DHL Tracking Number UOYKCUFSBERKNAIBR spells danger

The cyberscoundrels are up to their dirty rotten tricks again, sending fake emails pretending to be notifications from DHL that there is a parcel that you should pick up.

DHL Parcel pickup email

Attached to the emails is a ZIP file called which contains a malicious threat. Sophos detects the malware proactively as Mal/EncPk-LE. Users of other anti-virus products might be wise to update their systems as this attack is being spammed out widely.

Here’s what the rest of the email looks like:

Message body:
Dear customer!

The courier company was not able to deliver your parcel by your address.

You may pickup the parcel at our post office personaly.

The shipping label is attached to this e-mail.
Please print this label to get this package at our post office.

Thank you for attention.
DHL Express Services.

Never forget, if you allow unknown code to run on your computer you could be putting your data, identity, finances and the very ownership of your computer’s resources into the hands of a remote hacker.

Those with eagle eyes might notice the odd wording of the email – but there are plenty of folks out there who will be so excited about the thought of receiving a mystery parcel that they click on the attached file without giving a second thought to the possible consequences.

Update: I am indebted to Clu-blog reader Kurt Wismer who contacted me via Twitter to point out that if you spell UOYKCUFSBERKNAIBR backwards it reads RBIANKREBSFUCKYOU.

Brian Krebs is a security journalist who writes the excellent SecurityFix blog for the Washington Post, and is widely reviled by the cybercrime underworld for his exposés of their activities.

I find it hard to believe that the hackers’ choice of tracking reference number can be a coincidence, even if they did transpose two characters by accident.