXP-SP3) got infected after I clicked the application. Avast free could not detect it. I downloaded SUPERAntiSpyware on a USB drive using another computer and installed it. It was able to remove the infection.

  27. buddyraymundo · 1307 days ago

    SOLUTION TO THIS PROBLEM: Hey guys! today I have received same email and yes I opened the zip folder and very stupid of me I also opened the PDF file inside, suddenly I received virus notification in my monitor being scanned by "VISTA HOME SECURITY" and asking me purchase on line in order to remove the virus. This Vista Home Security is the true virus intended to get the information about your credit card. What I did is use another computer to download Malwarebytes and rename it with other name in order for the virus not to recognize and block it, then I restarted my affected computer then during the opening stage Ive press Ctrl Alt Del to open the task manager. Insert the USB with the renamed malwarebytes and click the end process for the Vista Home Security each time it Autorun and block the installation of Malwarebytes. Run the malwarebytes and delete all affected files then everything will be ok!!!

  28. Mindy H. · 1307 days ago

    I got that email this morning. My husband is deployed and I initially thought he had ordered something online and sent it home because he couldn't get it at an APO address. Luckily I googled it first. Most tracking e-mails have the information right there in text, not an attachment.

  29. None · 1306 days ago

    I dont see why the person who posted this information in the first place blocked out the email it came from!!!!
    Trying to protect the idiots? At least if the original email was posted we could give them a taste of their own medicine and spam the back......or......reply and say in the body - "I've attached my social security number and bank information - please open...LOL

    I NEVER open emails from those I do not know and ALWAYS block them. Yahoo mail has crappy SPAM features...but hey - guess you get what you pay for (free).

    Sign me,
    Not so gullible

    • Helper · 1227 days ago

      I always send the Nigerian scammers and identity thiefs the name and phone numbers to the secret service personnel which deals with such scams. *LOL*

  30. Ragu · 1306 days ago

    I too received the mail and downloaded the RAR and trying to see the contents, but Kaspersky Antivirus warned me in several stages, then finally I didn't open and simply I deleted.

  31. guest · 1306 days ago

    I was expecting a parcel but i must have been asleep as i opened the first one. Luckily i have Comodo on my system and it stopped it dead. "A" i did not see it was an exe file and "B" the email was not even addressed to me. Yahoo have been sending me emails addressed to other people for some time now!!. I had a look at it on my Linux system it can't do any harm there. I Googled ups and came up here so now i know what's going on.

  32. Guest · 1305 days ago

    I have received this email twice now in the last few weeks. I'm in Australia and I knew I hadn't ordered any over seas products so found this quite strange. So when I got the second one I was curious to open it but decided to do a search first..thankyou SOPHOS!

  33. Chris · 1305 days ago

    Just got this email. People should be more aware :)

    I saw that this email was sent to me and a bunch of other people, now why would they send tracking info to 30 people? :/

  34. Abigail · 1305 days ago

    I received this same message this morning. I clicked it the attachment since I'm curious about it not knowing that its a virus. Fortunately, my virus scanner is still working and it prevented the virus from infecting my computer.

    I checked my spam folder and saw the same message again and tried to search for this message on google....

  35. Sylvia · 1305 days ago

    I just received this email; I am from the Netherlands! I am really glad that i 'googled' the note 'United Parcel Service Notification' and was warned. Thank you!
    By the way: there was no picture in the mail, but all those other things were the same. Watch out!

  36. omiroshn · 1305 days ago

    I got this email today 3/28 and I just received a UPS package maybe a day before that. My first thought was that it was a "delayed" notification about my package, but it kind of looked suspicious to me. So I googled "united parcel service notification" and saw a link to this thread right away. Thank you for posting! I may not be aware of an issue, but I always "google" before I proceed.
    Thank you!

  37. John H · 1304 days ago

    I`ve just received this email and being the suspicious person that I am alarm bells rang right away. I instantly deleted it, not only because it did not look right. But because I never use this courier. I only ever use one courier (which will remain nameless).
    It`s not rocket science...........if you do not recognise or suspect the email is malware, don`t open it. Instead, do a google and check out the sender.

