UPS Scam Email with Trojan Malware: "FFF Service! Package is available for pickup!"

"United Parcel Service notification with attached zip file: United Parcel Service Documentation.zip"

Have you received an email appearing to be from "United Parcel Service (supportadmw@ups.com)", described as "United Parcel Service notification with attached zip file: United Parcel Service Documentation.zip", with an attachment and text saying "Attached to the letter mailing label contains the details of the package delivery. You have to print mailing label, and come in the United Parcel Service ( supportadmw@ups.com) office in order to receive the packages"?

It is a scam and malware. If you click to open the attached file (typically, it is a zip file), you will open a virus or other malware. One report from Mxlab.eu says the email contains the zip archive upsinvoice3325037.zip, which, once extracted, yields a Trojan, the 36 kB file UPSINVOICE.exe.

Opening the attached file can install a trojan on the user's computer. Once installed, the trojan can send information to malicious servers and may download other malware.

The scammers rely on the fact that many recipients may open the attachment out of simple curiosity or concern. You should always be very cautious of any unsolicited emails that claim that a package delivery has failed or been returned. No legitimate delivery company will send notice of a failed delivery via an unsolicited email, especially not with an attachment.


Sample Scam and Malware Email: United Parcel Service (supportadmw@ups.com)

On March 23, 2011, CFR received the following email, with the subject:

 United Parcel Service notification:

Dear customer.

The parcel was sent your home address.
And it will arrive within 7 business day.

More information and the tracking number are attached in document below.

Thank you.
© 1994-2011 United Parcel Service of America, Inc.


How to identify the scam and malware

The email is typically sent from a spoofed address, making it look like: 'United Parcel Service <ABC@ups.com>' where ABC could be any of the following:

infojs@
joiner2@
joiner22@
joisupport@ups.com
supportadm@ups.com
support@ups.com


What happens if you open the attached ZIP file?

The email contains the zip archive upsinvoice3325037.zip; once it is extracted, the 36 kB file UPSINVOICE.exe is available. The trojan is known as W32/FakeAlert.NW (F-Prot), Trojan.Win32.VBKrypt.yj (Kaspersky), Win32/Oficla.EU (NOD32), Troj/Bredo-CX (Sophos) or Trojan.Sasfis (Symantec).

The following files are created:

%Temp%\1.tmp
%System%\nnfj.tqo
%Temp%\2.tmp
%Windir%\scindl.dll


Recommendations - What to do:

  • Only open email or IM attachments that come from a trusted source and that are expected
  • Use an anti-virus/anti-spam package (we recommend Norton 360 or Norton Internet Security) to scan all attachments prior to opening.
  • Delete the messages without opening any attachments
  • Do not click on links in emails that come from people you do not know and trust, even if it looks like it comes from a company you know.
  • Keep your anti-virus software up to date
  • Keep your operating system up to date with current security patches.

And please let us know about any suspicious calls or emails you receive.  We look for patterns so that we can alert the authorities and victims to new scams, before it is too late!


For a comprehensive list of national and international agencies to report scams, see this page.