It’s wise to be wary when it comes to unsolicited email, even when the email appears to come from a legitimate organisation.
Today we’re warning internet users to be careful not to be tricked into opening attachments that have been spammed out, posing as communication from the British Royal Mail.
A typical email reads:
Royal Mail Group Shipment Advisory
The following 1 piece(s) have been sent via Royal Mail on Mon, 20 Aug 2012 15:43:14 +0530, REF# 5646597645
SHIPMENT CONTENTS: Documents
SHIPPER REFERENCE: PLEASE REFER TO ATTACHED FILE
ADDITIONAL MESSAGE FROM SHIPPER: PLEASE REFER TO ATTACHED FILE
Royal Mail Group Ltd 2012. All rights reserved
It should go without saying that the emails are not connected with the real Royal Mail in any way, despite them appearing to arrive from noreply@royalmail.com and containing the Royal Mail’s logo.
The cybercriminals who have distributed the attack are hoping that your curiosity will be piqued, and you will be tempted to open the attached ZIP file in the mistaken belief that a parcel is winging its way to you.
Contained within, however, is not a Royal Mail shipping advisory but a file called royal_mail_shipping.exe, detected by Sophos as the Troj/Backdr-HE Trojan horse.
The technique of disguising a malware attack as an email from a delivery company is nothing new, of course. Many internet users will be aware of the attacks we have seen in the past that have pretended to come from the likes of DHL, FedEx and USPS for example.
Chances are that this malware attack is less likely to be as successful as those which abuse the names of global delivery companies, but there is always the danger that some people will click without thinking and have their computers infected as a result.
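The lure described above relies on an executable hidden inside a ZIP attachment (and, as a later report in the comments shows, on a double extension such as .pdf.exe). The following is an added example, not code from the original article or from Sophos, of the kind of attachment check a mail gateway can run: it flags executable extensions, flags document-style decoy extensions in front of them, and looks inside ZIP archives. The archive and member names are constructed in memory for the demonstration; the extension lists are assumptions a real deployment would tune.

```python
import io
import zipfile

# Extensions a gateway should treat as executable content (assumed list).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Extensions commonly used as the decoy half of a double extension (assumed list).
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".txt", ".jpg", ".png"}


def classify_filename(name):
    """Return the reasons a filename looks like a disguised executable (empty if none)."""
    reasons = []
    # Look only at the final path component, lower-cased, split on dots.
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) < 2:
        return reasons
    ext = "." + parts[-1]
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {ext}")
        # e.g. Royal_Mail_Shipping.pdf.exe: a document extension right before the real one.
        if len(parts) >= 3 and "." + parts[-2] in DOCUMENT_EXTENSIONS:
            reasons.append(f"double extension disguised as .{parts[-2]}")
    return reasons


def scan_attachment(filename, data):
    """Inspect one attachment: the file's own name and, if it is a ZIP, every member name.

    Returns a dict mapping 'attachment' or 'attachment!member' to the list of reasons."""
    findings = {}
    direct = classify_filename(filename)
    if direct:
        findings[filename] = direct
    buf = io.BytesIO(data)
    if zipfile.is_zipfile(buf):
        with zipfile.ZipFile(buf) as zf:
            for member in zf.namelist():
                reasons = classify_filename(member)
                if reasons:
                    findings[f"{filename}!{member}"] = reasons
    return findings


def build_sample_zip(member_name):
    """Construct an in-memory ZIP holding one harmless placeholder member (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"placeholder bytes, not a real program")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip("royal_mail_shipping.exe")
    print(scan_attachment("royal_mail_shipping.zip", sample))
    print(scan_attachment("Royal_Mail_Shipping.pdf.exe", b"not really a pdf"))
```

The check is deliberately name-based: it catches the two tricks this campaign uses without executing or unpacking anything beyond the ZIP directory, which keeps it cheap enough to run on every inbound message.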
British post box image from Shutterstock.
Has Sophos heard anything about Reveton, the ransomware?
Thanks for this. I run a business, and it looked so genuine that I almost fell for it. I did a quick search and this came up.
Although some scams like this one might catch people unaware, I find it hard to credit why people open any email that they know has nothing to do with them and then – to make things worse – open attachments and run them. I would have thought that if the email text is not explicit in giving information then opening attachments is just asking for trouble. If people actually thought about what they do online then email scams would vanish overnight. The scams that worry me more are 'drive by' or 'click by' attacks from ordinary websites that have somehow been infected. It is difficult to know what to do about these and even though I regard myself as reasonably wary, I got caught out by a forum site that had been infected and the operating system was damaged so badly it was not possible to recover except with a total rebuild.
I have received 2 of these 'Royal Mail' emails in the past 12 hours. I didn't open them because I thought it suspicious. However, I am expecting 2 deliveries via ebay and the senders both have my email address. I did wonder if it was a new scheme but thankfully didn't feel sufficiently convinced to open a document.
I've had two of these within the last 12 hours! Thankfully, I realised what it was and permanently deleted both.
One only needs to think for a moment, when mailing something out, when have you EVER been asked for your or the recipient's e-mail address? Never, right? So, why would either the sender or recipient get an e-mail about a supposed shipment? They just plain wouldn't!
Also, some of the English usage in the spam isn't what I would expect Royal Mail to use – seems a little more American than British usage. I think they'd be more likely to say 'sender' rather than 'shipper' etc. There are other things as well that just aren't realistic enough to be totally convincing to someone who takes a minute to think.
The moral? ALWAYS take that minute to think!
I just got one of these, but it wasn't detected by the anti-virus I run, or Sophos, or that of any vendor in fact: https://www.virustotal.com/file/0f07af636d662f429…
I've been getting a lot of these e-mails over the past 2-3 weeks, claiming to come from various delivery companies, and almost all of them get through. About half end up being detected by 75% of anti-virus vendors after about a week; the other half remain undetected by all. The prevalence of false negatives is what makes these so likely to cause some real harm.
Yes, that is my name (Spooky).
The thing is "You can't con an honest man" i.e. these only have a chance of working when people are looking for a freebie. Hence all the "Congratulations you have won" mails.
If people weren't greedy then they wouldn't get conned.
I've just received this email too. I'm generally wary of emails from sources I'm not subscribed to but almost opened this as I am in fact waiting for some important documents. Thank goodness common sense prevailed over curiosity. However I know I need to warn my parents as they would almost definitely trust an email that looks like it's from Royal Mail or any other well known company. It's just mindless vandalism really.
We use a secure mail gateway service that permits checking SPF records. I've found this is an excellent way to cut down on these types of spam campaigns. Many of the major carriers and other large organizations now have SPF records. royalmail.com has only taken a baby step so far:
royalmail.com. 10M IN TXT "v=spf1 ip4:62.209.53.5 ip4:62.209.53.165 ?all" ""
If I've got it right this is equivalent to having no SPF record whatsoever, due to the "?all" at the end. Hopefully by posting this it will encourage them and others reading this to begin defining genuine, working SPF records, and others to start using them. It's an excellent but underutilized tool.
I consider it even worse than you suggest 🙂
I discuss the various SPF record types, somewhat cynically, here: http://nakedsecurity.sophos.com/2012/02/02/dmarc-…
I refer to "?all" as the "DONT_CARE" record type.
If you aren't using "-all", which means "the servers on the explicit list I just gave you are the only ones I acknowledge; all else are imposters", then IMO you are wasting your time (and everyone else's).
Do you guys know the source IP of the said scam mail? I haven't received it yet, but I do wanna scan the whole network for any incident regarding this Royal Mail scam. Thanks!
I've not got any of the Royal Mail ones – they're all deleted now. But I've found a FedEx one, and worryingly it came through the IPs 199.81.10.49 and 161.135.24.32, which both do a very good job of looking like they are actually FedEx. In fact, both PTR and A records are set correctly. The 199* one is definitely in their IP range, however it's not allowed by their SPF policy. If only they'd set -all on the end of the SPF record, none of these would get through.
If I get any more RM ones, I'll post the IPs involved.
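The SPF discussion in the comments above (the royalmail.com record ending in "?all", the point that "-all" is the only qualifier that lets a receiver reject, and the FedEx report of a sending IP not covered by the published policy) can be made concrete with an offline evaluator. This is an added example, not code from the original post, from Sophos or from any SPF library: it parses only the ip4/ip6/all mechanisms (include, a and mx need DNS and are rejected), evaluates a sending IP against a record, and shows how a gateway policy that rejects only on "fail" reacts to "?all" versus "-all". ROYALMAIL_RECORD is the record quoted in the comment; STRICT_RECORD is a constructed variant with "-all"; 203.0.113.10 is a constructed sender address from the documentation range.

```python
import ipaddress

# Result each qualifier maps to under RFC 7208.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Record quoted in the comment above (TXT data only).
ROYALMAIL_RECORD = "v=spf1 ip4:62.209.53.5 ip4:62.209.53.165 ?all"
# Constructed variant showing what the commenters are asking for.
STRICT_RECORD = "v=spf1 ip4:62.209.53.5 ip4:62.209.53.165 -all"


def parse_spf(record):
    """Split a v=spf1 record into (qualifier, mechanism, argument) tuples.

    Only ip4, ip6 and all are supported; anything needing DNS raises ValueError."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means 'pass'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech not in ("ip4", "ip6", "all"):
            raise ValueError(f"mechanism {mech!r} needs DNS lookups; not supported offline")
        parsed.append((qualifier, mech, arg))
    return parsed


def check_spf(record, sender_ip):
    """Evaluate sender_ip against record: pass, fail, softfail or neutral.

    Mechanisms are tried left to right; the first match decides the result."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mech, arg in parse_spf(record):
        if mech == "all":
            return QUALIFIERS[qualifier]
        # ip4:62.209.53.5 has no prefix length, so ip_network treats it as /32.
        network = ipaddress.ip_network(arg, strict=False)
        if ip.version == network.version and ip in network:
            return QUALIFIERS[qualifier]
    # RFC 7208 section 4.7: no match and no 'all' term gives neutral.
    return "neutral"


def gateway_action(result):
    """Assumed gateway policy: reject only on a definite 'fail', accept everything else."""
    return "reject" if result == "fail" else "accept"


if __name__ == "__main__":
    for record in (ROYALMAIL_RECORD, STRICT_RECORD):
        for ip in ("62.209.53.5", "203.0.113.10"):
            result = check_spf(record, ip)
            print(f"{record!r:55} {ip:15} -> {result:8} {gateway_action(result)}")
```

Running it shows the commenter's point: with "?all", a message from the unlisted 203.0.113.10 comes back "neutral" and is accepted, exactly as if no record existed; only the "-all" variant produces "fail" and a rejection.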
I have just received one of these emails, hidden under a PDF file, as follows:
Royal Mail Shipping Advisory, Mon, 10 Sep 2012 15:00:56 +0900
donotreply@blackberry.com
attachment: Royal_Mail_Shipping.pdf.exe
Royal Mail Group Shipment Advisory
The following 1 piece(s) have been sent via Royal Mail on Mon, 10 Sep 2012 15:00:56 +0900, REF# 0444552131
SHIPMENT CONTENTS: Documents
SHIPPER REFERENCE: PLEASE REFER TO ATTACHED FILE
ADDITIONAL MESSAGE FROM SHIPPER: PLEASE REFER TO ATTACHED FILE
Royal Mail Group Ltd 2012. All rights reserved
I am lucky I did not open it, but I am aware that they have my email address and that they may use a different way to do such dirt.
Thanks for feedback.
Apparently starting up again, but this time from a different address. Got this one today when I have no parcel coming from England at all via the Royal Mail.
Mail – Lost / Missing package – UK Customs and Border Protection
Royal Mail has detained your package for some reason (for example, lack of a proper invoice, bill of sale, or other documentation, a possible trademark violation, or if the package requires a formal entry) the RM International Mail Branch holding it will notify you of the reason for detention (in writing) and how you can get it released.
Please fulfil the documents attached.
Great, you're all good at saying how good you all are at not opening one of these, but none of you are clever enough to tell someone what to do if they have! I am waiting for a number of parcels from overseas, so when I received an email telling me one of my parcels had been held up, thinking about email scams was not top of my list. I pressed open and then thought better; I panicked and pulled the mains power. I booted up without connecting my modem and, checking the email, it says it's unread, so I've deleted it. Now what do I do? Alan
Nice to read all those "shouldn't have opened" and other non-advice emails. The question is: what does one do (i) with the email still unopened on the email client or (ii) after it has been opened?
thx for any answer!
LOL, I ‘think’ I may have dodged a bullet here. I posted a number of parcels overseas and received an email stating a parcel has been blocked by customs. I tried several times to open the attachment but it didn’t seem to do anything, then I noticed I have a few DHL emails in my spam box and googled. And I agree juergen, I hate smug muppets ... hindsight is 20/20!!!!!