DHL International Delivery email? Beware widespread malware attack

Filed Under: Featured, Malware, Spam

Why should malware authors show any creative flair and imagination? There's no need, after all, if tried and trusted methods of infecting computers still work.

Take, for instance, the widespread malware campaign that has been spammed out across the internet today, posing as an email from DHL.

Malware-infected email claiming to come from DHL

A typical email has a subject line of "DHL Express Parcel Tracking notification [random code]" or "DHL Express Tracking Notification ID [random code]" or "DHL International Notification for shipment [random code]"

The emails read similar to the following:

Hello Dear,

DHL Express Tracking Notification: Mon, 11 Jun 2012 12:14:55 +0200

Custom Reference: 9057425-HRIEI2E4Q8C
Tracking Number: UT09-2041042911
Pickup Date: Mon, 11 Jun 2012 12:14:55 +0200
Pieces: 2

Mon, 11 Jun 2012 12:14:55 +0200 - Processing complete successfully

Shipment status may also be obtained from our Internet site in USA under or Globally under

Please do not reply to this email. This is an automated application used only for sending proactive notifications

Thanks in advance,
DHL Express International Inc.

Attached to each email is a ZIP file, containing the malware. The attached filename can vary, but takes the form DHL_International_Delivery_Details-[random code].zip

Forklift truck. Image courtesy of ShutterstockSophos products detect the Windows malware as Troj/Agent-WMO.

Malicious emails that claim to come from courier companies are nothing new.

In fact, they are one of the most commonly used social engineering disguises deployed by cybercriminals to trick unsuspecting users into opening a malicious attachment or clicking on a dangerous link.

Make sure that you and your friends are wise to the trick - and think before you click.

Forklift truck image courtesy of Shutterstock.

, ,

You might like

9 Responses to DHL International Delivery email? Beware widespread malware attack

  1. J MacDonald · 1212 days ago

    I found the UPS one in my email account, my Norton security stopped it right away, but I knew of the problem, thanks to SOPHOS.

  2. blingedup · 1212 days ago

    I've gotten three or four of these DAILY for several weeks now. So irritating.

  3. Moosey · 1211 days ago

    These always end up in my spam folder anyway, so I've never had a problem. :3

  4. Christine · 1211 days ago

    I also have gotten several of these over a couple weeks. Thanks for the warning!!

  5. Mikey398 · 1211 days ago

    Found it in my inbox yesterday...looked suspicious and was deleted

  6. Daniel · 1210 days ago

    I received a similar message from Canada Post. Unfortunately for them, or perhaps intentionally, the word "invoice" was spelled "inboce" and while one link was a legitimate Canada Post link, the one just below it to download the invoice was not. Assholes!

  7. guest · 1205 days ago

    I really hope these people that write malware and distribute it either for gain or just to make others lives miserable, I hope they get a real slow and very painful cancer and they spend every penny they have fighting it only to go broke and die by it. That would be justice.

  8. Kate · 1182 days ago

    I got one with PERFECT SPELLING and was expecting a parcel from DHL.

    Unfortunately I opened it and downloaded.

    I then realised it was a mistake and deleted what I could

    This morning McAfee flashed a signal that they had found a Trojan and dealt with it. No further action required.


  9. Paul · 793 days ago

    I just got one from DHL as I was away for the week they claimed they could not deliver I was curious. Upon opening the zip I knew something was wrong and tried to shut it off it continued until crtl alt delete managed to stop it and then I took the tracking # to real dhl site which of course said it was an invalid #. Thank You for the article.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog at, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley