Just earlier this week, I warned about a malware attack that had been widely spammed out posing as a message from DHL Express International.
The trick, which is an old one, goes like this.
Cybercriminals spam out an email, with forged header information, tricking you into believing that it is from a shipping company like DHL or FedEx.
The email tells you that they tried to deliver a package to you, but failed for some reason. Sometimes the emails claim to be notifications of a shipment you have made.
Either way, you can’t resist being curious as to what the email is referring to – and open the attached file (or click on a link embedded inside the email).
And with that, your computer is infected and under the control of malicious hackers who have just planted a Trojan horse on your computer.
As attacks go, it’s pretty unsophisticated. But the fact that we see attacks using this formula virtually every day indicates that it’s a ruse that works well for the online criminals, and continues to help them make money.
I must admit that sometimes it’s pretty depressing working in the computer security industry, when you see people fall for the same trick time and time again.
Here’s the latest example, an email with the subject line “DHL delivery report”:
The social engineering is simple, but it works. The email tricks you into believing that there is a parcel waiting to be shipped to you, but an incorrect postcode has messed the delivery up.
What does the email suggest you do? Print off the label (helpfully attached), and take it to your post office. But you had best hurry! Because the email claims that they will begin to charge you if you dawdle too long.
It’s no wonder then that some folks will all too quickly open the attached file (called LABEL-ID-NY19032013-GFK78.zip in this case) and, as a result, infect their Windows computer with the Troj/Bredo-AGB Trojan horse.
Of course, this isn’t really DHL or FedEx’s fault. Their company name is being abused by the criminals and their brand image tarnished through association with such attacks.
Maybe you’re well-read about malware threats and would never fall for an attack like this. But can you say the same for your aunty, your father-in-law, your friends?
Do your bit to make the internet a safer place by helping raise awareness of security threats with your friends and family. Maybe even suggest they read Naked Security or follow us on Facebook if you think that will help.
Stay safe out there.
It was recommended I contact you with my question – I am a Facebook user and there is presently an impersonator that has established an account (misspelled last name) with my picture attempting to become friends…With all of Facebook's technology, I cannot do anything (at least that I can find online) because evidently I have been blocked by the "new" account. What can I do, or is there a way to actually talk with someone at Facebook. Thanks!
http://www.facebook.com/help/167722253287296/
This is an old malware! I received many of these emails 4-5 months ago…
Get loads of these for FedEx, none as yet for DHL. I simply just delete them. If I had a parcel coming from anyone I would check directly with them.
Receiving these "from" DHL, FedEx, UPS and even the US Post Office, although they're somewhat unlikely to be delivering to Staffordshire in the UK.
Here's a naive question from someone who knows next to nothing about this sort of thing:
Why can't someone design an email application (or, alternatively, a browser…for those who use webmail) that won't let such nasties install themselves on a computer, even though the user might be clueless enough to click on links in the unsolicited messages that carry them?
Of course, another solution is simply to run Sophos AV with on-access scanning (which I do)…but then, I don't click on such malicious links in the first place.
Anyhow, it seems to me that, if developers actually care about security, they ought to be addressing this at the email client (or browser) application level to provide a kind of first line of defense against such invasions. Probably easier said than done, but I'm still curious why no one seems to be addressing the problem…or am I mistaken?
Try an iPad. My mom just ran into this, and she loves it.
Called an iMac
I received a FedEx email informing me of my shipment in February (AND YES, I WAS EXPECTING ONE)…opened it and it cost me £70 to sort the computer out…Have just received one from DHL…I expect you have already guessed that I deleted it straight away even though I am expecting another shipment…beware, it will cost you money as well as your details…
I actually opened one of them, which was in the spam (but didn't click on the links but looked at the WOT scorecard) :S
I didn't see any attachments for the most part. But would clicking to open the email and nothing else cause me to get a virus?
If I opened the email and clicked on the tracking link, what problems can I expect? I use a Mac.
In this case, to get infected, you'd need to:
* Click the link.
* Open up the ZIP file (which is malware).
* Be running Windows.
* Miss the malware with your anti-virus/other security software.
So in your case, you should be OK.
Running a Mac doesn't reduce your risk *by design*, but it does reduce it by what you might call "market forces" – the crooks go after Mac users much less frequently because they're a minority of the market and (sadly/happily depending on whether you are a Windows/Mac user 🙂) the crooks are making enough money focusing on Windows.
My advice, therefore, on what to do about clicking on the link is, "Don't do that again."
What if I clicked on it but didn't continue to open the file (the message to open or save to the computer came up, and I closed it), should I be OK?
Why don’t these companies actually go after the fraudsters…gawd knows they would for any other type of brand infringement…why doesn’t DHL have a dedicated email address for us to forward them to? I’m getting one a day again.
Just got one from DHL yesterday. This site really helped me figure out what was going on
I just got the email. I clicked on the link (Because, yes, I am expecting a package!) and it said server not found. I opened it on my iphone. Should I worry?
What if I open a DHL email on my iPad but the browser came up with a 404 not found page? Am I OK? Because now I am not able to send any emails from my Hotmail account on my iPad, even after deleting and re-adding my account?
well how do you get it off your computer? I performed a Restore and that seemed to get rid of it … and then I found it in my Program Data folder and deleted it and emptied my trash ….. Did I do that correctly ?? It is one thing to send out the alarm of a virus it is another to explain how to get rid of it. Please reply. Warm Regards Angelo
I have had several DHL Notifications.
The first one I opened and my computer was immediately infected with a Trojan virus.
Took some time to get rid of it. Nasty little thing!
Just got another today.
DHL Inc. notify XA00AMJR4E
It is very difficult to suss these out, especially if you're expecting stuff to be delivered.
I received this email knew it sounded strange, thanks for the article.
Received 2 today – one from UPS Shipping service and one from DHL…. Just ordered something this morning on line and got a bit worried it was that. Happy I checked on here before opening the attachments!! Thank you
What if I just opened it on my Mac, marked it as not junk, didn't open the zip file, and as I realised it was dodgy put it into the trash and securely emptied it…could it have gotten into my system by any of those actions?
I have just received an email from *supposedly* DHL – rather funny! It is actually on my laptop right now although I am about to remove it. Quite interested in *playing* with it to be honest. Just to try and find out who these thieving bastards are! Hey people, no need to pay big money to ppl like me (IT consultnut) (yes – NUT), just get the right anti-virus stuff or a removal tool. Save yerself some money! Looking at the email headers just now but seriously doubt I will get anywhere!
stay safe folks!
Got this email from "DHL GLOBAL" today. Was working on my iPad so opened the email. As soon as I read the contents, i.e. tried to deliver a parcel, postal error, incorrect address, I knew it was a scam. The email stated there was an attachment, but this was not there on the opened email and no sign of the attachment. I subsequently deleted the email from inbox and then from trash. Will my iPad be okay as the only thing that was opened was the initial email, nothing else? Thanks
Many thanks; I just got an email and thought to Google first before opening the attachment and found your valuable info.
Reported as scam
Yahoo!Mail had sorted a similar “DHL” email into my spam box. When I noticed a spelling mistake, I did a quick Google search and ended up here. Thanks guys!
anyone know what the virus actually does? Is it a keylogger? Does it install other hidden programs that your malware detector won’t find and remove? Has anyone had their bank accounts raided by the criminals (allegedly in Russia) responsible? Does the virus cause harm to your system? What’s the ultimate solution (yes- we know it’s NOT clicking in the first place), meaning, what’s the procedure for people who did click the file? Is there a useful link please? Many thanks K
Bit of a strange one this – I ordered something online and that’s quite rare for me. The thing I ordered arrived on the 10th of September 2014, and on that same day I got one of these spam messages saying they couldn’t make the delivery on the 10th of September. What I’m curious to know is whether the spammers somehow knew I was going to receive a package on that day? The spam was sent by “USPS” and the deliverer of the package in real life was UPS (GROUND). As I say, I rarely order things online and this is the first such spam message I received. Is it just coincidence or did the spammers know?
My only Phish from DHL wanted only about 17 bucks. I bailed out forthwith when I clued in. HOW they DO that??
I got one from DHL, and as I was expecting one, I clicked the button and it requested my email & password. Stupidly I filled it in. I then got like a hundred strange similar emails. Now when I hit reply all, I have that DHL on the address with the detail email of my Yahoo address. What’s that?
I had never received one of these. Yesterday the dhl website said my package was awaiting delivery but they will contact me to arrange a customs payment. This morning I got the spam email from a local .edu email address.
So I've asked DHL how they knew to target me. I'm not a believer in coincidences.
unfortunately I fell for the trick and opened the attachment, I don’t have any antivirus installed, do you suggest anything I can do now to prevent further damage to my system?
Attacks like this don’t always work – malware has bugs, too 🙂 – but it’s worth scanning your computer just in case.
You don’t say which operating system you’re using, but we have free anti-virus tools for OS X, Windows and Linux…you can find them in the sidebar entitled “Free Tools” on the right of the page.
For Windows, use the Virus Removal Tool:
http://www.sophos.com/en-us/products/free-tools/virus-removal-tool.aspx
How about if I already gave my address?
Just received a similar email today and I opened it. Didn’t know such a scam existed till today. I opened it on my iPhone. Is my phone safe?
I get these nearly daily, but never open them. But for some, like me, it is always tempting, because one time I received an important parcel that was really not delivered because of some misunderstanding, but eventually I got it at the DHL office.
Dear all,
I have been waiting for my parcel for weeks, and exchanging emails with DHL officers.
I was told my package is held by the customs service, I was asked to provide my passport, and lastly I received this email today.
I am really confused, and do not trust them. Can anyone suggest whether this is a kind of fraud or spam email? Thanks in advance.
“Dear Valuable Customer,
Thanks for using DHL services,
With pleasure to inform you that clearance process over subject shipment finished and ready for payment under this declared total amount XXX USD,
Please accept two types of payment confirmation
– To send your confirmation back by email to pay in advance and collect required amount up on delivery cycle.
– To send your representative to nearest DHL office to pay amount and accordingly will deduct paying in advance fees (showed in payment request attached).
Attached file is related to payment request, WB and invoices.”
I accidentally opened this same DHL message in my Yahoo mail and every time I am sending emails, the address mnl.query at dhl dotcom is always attached to my email address..anyone who knows how to remove this.. thanks in advance
I am as we speak busy with what I think is a scam from the so called “DHL” company. This is how it started: I am moving and decided to advertise my wok on the Internet. It was not long before I received an email from a lady saying that she is interested in buying the wok, and was even prepared to add an extra €20,00. I said fine and she said she would send the money to me. A day later I receive an email from “DHL” saying that they had received the money and that they need a NEOSURF code. Being completely ignorant of how they work, I thought that if I gave them the code they would deliver the money to me and take the parcel to the lady. Not so simple: in order for me to receive the €250,00, yes €250,00, I need to buy the NEOSURF codes for €200,00, send them the codes, and someone from “DHL” would come to my house, give me an envelope with the €250,00 and take the package from me. Needless to say I told them that I would not be doing so. Since then I have been receiving threatening emails from them saying that I am committing Internet fraud and that if I do not get those codes I could land up with a €45000 fine or even 10 years imprisonment. I have told them that I will go to the police with these emails and let them investigate this matter. So far I have received no more word from them; hope it stays that way though.
Or you could download a free anti-malware service and save me the trouble of resetting your PC to factory settings every couple of weeks cause of the newest scam…
DHL SCAM IS BACK. January 19, 2018. Just received a DHL pick-up notification spam email with two attachments. This is the second one that I have received recently!
I always check the recipient address which was ‘undisclosed-recipients’ and deleted it before opening any files. BEWARE!!
A recipient address of “undisclosed-recipients” is not automatically suspicious. It’s often used when you want to BCC a message to everyone, just so there is something to put in the recipient field. Of course, there’s no reason to use BCC to send you a real notification, so this is, as you say, unusual.
But the best header to start with is the sender – you’ll often get an immediate signal that it simply couldn’t have been DHL that sent it, e.g. it’s from somewhere you’ve never heard of, or from Gmail, or something of that sort.
The presence of attachments in a DHL notification email is also automatically dodgy. After all, DHL tracks its deliveries via its website…
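The three header checks described in the reply above (sender domain, the undisclosed-recipients field, and unexpected attachments), turned into a small triage script. This is an added example, not code from the article or from Sophos; the sample message is constructed for the example, the sender hostname is made up, and the set of expected sender domains is an assumption you would adjust to the notices you actually receive.

```python
import email
from email import policy

# Constructed sample modelled on the "DHL delivery report" spam described on this page.
# The sender hostname is made up; the attachment name is the one quoted in the article.
SAMPLE_RAW = """\
From: "DHL Express" <notify@example-bulkmailer.test>
To: undisclosed-recipients:;
Subject: DHL delivery report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

We could not deliver your parcel due to an incorrect postcode.
Print the attached label and take it to your post office.
--b1
Content-Type: application/zip; name="LABEL-ID-NY19032013-GFK78.zip"
Content-Disposition: attachment; filename="LABEL-ID-NY19032013-GFK78.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

EXPECTED_SENDER_DOMAINS = {"dhl.com"}  # assumption: the domain a genuine notice would come from
RISKY_EXTENSIONS = (".zip", ".exe", ".scr", ".js")  # archive/executable types seen in this campaign

def triage_headers(raw: str) -> list[str]:
    """Return the warning signs found in a raw RFC 5322 message; empty list = none of these fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    # 1. Sender: does the From header even claim the expected domain?
    from_addr = str(msg.get("From", ""))
    domain = from_addr.rsplit("@", 1)[-1].rstrip(">").lower() if "@" in from_addr else ""
    if domain not in EXPECTED_SENDER_DOMAINS:
        findings.append(f"sender domain is {domain!r}, not an expected DHL domain")
    # 2. Recipient: 'undisclosed-recipients' means a BCC blast, odd for a personal delivery notice
    if "undisclosed-recipients" in str(msg.get("To", "")).lower():
        findings.append("recipient is undisclosed-recipients (bulk BCC)")
    # 3. Attachments: a real tracking notice points at the website rather than carrying files
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(f"attachment {name!r} has a risky extension")
        else:
            findings.append(f"unexpected attachment {name!r}")
    return findings

if __name__ == "__main__":
    for finding in triage_headers(SAMPLE_RAW):
        print("WARNING:", finding)
```

A message that passes all three checks can still be a phish, so treat an empty result as "nothing obvious" and confirm any delivery with the courier's own website or tracking number, as the reply suggests.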
I received an email saying it was from support@dhl.com notifying me that the item was not delivered due to an incorrect address and asking me to print out the sheet and take it to the nearest DHL office. The attachment was a PNG and contained a rather blurred image of an invoice. Can malware be appended to a PNG document?
Malware in a PNG is unlikely, so I wouldn’t worry too much if you have viewed the image. I suggest you simply contact DHL directly – don’t rely on any contact information in or from the email – and see if you have an incomplete delivery. If you’re expecting a delivery you should have a tracking number to report.