Germans bombarded in malware attack, shipment firm caught in crossfire forced to suspend email address

Filed Under: Featured, Malware, Spam

German malwareA particularly vociferous malware campaign has been forcefully spammed out in the last 24 hours, targeting German internet users.

The malicious emails, which have are intercepted by Sophos security products, contain an attachment which pretends to be a PDF file, and claim to come from an air shipment company and use the subject line "Luftfrachsendung AWB".

Here is an example of a typical email that was intercepted by the team at SophosLabs:

AWB malware


anbei der AWB bitte bestätigen ob alles Ok ist.


Mit freundlichen Grüßen

Attached to the emails is a file called AWB-Avis (the numbers can vary) which carries the malicious payload.

Sophos products detect the attack as the Troj/Agent-AAJO and Troj/Agent-AANK Trojan horse.

Astrid, one of the translators here at Sophos, tells me that the German used in the emails isn't perfect (which might help raise suspicions) - but here's a rough translation for non-German speakers:


Please confirm the enclosed AWB is OK.

Thank you

Yours sincerely

What makes the attack stand out from all of the other attacks that we have intercepted in the last few days is its sheer scale, dwarfing all the other malware attacks that SophosLabs has seen sent out via email in recent days.

The shipping company referenced in the email has posted a message on its website saying that it has had to suspend its normal info@ email address because of the sheer number of emails it is receiving, and has offered an alternative address for contact instead.


ATTENTION! Email Spam and Virus warning: Unknown parties are currently sending large quantities of spam emails with the false sender address of The subject line reads "Airfreight shipment AWB". The email has an attachment that is infected with a Trojan!

We therefore advise that if you receive such an email, you delete it without opening. Please do not try to open the attachment!

For this reason, the info@email address has been disabled until further notice. You can contact us in the meantime, using the email address ""

You have to feel some sympathy for an innocent company which has had its business disrupted by a cybercriminal scheme.

Make sure that you are reducing the risk of your computers being infected by malware in an attack like this.

As well as keeping your wits about you, and ensuring that you and your colleagues never open unsolicited attachments, always ensure that all of your computers are running up-to-date anti-virus software.

, ,

You might like

3 Responses to Germans bombarded in malware attack, shipment firm caught in crossfire forced to suspend email address

  1. terry · 909 days ago

    This delivery type message has been around for years

  2. Arerifx · 907 days ago

    Cybercriminals are becoming so cruel now..

  3. Rob · 907 days ago

    I have an info@ email address on my domain ... I currently get about 100 emails a day to it for undeliverable emails from some spammers using my domain as their from address! (Hello my name is Olga). It's been happening for over a year now... DKIM and SPF on the domain haven't deterred them, and just disabling the email address won't stop them using it, and will cause me a lot of disruption itself. Apart from the inconvenience, It's actually costing me money (so many DNS lookups from their targets pushed me off my free DNS tier into a paid-for one).

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog at, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley