Sloppy spelling scuppers DHL malware spam attack

Filed Under: Malware, Spam

Thank heavens for the poor education of cybercriminals!

If they had paid more attention to spelling and grammar at school (rather than mugging younger kids for their dinner money and inflicting chinese burns behind the bicycle sheds) then maybe some of their scams would be harder to spot.

Take this malware campaign that we are seeing being spammed out right now, for instance.

DHL malicious spam

Subject: DHL notification

Message body:
Dear customer.
The parcel was send your home address.
And it will arrice within 7 bussness day.

More information and the tracking number
are attached in document below.

Thank you.
2011 DHL International GmbH. All rights reserverd.

The email doesn't really come from DHL, of course. This is just the latest in a long line of instances where cybercriminals have distributed malware attacks posing as communications from a delivery firm such as UPS or FedEx.

But take a closer look. There are 37 words in the body of that message, four of which are spelt incorrectly. That's an almost 11% failure rate!

If the spelling mistakes and lack of professionalism weren't enough to get your security sixth sense jangling, then hopefully your anti-virus would have identitifed that the attached file contains malware.

Sophos products detect the ZIP file proactively as Mal/BredoZp-B, and its Trojan horse contents as Troj/Agent-QQG.

I, for one, vote against improving the grammar and spelling of cybercriminals. We can't rely on every malicious hacker being a poor communicator, but it certainly can help the general public identify when a message should be treated with suspicion.

, ,

You might like

13 Responses to Sloppy spelling scuppers DHL malware spam attack

  1. Claire · 1673 days ago

    Most of these are from non-English speakers to begin with, so I don't think it's really a matter of poor education. I imagine most American PhDs would have a hard time composing a letter in Swahili. Nevertheless, it is amusing to receive a letter, ostensibly from the US Ambassador to Benin, rife with random capitalizations, misspellings and erroneous grammar.

  2. The Bruteforcer · 1673 days ago

    I think it would be a nice idea to introduce spam filters based on grammar and spelling... :-D

  3. Daniel · 1673 days ago

    It's worth noting that the signature line reads "2011 DHL International GmbH." GmbH is the German equivalent of Inc. In other words, the writer is probably not a native English speaker. What's scary is that I have seen native English speaker who do spell that badly - but most of them are either not smart enough or not motivated enough to write malware.

    • Actually, you'll find DHL's global headquarters is in Germany.

      So even the main website refers to "DHL International GmbH".

      DHL is part of Deutsche Post.

      In the words of Michael Caine, not a lot of people know that.

  4. Casperthedog · 1673 days ago

    The knowledge that many scams contain poor spelling and grammar is not new. But remember that for many, many people in English speaking countries receiving these emails english is a second or even third language.

    So while those of us who speak and read English as our first language may sit back and laugh, a lot of our neighbours aren't so aware of the errors.

    And when we live and work alongside non-native English speakers every day, relying on spelling or grammar clues shouldn't be seen as a 100% effective filter.

  5. Cyberguido · 1673 days ago

    I'd have stopped right after the "Dear Customer" part. How come they sent a parcel to my home address, know my email address, and don't know my name? Not even if they wrote impeccable English I'd have gone for that :-) And no, I'm not a native speaker myself :-)

  6. Angel · 1672 days ago

    Can someone please tell me if my computer got infected or if anyone can see in my email if I opened this email from DHL? I actually was expecting a delivery and filled out a form online to redeliver a package, so I thought it just might be regarding my delivery, so I clicked on the zip file folder but I got a pop up that said it could not download because an unfamiliar virus. So does this mean no harm done and no one can see my information??

    • Heather · 1672 days ago

      I also (stupidly) opened the email and clicked on the downloaded zipfile. Now what? I turned off the computer once I realized I'd been duped.


      • Angel · 1667 days ago

        But did you see a pop up window stating it could not download the file because of an unknown virus? What happened after you clicked on the zipfile? I think my security may have blocked it because of that pop up, but I'm still not sure.

  7. Ian · 1669 days ago

    I am forwarding all the ones i get to ''. Maybe they may open one and find out first hand the amount of grief normal recipients get!

  8. lolol · 1666 days ago

    I got a email about "DHL notification" at my old email account but it wasn't like that. It was just saying please check this document and then there was a attachment saying "".

  9. Megan Kenal · 1656 days ago

    i have heard (don't know if it's true or not, but it bears thought) that some misspellings and poor grammar in spam emails is intentional, as a means of bypassing certain spam filters. for example, sending an email advertising "discounted pharmaceuticals" might get caught, whereas "discounted phamacuticals" might not. same thing for "free Rolex watches" versus "free Rolexes watch." (both of those examples are from real emails that i have received in my Hotmail account recently, which incidentally i don't use as a regular account but only for signing up on less-than-stellarly-reputable websites such as for games and whatnot.)

    obviously that doesn't apply here, but it's also possible that whoever sent out this spam also has or does send out non-spoofing spam for "retail" websites.

  10. Silvia · 1593 days ago

    I just received a different version:

    DHL Express Delivery
    tracking number # 22278711
    Good morning
    Parcel notification

    The parcel was sent your home adress.
    And it will arrive within 3 buisness days.

    More information and the parcel tracking number are attached in document below.

    Thank you
    DHL Express Delivery system (c)
    153 James Street, Suite100, Long Beach CA, 90000

    Maybe they need a minimum number of spelling errors.
    And the name of the zip file in DHL mail.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog at, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley