Royal Mail malware attack distributed via email

Filed Under: Featured, Malware, Spam

It's wise to be wary when it comes to unsolicited email, even when the email appears to come from a legitimate organisation.

Today we're warning internet users to be careful not to be tricked into open attachments that have been spammed out, posing as communication from the British Royal Mail.

Malware email. Click for larger version

A typical email reads:

Royal Mail Group Shipment Advisory

The following 1 piece(s) have been sent via Royal Mail on Mon, 20 Aug 2012 15:43:14 +0530, REF# 5646597645

SHIPMENT CONTENTS: Documents

SHIPPER REFERENCE: PLEASE REFER TO ATTACHED FILE

ADDITIONAL MESSAGE FROM SHIPPER: PLEASE REFER TO ATTACHED FILE

Royal Mail Group Ltd 2012. All rights reserved

It should go without saying that the emails are not connected with the real Royal Mail in anyway, despite them appearing to arrive from noreply@royalmail.com and containing the Royal Mail's logo.

The cybercriminals who have distributed the attack are hoping that your curiousity will be piqued, and you will be tempted to open the attached ZIP file in the mistaken belief that a parcel is winging its way to you.

Post box. Image from ShutterstockContained within, however, is not a Royal Mail shipping advisory but a file called royal_mail_shipping.exe, detected by Sophos as the Troj/Backdr-HE Trojan horse.

The technique of disguising a malware attack as an email from a delivery company is nothing new, of course. Many internet users will be aware of the attacks we have seen in the past that have pretended to come from the likes of DHL, FedEx and USPS for example.

Chances are that a malware attack that is less likely to be as successful as those which abuse the name of global delivery companies, but there is always the danger that some people will click without thinking and have their computers infected as a result.

British post box image from Shutterstock.

, ,

You might like

17 Responses to Royal Mail malware attack distributed via email

  1. Freida Gray · 802 days ago

    Has Sophos heard anything about Reveton, the ransomware?

    • Anonymous · 330 days ago

      Thanks for this..I run a business, and it looked so genuine that I almost fell for it..did a quick search and this came up.

  2. Marc · 802 days ago

    Although some scams like this one might catch people unaware, I find it hard to credit why people open any email that they know has nothing to do with them and then - to make things worse - open attachments and run them. I would have thought that if the email text is not explicit in giving information them opening attachments is just asking for trouble. If people actually thought about what they do online then email scams would vanish over night. The scams that worry me more are 'drive by' or 'click by' attacks from ordinary websites that have somehow been infected. It is difficult to know what to do about these and even though I regard myself as reasonably wary, I got caught out by a forum site that had been infected and the operating system was damaged so badly it was not possible to recover except with a total rebuild.

    • Bea · 801 days ago

      I have received 2 of these 'Royal Mail' emails in the past 12 hours. I didn't open them because I thought it suspicious. However, I am expecting 2 deliveries via ebay and the senders both have my email address. I did wonder if it was a new scheme but thankfully didn't feel sufficiently convinced to open a document.

  3. Elizabeth Braun · 802 days ago

    I've had two of these within the last 12 hours! Thankfully, I realised what it was and permanently deleted both.

    One only needs to think for a moment, when mailing something out, when have you EVER been asked for your or the recipient's e-mail address? Never, right? So, why would either the sender or recipient get an e-mail about a supposed shipment? They just plain wouldn't!

    Also, some of the English usage in the spam isn't what I would expect Royal Mail to use - seems a little more American than British usage. I think they'd be more likely to say 'sender' rather than 'shipper' etc. There are other things as well that just aren't realistic enough to be totally convincing to someone who takes a minute to think.

    The moral? ALWAYS take that minute to think!

  4. James Oakley · 802 days ago

    I just got one of these, but it wasn't detected by the anti-virus I run, or Sophos, or that of any vendor in fact: https://www.virustotal.com/file/0f07af636d662f429...

    I've been getting a lot of these e-mails over the past 2-3 weeks, claiming to come from various delivery companies, and almost all of them get through. About half end up being detected by 75% of anti-virus vendors after about a week; the other half remain undetected by all. The prevalence of false negatives is what makes these so likely to cause some real harm.

  5. Marc · 802 days ago

    Yest that is my name (Spooky).
    The thing is "You can't con an honest man" i.e. these only have a chance of working when people are looking for a freebie. Hence all the "Congratulations you have won" mails.
    If people weren't greedy then then wouldn't get conned.