  38. matutina · 1304 days ago

    Thanks for this post! Everyday I receive that email from United Parcel and I knew that it has a virus attachment. In the first place why would they send me a notification when I'm not expecting a parcel.

  39. Guest · 1304 days ago

    I just received the e-mail this morning. I knew something was weird immediately, since I have never had to open an attachment to view a tracking # before. Plus, I was not expecting any packages. I always save attachments to my computer before I open them, which I did with this one. Something kept telling me not to open the zip file. I kept asking myself "Why would UPS send a zip file just to view a tracking #"??? I checked this website, and found out it was a virus. I then immediately deleted the file, and e-mail. So far no problems! Thanks for the info, and saving me a major headache!!!

  40. Kristy · 1304 days ago

    I personally did order something off a website, and I got an email from UPS notifying me my package is coming. I didn't click on the image because I trusted the UPS to deliver my item and they did a few days later. Though, I can't remember if UPS did deliver or if it was just ground mail through USPS. Anyway, then I got two more emails. I know I ordered just one item, so I wasn't expecting anything else. I Googled and found this page.

    I found it interesting that many other people also got the emails after ordering something online. Makes me think perhaps the servers where we ordered something were hit with the virus. So, we all should contact the sellers and let them know.

    • Paul Ducklin · 1303 days ago

      In this case, the most likely reason you got the scam emails after ordering something is coincidence - the scammers send out so many emails that they're bound to get lucky some of the time. (Don't forget that most people who receive this stuff _haven't_ ordered something.)

      I discuss this in the following video: http://nakedsecurity.sophos.com/2011/03/11/malwar...

  41. marios · 1303 days ago

    as soon as i saw the email i just googled the subject. Top result brought me here.
    seriously ups wouldn't contact you like that, i mean with an attachment.

    mine had a typo as well:p
    "The parcel was sent your home address."

  42. julie Dean. uk . · 1303 days ago

    just had it too ,what a stupid thing to do .haven't opened it though thank goodness.

  43. schum · 1303 days ago

    i have received this email. thankfully my anti-virus in yahoo mail told me that the mail contains a virus. wew!

  44. Undertuned · 1303 days ago

    You gotta love Gmail :-) I got this mail instead:

    Gmail Team
    to me

    show details 1:19 PM (3 hours ago)

    The message "United Parcel Service notification 98886" from United Parcel Service (upder3@ups.com) contained a virus or a suspicious attachment. It was therefore not fetched from your account xxx@xxx.xxx and has been left on the server.

    If you wish to write to United, just hit reply and send United a message.

    Thanks,

    The Gmail Team

  45. Guest · 1302 days ago

    I have received the message twice, with different delivery dates (first 1 week and then 3 days). Naturally, I had it in quarantine just in case. This information on the website is very useful.

  46. Claire · 1302 days ago

    I received this email and absentmindedly clicked on it, thinking it was about the package I am expecting this week. I didn't stop to think until I clicked download, but suspicion hit me before I unzipped the file. I'm still going to run a scan, do I need to worry if I never unzipped it?

  47. arron · 1302 days ago

    i just got one and i will let you know now if you have google chrome web browser then it will not let you download the .zip file

  48. Marvin91 · 1301 days ago

    I also receive that email. I try to download it TWICE n , thank God My antivirus told me that there's unknown virus in it. Then I searched what is United Parcel in google, I found this link very helpful. ANyway, thanks a lot.. Peace

  49. i also got the email. thank God i didnt click on it .

  50. nik · 1300 days ago

    i also got the email thank god you guys are here!! i thought i scored a free package!!!...lucky i looked it up on the net ..gotta love the net..thanks..people..

  51. alex · 1299 days ago

    I also got the same mail several times, but i saw in attachment an autoexe zip file, so I just deleted it. Nobody get your home address . they can just say we have an package for you but we dont had your address until now ????? so we will send to you a zip file?????????????? to let you know.
    But I was curious about what UPS is, and found you.
    thanks guys

    so watch out the topic , its the best antivirus protection

  52. Diane Morissette · 1296 days ago

    I received 5 emails on the 30th and 31st of last month from UPS, same trial...

