A DHL delivery which is nothing but malware - Windows users warned of email attack


Just earlier this week, I warned about a malware attack that had been widely spammed out posing as a message from DHL Express International.

The trick, which is an old one, goes like this.

Cybercriminals spam out an email, with forged header information, tricking you into believing that it is from a shipping company like DHL or FedEx.

The email tells you that they tried to deliver a package to you, but failed for some reason. Sometimes the emails claim to be notifications of a shipment you have made.

Either way, you can't resist being curious as to what the email is referring to - and open the attached file (or click on a link embedded inside the email).

And with that, your computer is infected and under the control of malicious hackers who have just planted a Trojan horse on your computer.

As attacks go, it's pretty unsophisticated. But the fact that we see attacks using this formula virtually every day indicates that it's a ruse that works well for the online criminals, and continues to help them make money.

I must admit that sometimes it's pretty depressing working in the computer security industry, when you see people fall for the same trick time and time again.

Here's the latest example, an email with the subject line "DHL delivery report":

Malicious DHL email

The social engineering is simple, but it works. The email tricks you into believing that there is a parcel waiting to be shipped to you, but an incorrect postcode has messed the delivery up.

What does the email suggest you do? Print off the label (helpfully attached), and take it to your post office. But you best hurry! Because the email claims that they will begin to charge you if you dawdle too long.

It's no wonder then that some folks will all too quickly open the attached file (called LABEL-ID-NY19032013-GFK78.zip in this case) and, as a result, infect their Windows computer with the Troj/Bredo-AGB Trojan horse.

Of course, this isn't really DHL or FedEx's fault. Their company name is being abused by the criminals and their brand image tarnished through association with such attacks.

Maybe you're well-read about malware threats and would never fall for an attack like this. But can you say the same for your aunty, your father-in-law, your friends?

Do your bit to make the internet a safer place by helping raise awareness of security threats with your friends and family. Maybe even suggest they read Naked Security or follow us on Facebook if you think that will help.

Stay safe out there.


30 Responses to A DHL delivery which is nothing but malware - Windows users warned of email attack

  1. David · 932 days ago

    It was recommended I contact you with my question - I am a Facebook user and there is presently an impersonator that has established an account (misspelled last name) with my picture attempting to become friends...With all of Facebook's technology, I cannot do anything (at least that I can find online) because evidently I have been blocked by the "new" account. What can I do, or is there a way to actually talk with someone at Facebook. Thanks!

  2. Afshin · 932 days ago

    This is an old malware! I received many of these emails 4-5 months ago...

  3. Dennis · 931 days ago

    Get loads of these for FedEx, none as yet for DHL. I simply just delete them. If I had a parcel coming from anyone I would check directly with them.

  4. Ted Treen · 931 days ago

    Receiving these "from" DHL, FedEx, UPS and even the US Post Office, although they're somewhat unlikely to be delivering to Staffordshire in the UK.

  5. Nigel · 931 days ago

    Here's a naive question from someone who knows next to nothing about this sort of thing:

    Why can't someone design an email application (or, alternatively, a browser...for those who use webmail) that won't let such nasties install themselves on a computer, even though the user might be clueless enough to click on links in the unsolicited messages that carry them?

    Of course, another solution is simply to run Sophos AV with on-access scanning (which I do)...but then, I don't click on such malicious links in the first place.

    Anyhow, it seems to me that, if developers actually care about security, they ought to be addressing this at the email client (or browser) application level to provide a kind of first line of defense against such invasions. Probably easier said than done, but I'm still curious why no one seems to be addressing the problem...or am I mistaken?

    • Todd · 816 days ago

      Try an iPad. My mom just ran into this, and she loves it.

  6. Linda · 896 days ago

    I received a FedEx email informing me of my shipment in February (AND YES I WAS EXPECTING ONE)...opened it and it cost me £70 to sort the computer out...Have just received one from DHL...I expect you have already guessed that I delete it straight away even though I am expecting another shipment...beware it will cost you money as well as your details...

  7. Ryan · 896 days ago

    I actually opened one of them, which was in the spam (but didn't click on the links but looked at the WOT scorecard) :S

    I didn't see any attachments for the most part. But would clicking to open the email and nothing else cause me to get a virus?

  8. ken · 880 days ago

    If I opened the email and clicked on the tracking link, what problems can I expect? I use a Mac.

    • Paul Ducklin · 878 days ago

      In this case, to get infected, you'd need to:

      * Click the link.
      * Open up the ZIP file (which is malware)
      * Be running Windows
      * Miss the malware with your anti-virus/other security software

      So in your case, you should be OK.

      Running a Mac doesn't reduce your risk *by design*, but it does reduce it by what you might call "market forces" - the crooks go after Mac users much less frequently because they're a minority of the market and (sadly/happily depending on whether you are a Windows/Mac user :-) the crooks are making enough money focusing on Windows.

      My advice, therefore, on what to do about clicking on the link is, "Don't do that again."