  6. Sharon · 801 days ago

    I've just received this email too. I'm generally wary of emails from sources I'm not subscribed to but almost opened this as I am in fact waiting for some important documents. Thank goodness common sense prevailed over curiosity. However I know I need to warn my parents as they would almost definitely trust an email that looks like its from Royal Mail or any other well known company. It's just mindless vandalism really.

  7. John Hilgart · 801 days ago

    We use a secure mail gateway service that permits to check SPF records. I've found this is an excellent way to cut down on these types of spam campaigns. Many of the major carriers and other large organizations now have SPF records. royalmail.com has only taken a baby step so far:
    royalmail.com. 10M IN TXT "v=spf1 ip4:62.209.53.5 ip4:62.209.53.165 ?all" ""
    If I've got it right this is equivalent to having no SPF record whatsoever, due to the "?all" at the end. Hopefully by posting this it will encourage them and others reading this to begin defining genuine, working SPF records, and others to start using them. It's an excellent but underutilized tool.

    • Paul Ducklin · 800 days ago

      I consider it even worse that you suggest :-)

      I discuss the various SPF record types, somewhat cynically, here: http://nakedsecurity.sophos.com/2012/02/02/dmarc-...

      I refer to "?all" as the "DONT_CARE" record type.

      If you aren't using "-all", which means "the servers on the explicit list I just gave you are the only ones I acknowledge; all else are imposters", then IMO you are wasting your time (and everyone else's).

  8. wilson · 801 days ago

    do you guys know the source IP of the said scam mail. I haven't received it yet but i do wanna scan the whole network for any incident regarding this royal mail scam. thanks!

  9. James Oakley · 801 days ago

    I've not got any of the Royal Mail ones - they're all deleted now. But I've found a fedex one, and worryingly it came through the IPs 199.81.10.49 and 161.135.24.32, which both do a very good job as looking like they are actually fedex. In fact, both PTR and A records are set correctly. The 199* one is definitely in their IP range, however it's not allowed by their SPF policy. If only they'd set -all on the end of the SPF record, none of these would get through.

    If I get any more RM ones, I'll post the IPs involved

  10. Mo Khelifi · 782 days ago

    I have just received one of these emails covered under Pdf file

    as follows:

    Royal Mail Shipping Advisory, Mon, 10 Sep 2012 15:00:56 +0900

    donotreply@blackberry.com

    attachment: Royal_Mail_Shipping.pdf.exe

    Royal Mail Group Shipment Advisory

    The following 1 piece(s) have been sent via Royal Mail on Mon, 10 Sep 2012 15:00:56 +0900, REF# 0444552131

    SHIPMENT CONTENTS: Documents

    SHIPPER REFERENCE: PLEASE REFER TO ATTACHED FILE

    ADDITIONAL MESSAGE FROM SHIPPER: PLEASE REFER TO ATTACHED FILE

    Royal Mail Group Ltd 2012. All rights reserved

    I am lucky did not open it but I´am aware that the have my email adress that they may use different way to do such a dirt.

    Thanks fo feedback

  11. inzilbeth · 333 days ago

    Apparently starting up again but this time from a different address..got this one today when I have no parcel coming from England at all via the royal mail

    Mail - Lost / Missing package - UK Customs and Border Protection
    Royal Mail has detained your package for some reason (for example, lack of a proper invoice, bill of sale, or other documentation, a possible trademark violation, or if the package requires a formal entry) the RM International Mail Branch holding it will notify you of the reason for detention (in writing) and how you can get it released.

    Please fulfil the documents attached.

  12. Alan Trewhitt · 333 days ago

    Great your all good at saying how good you all are in not opening one of these but none of you are clever enough to tell someone what to do if they have!. I am waiting for a number of parcels from over seas so receiving an email telling me one of my parcels has been held up thinking about email scams was not top of my list. I pressed open and then thought better, I panicked and pulled the mans power. I booted up without connecting my modem and checking the email it says its unread so I've deleted it. Now aht do I do? Alan

  13. juergen · 333 days ago

    nice to read all those "shouldnt have opened" and other non-advise emails. the question is: what does one do (i) with the email still unopened on the email client or (ii) after it has been opened?
    thx for any answer!

  14. Greg K · 332 days ago

    LOL I 'think' I may have dodged a bullet here I posted a number of parcels overseas and received an email stating a parcel has being blocked by customs. I tried several times to open the attachment but it didn't seem to do anything, then I noticed I have a few DHL emails in my spam box and goggled. and I agree juergen I hate smug muppets ....heindsight is 20/20 !!!!!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.