Germans bombarded in malware attack, shipment firm caught in crossfire forced to suspend email address

Filed Under: Featured, Malware, Spam

A particularly aggressive malware campaign has been forcefully spammed out in the last 24 hours, targeting German internet users.

The malicious emails, which have been intercepted by Sophos security products, carry an attachment that pretends to be a PDF file, claim to come from an air shipment company, and use the subject line "Luftfrachsendung AWB".

Here is an example of a typical email that was intercepted by the team at SophosLabs:


Hallo,

anbei der AWB bitte bestätigen ob alles Ok ist.

Danke

Mit freundlichen Grüßen

Attached to the emails is a file called AWB-Avis 123-12345678.pdf.zip (the numbers vary) which carries the malicious payload. Despite the "pdf" in the name, the file is a ZIP archive, not a PDF document; the double extension is there to make the attachment look harmless.

Sophos products detect the attack as Troj/Agent-AAJO and Troj/Agent-AANK.
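The lure described above (an "AWB" subject, a spoofed shipping-company sender, and a ZIP attachment dressed up with a .pdf.zip double extension) is easy to recognise mechanically before a user ever sees it. The following is an added example, not Sophos's own detection logic or anything from the campaign itself: it parses an RFC 5322 message with Python's standard library, flags double-extension attachment names, opens any ZIP attachment in memory and reports members with executable endings. The sample messages, the name of the file inside the archive, the subject pattern and the deny-list of extensions are all constructed assumptions for illustration; the page only says the archive "carries the malicious payload".

```python
"""Flag emails matching the 'AWB' lure: a spoofed shipping sender, a
'Luftfrach...' subject and a .pdf.zip attachment hiding an executable.
Example code, not Sophos's; samples below are constructed, not real."""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Assumption: a reasonable deny-list of file types that never belong
# inside something claiming to be a PDF shipment notice.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")
# Assumption: "document-looking" name followed by an archive/executable ending.
DOUBLE_EXT = re.compile(r"\.(pdf|doc|docx|xls|jpg)\.(zip|rar|7z|exe|scr)$", re.I)
# Matches the campaign subject "Luftfrachsendung AWB" (and the correctly
# spelled "Luftfrachtsendung"); assumption for this example.
LURE_SUBJECT = re.compile(r"luftfrach", re.I)


def zip_member_names(data):
    """Return member names inside a ZIP, or [] if the bytes are not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data or b"")) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def analyse(raw):
    """Parse a raw message and return a list of human-readable findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    if LURE_SUBJECT.search(msg.get("Subject", "")):
        findings.append("subject matches AWB lure")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if DOUBLE_EXT.search(name):
            findings.append(f"double extension: {name}")
        # Look inside the archive without writing anything to disk.
        for member in zip_member_names(part.get_payload(decode=True)):
            if member.lower().endswith(EXECUTABLE_SUFFIXES):
                findings.append(f"executable inside {name}: {member}")
    return findings


def _base_message(subject):
    msg = EmailMessage()
    msg["From"] = "info@first-class-zollservice.de"  # spoofed, as in the campaign
    msg["To"] = "victim@example.com"
    msg["Subject"] = subject
    msg.set_content("Hallo,\n\nanbei der AWB bitte bestätigen ob alles Ok ist.\n\nDanke\n")
    return msg


def build_sample():
    """Constructed sample resembling the campaign. The inner file name and
    contents are an assumption; no real malware is involved."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AWB-Avis 123-12345678.pdf.exe", b"MZ not a real program")
    msg = _base_message("Luftfrachsendung AWB")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="AWB-Avis 123-12345678.pdf.zip")
    return msg.as_bytes()


def build_benign():
    """Constructed control: a genuine (if tiny) PDF with an ordinary subject."""
    msg = _base_message("Rechnung 4711")
    msg.add_attachment(b"%PDF-1.4\n%%EOF\n", maintype="application",
                       subtype="pdf", filename="Rechnung-4711.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in analyse(build_sample()):
        print("SUSPECT:", finding)
    print("benign findings:", analyse(build_benign()))
```

Run against the constructed lure the script reports the subject match, the double extension and the executable inside the archive; the benign control produces no findings. In a real gateway the same three checks would sit alongside sender verification, since the From address here is simply forged.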

Astrid, one of the translators here at Sophos, tells me that the German used in the emails isn't perfect (which might help raise suspicions) - but here's a rough translation for non-German speakers:

Hi,

Please confirm the enclosed AWB is OK.

Thank you

Yours sincerely

What makes this attack stand out from the others we have intercepted in the last few days is its sheer scale: it dwarfs every other email-borne malware campaign SophosLabs has seen recently.

The shipping company referenced in the email has posted a message on its website saying that it has had to suspend its normal info@ email address because of the sheer number of emails it is receiving, and has offered an alternative address for contact instead.


ATTENTION! Email Spam and Virus warning: Unknown parties are currently sending large quantities of spam emails with the false sender address of info@first-class-zollservice.de. The subject line reads "Airfreight shipment AWB". The email has an attachment that is infected with a Trojan!

We therefore advise that if you receive such an email, you delete it without opening. Please do not try to open the attachment!

For this reason, the email address info@first-class-zollservice.de has been disabled until further notice. You can contact us in the meantime using the email address "24stunden@first-class-zollservice.de".

You have to feel some sympathy for an innocent company which has had its business disrupted by a cybercriminal scheme.

Make sure that you are reducing the risk of your computers being infected by malware in an attack like this.

As well as keeping your wits about you and ensuring that you and your colleagues never open unsolicited attachments (remember that a file name ending in .pdf.zip is a ZIP archive, whatever it claims to be), make sure that every computer you are responsible for is running up-to-date anti-virus software.


3 Responses to Germans bombarded in malware attack, shipment firm caught in crossfire forced to suspend email address

  1. terry says:

    This delivery type message has been around for years

  2. Arerifx says:

    Cybercriminals are becoming so cruel now..

  3. Rob says:

    I have an info@ email address on my domain ... I currently get about 100 emails a day to it for undeliverable emails from some spammers using my domain as their from address! (Hello my name is Olga.) It's been happening for over a year now... DKIM and SPF on the domain haven't deterred them, and just disabling the email address won't stop them using it, and will cause me a lot of disruption itself. Apart from the inconvenience, it's actually costing me money (so many DNS lookups from their targets pushed me off my free DNS tier into a paid-for one).


About the author

Graham Cluley has worked in the computer security industry for more than 20 years, developing anti-virus software and doing quite a lot of talking about internet threats. He's won awards for his blogging, but is proudest of the text adventure games he wrote when he was still wearing short trousers. You can learn more about those (the games, not the trousers) at grahamcluley.com. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.