  9. krystal · 863 days ago

    What if I clicked on it but didn't continue to open the file (the message to open or save to the computer, and I closed it), should I be OK?

  10. undrgrndgirl · 817 days ago

    why don't these companies actually go after the fraudsters...gawd knows they would for any other type of brand infringement...why doesn't dhl have a dedicated email address for us to forward them to? i'm getting one a day again.

  11. Tina · 816 days ago

    Just got one from DHL yesterday. This site really helped me figure out what was going on

  12. Iris · 812 days ago

    I just got the email. I clicked on the link (Because, yes, I am expecting a package!) and it said server not found. I opened it on my iphone. Should I worry?

  13. Concerned · 804 days ago

    What if I open a DHL email on my iPad but the browser came up with a 404 not found page? Am I OK? Because now I am not able to send any emails from my Hotmail account on my iPad, even after deleting and re-adding my account?

  14. angelo · 793 days ago

    well how do you get it off your computer? I performed a Restore and that seemed to get rid of it ... and then I found it in my Program Data folder and deleted it and emptied my trash ..... Did I do that correctly ?? It is one thing to send out the alarm of a virus it is another to explain how to get rid of it. Please reply. Warm Regards Angelo

  15. GGS · 769 days ago

    I have had several DHL Notifications.
    The first one I opened and my computer was immediately infected with Trojan virus.
    Took some time to get rid of it. Nasty little thing!
    Just got another today.
    DHL Inc. notify XA00AMJR4E
    It is very difficult to suss these out especially if you're expecting stuff to be delivered.

  16. donnaanderson1991 · 768 days ago

    I received this email knew it sounded strange, thanks for the article.

  17. sharon · 764 days ago

    Received 2 today - one from UPS Shipping service and one from DHL.... Just ordered something this morning on line and got a bit worried it was that. Happy I checked on here before opening the attachments!! Thank you

  18. rick · 764 days ago

    What if I just opened it on my Mac, marked as not junk, didn't open the zip file, as realised it was dodgy, put it into trash and securely emptied it...could have gotten in to my system by any of those actions?

  19. stef · 747 days ago

    I have just received an email from *supposedly* DHL - rather funny! It is actually on my laptop right now although I am about to remove it. Quite interested in *playing* with it to be honest, just to try and find out who these thieving bastards are! Hey people, no need to pay big money to ppl like me (IT consultnut) (yes - NUT), just get the right anti virus stuff or a removal tool. Save yer self some money! Looking at the email headers just now but seriously doubt I will get anywhere!
    Stay safe folks!

  20. Lisa S · 745 days ago

    Got this email from "DHL GLOBAL" today. Was working on my iPad so opened the email. As soon as I read the contents ie tried to deliver a parcel, postal error incorrect knew it was a scam. The email stated there was an attachment, but this was not there on the opened email and no sign of the attachment. I subsequently deleted the email from inbox and then from trash. Will my iPad be okay as the only thing that was opened was the initial email nothing else? Thanks

  21. logan · 742 days ago

    Many thanks; I just got an email and thought to google first before opening the attachment and found your valuable info.
    Reported as scam

  22. Leonardo · 517 days ago

    Yahoo!Mail had sorted a similar "DHL" email into my spam box. When I noticed a spelling mistake, I did a quick Google search and ended up here. Thanks guys!

  23. Kelvin Stobie · 485 days ago

    anyone know what the virus actually does? Is it a keylogger? Does it install other hidden programs that your malware detector won't find and remove? Has anyone had their bank accounts raided by the criminals (allegedly in Russia) responsible? Does the virus cause harm to your system? What's the ultimate solution (yes- we know it's NOT clicking in the first place), meaning, what's the procedure for people who did click the file? Is there a useful link please? Many thanks K

  24. Alex One · 390 days ago

    Bit of a strange one this - I ordered something online and that's quite rare for me. The thing I ordered arrived on the 10th of September 2014, and on that same day I got one of these spam messages saying they couldn't make the delivery on the 10th of September. What I'm curious to know is whether the spammers somehow knew I was going to receive a package on that day? The spam was sent by "USPS" and the deliverer of the package in real life was UPS (GROUND). As I say, I rarely order things online and this is the first such spam message I received. Is it just coincidence or did the spammers know?

  25. Wayne Harvey · 113 days ago

    My only Phish from DHL wanted only about 17 bucks. I bailed out forthwith when I clued in. HOW they DO that??

  26. Rush · 109 days ago

    I got one from DHL, and as I was expecting, I clicked the button and it requested my email & password. Stupid, I filled it. I then got like a hundred strange similar emails. Now when I hit reply all, I have that DHL on the address with detail email of my Yahoo address. What's that?

  27. Tbarry · 93 days ago

    I had never received one of these. Yesterday the DHL website said my package was awaiting delivery but they will contact me to arrange a customs payment. This morning I got the spam email from a local .edu email address.
    So I've asked DHL, how did they know to target me. I'm not a believer in coincidences.

About the author

Graham Cluley runs his own award-winning computer security blog at https://grahamcluley.com, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley