Capitalizing on the Holidays: FedEx Malware Spam

Christmas-gifts-13831Like Santa Claus and his cadre of industrious elves, spammers don’t take time off for the holidays. Unlike the jolly old elf and his posse, however, the email-happy scam artists are devious, black hearted little children who deserve giant lumps of coal. This is no truer than this time of the year, when retail sales explode, and the average gift buyer tries to stay ahead of the game by stumbling through the dizzying maze of online shopping opportunities. Online purchases require shipping, and the spammers know that, too. So it shouldn’t be surprising, even if it is disheartening, that there are dark souls out there capitalizing on the probability that their targets might have ordered something – perhaps the Clapper or Chia Pet that I clamor for every year and sadly, never get – and will become the proverbial fly to the spammer’s spider.

That’s why, in the confusing mayhem of the holiday season, anyone who uses email should be aware of the latest scam, this one in the form of a very realistic looking email that appears to come from Federal Express. Being reported by several sources, the bogus email appears to be the real thing, FedEx logo and all, with a notification that the recipient has a parcel they need to pick up, perhaps a care package from nana with her delightful plum preserves and cranberry pudding (okay, that last part was all me. So sue me. I miss my nana’s cranberry pudding).

“Dear Customer, Your parcel has arrived at the post office at December 4.Our postrider was unable to deliver the parcel to you. To receive a parcel, please, go to the nearest our office and show this postal receipt,” the email states, according to The so-called postal receipt is a clickable icon that uses a document icon to make it appear more…well, document-y. And when it’s clicked, a ‘document reader’ application launches, giving the appearance that everything is good in Chia Pet land. However, Softpedia reports, “in the background, the malicious element injects code into svchost.exe and contacts its remote command and control server in an attempt to download the payload.”

Chris Boyd over at GFI Labs notes that some browsers will pick up the dirty little piece of code and give you the option to block its download, but also that the resulting file may still end up on your system as a Word Document file pretending to be a zip file. “Opening the “Word document” (which is actually just an executable file in disguise) will infect your PC with a little something we detect as Trojan.Win32.Generic.pak!cobra,” Chris tells us. “Before you know it, your Trojan chum will delete the original file, create hidden files and make network connections…generally not typical behaviour where a postal receipt is concerned (unless you live in the Eighth Circle of Hell).”

Firmly convinced that the real estate costs are artificially inflated and that the neighborhood is overly pretentious, I personally do not live in the Eighth Circle of Hell, but I get Chris’ point. Do not click this link, ever. Boyd points out that GFI research has linked this type of infection to ransomware, so getting nailed by this email may turn your PC into a package that no amount of ripping and tearing will open. “These infection files have been linked to Ransomware, in this case something called “Wheelsof” and you may well find yourself locked out of your PC if unfortunate enough to fall for this one.”

It’s pretty clear that spammers, no matter how slippery they might be, are still just about as stupid as the people they hope to trick. Maybe stupider. In an ROTFLMAO moment, Chris points out that the email message appears to come from “UPS Office” but closes with “The FedEx Team.” (you can read the full text of the email on the GFI Labs blog) As Forrest Gump’s mother used to say, “stupid is as stupid does,” and Boyd gives the spammers an F for flumped. “A lot of these fake delivery notices are pretty convincing, but hopefully the peculiar mashup of FedEx and UPS is the kind of tip-off that’s up there with Pippin lighting the Warning Beacons of Gondor.”

Lord of the Rings reference aside, this is a dangerous email. It should also be noted that shipping company spam messages aren’t unusual. In fact, a quick Google search shows that spams pretending to be FedEx shipping notices are quite common, giving us comfort in the knowledge that spammers are douchebags all year long.

Leave a Reply