    A 6th one was sent from DHL, today, the 5th of april.

  53. guest · 1294 days ago

    Received it in a barely used email account. Only used lately for emails to 'Fedex' and 'buydig'. Received within days of ordering online!

  54. Sebastian Onuzulike · 1284 days ago

    I got United Parcel Service Notification No.#677537741 but the Parcel was not delivered, i try to track down the parcel all prove abortive. is it real?

    Thanks

  55. i got mine today but the attachment is named "document.exe" which is quite obvious and i checked the ups.com site and entered the tracking number and it showed nothing, even the tracking number format is different.

  56. Deb · 1243 days ago

    I was expecting a package, and it being late I fell for it. Arrrg! Does it affect an Android?

  57. Mike L. · 1241 days ago

    There is also one for Fed Ex, too. So be weary! Simple rule of thumb...if it's in your Spam file don't open it! Be safe!

  58. Noel · 1227 days ago

    I opened the attachment, what would I expect to happen?

  59. somebody · 1227 days ago

    i received it today morning,i am belgian but i wait parcel from uk,well my antivirus worn me about trojan horse...i switched off the antivirus i believed it is a false positive...now i am facing:boot sector problem virus on c/prgramdata and spyware and adwarere.the windows notifed me:bootsector problem ,please restart the computer.my friend told me:do not restart!!!run the antivirus computer scan and delete the email from the trash too.

  60. ellie · 1223 days ago

    I received this email too...funnily enough to my email address that is connected to my service provider...I NEVER use this email address, not for ANYTHING, so how does this email address get into the hands of rogues????? :/

  61. Heather · 1223 days ago

    Yes I have received messages from UPS and DHL as I had not ordered anything or expecting a parcel I did not open it. Some of the emails entered my spam box but others my email account. Just keep on deleting

  62. Helen · 1215 days ago

    Got this email this week. Was expecting an international parcel. Did open attachment. Good Norton protection saved the day. First of this type of email I've had. Was unaware of how these viruses operate. Will check more carefully in future.

  63. Salk · 1209 days ago

    Thanks Graham/Sophos
    I got the email and opened it because I had parcels on the way. But is was so non-specific I thought I'd google before clicking the link - and found your information.

  64. Pat Lyonresh · 894 days ago

    Here is the text of a message which I have not yet decided is genuine or not - I have changed the parcel number to protect me if it is genuine;-
    -----------------------------------------------------
    THIS IS THE ATTACHMENT TEXT HERE =

    Label_Parcel_USPS_782-N145.zip

    (Then follows the text of the Email as below)

    Notification,

    We couldn’t deliver your parcel at your address.
    Reason denyAn error at the delivery address.

    LOCATION:Santa Ana Notification,

    We couldn’t deliver your parcel at your address.
    Reason denyAn error at the delivery address.

    LOCATION:Santa Ana
    DELIVERY STATUS: sort order
    SERVICE: Expedited Shipping
    ITEM NUMBER:U87529293NU
    INSURANCE: Yes

    Label is enclosed to the letter.
    Print a label and show it at your post office.

    Important information!
    If the parcel isn’t received within 30 working days our company will have the right to claim compensation from you for it's keeping in the amount of $21.75 for each day of keeping of it.

    You can find the information about the procedure and conditions of parcels keeping in the nearest office.

    Thank you for attention.
    USPS Global Mail.arcel number so
    DELIVERY STATUS: sort order
    SERVICE: Expedited Shipping
    ITEM NUMBER:U87529293NU
    INSURANCE: Yes

    Label is enclosed to the letter.
    Print a label and show it at your post office.

    Important information!
    If the parcel isn’t received within 30 working days our company will have the right to claim compensation from you for it's keeping in the amount of $21.75 for each day of keeping of it.

    You can find the information about the procedure and conditions of parcels keeping in the nearest office.

    Thank you for attention.
    USPS Global Mail.

About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.