Express Shipment Notification emails contain malware

Filed Under: Featured, Malware, Spam

Express delivery of a Trojan horse
Have you received an email with the subject line "Express Shipment Notification"?

If so, be on your guard - you could be at risk of infecting your Windows computers.

Online criminals have spammed out a large number of messages, claiming to come from DHL Express International, that are designed to install malware onto the computers of unsuspecting PC users.

Here is what a typical example of an email spammed out in the attack looks like:

Malicious email

DHL Express
Tracking Notification: 449762627

Custom Reference: 594078O440
Tracking Number: XFLNH94244
Pickup Date: Mon, 18 Mar 2013 12:39:03 +0100
Service: AIR
Pieces: 1

Mon, 18 Mar 2013 12:39:03 +0100 - Processing complete successfully
Refer to attached report for full details.

Attached to the emails is a ZIP file, containing malware. The filename of the ZIP file can vary, but takes the form "DHL" (where the 'X's are a random code).

Sophos products detect the malicious attachment as the Troj/BredoZp-S Trojan horse.

Of course, the emails don't really come from DHL - and the fact that you may have received an email which has DHL in its "From:" field does not mean that any computer systems at DHL have been compromised, but just that the attackers have forged the email headers.

Time and time again we have seen cybercriminals using the disguise of shipping companies like DHL and FedEx to spread their malware attacks and hijack the computers of the unwary.

Your best protection is to not just run an up-to-date anti-virus, but also to live and breathe computer security in your every day life.

How do you do that? Well, you can start by learning to never open attachments in unsolicited emails - however tempted you might be.

, , ,

You might like

7 Responses to Express Shipment Notification emails contain malware

  1. WSG · 934 days ago

    I see this type of thing every day while reviewing spam for my clients, and it's been going on for a long time. DHL, FedEx, Intuit Payroll, ADP, BBB, AT&T, Verizon Wireless, Amazon, etc ... too many to remember. Some use to contain links to infected sites or phishing login screens, but most have attachments that are malware.

  2. Roger · 933 days ago

    I think that's it's virtually a lost cause to try to protect people from themselves. Truly, there's one born every minute.

  3. Sayville Library · 933 days ago

    I give computer classes; the most poorly attended class I give is one computer and Internet security. Apparently, most users think what you don't know can't hurt you.

  4. Christy · 933 days ago

    This could be confusing to some and have them accidentally open it.....I get my prescriptions from "Express Scripts".....

  5. mike byrne · 932 days ago

    i think people must adopt the 'THINK BEFORE YOU CLICK' policy

  6. saxonrau · 932 days ago

    Annoyingly I am expecting a tax refund too. But, luckily, I know HMRC will send me a letter in the post, not some badly spelled email.

    Has anyone actually put the tracking number into the relevant courier's website? I can't imagine a spammer would be stupid enough to use one of their own tracking ref.s but you never know.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog at, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley