Another logistics company is successfully impersonated in a spam campaign

Oct 27, 2011 11:10 GMT

A spam message posing as a notification from DHL, the popular logistics group, warns recipients of an alleged shipment that is supposedly on its way to them.

MX Lab discovered the malicious campaign, which spreads with subjects such as “DHL Express Notification for shipment for 26 Oct 2011” or “Notification for shipment for 26 Oct 2011.”

To make the whole thing more convincing, the date in the subject most likely changes, and the alert appears to come from a genuine-looking spoofed address that reads something like “DHL Express International Support <[email protected]>”.

The body of the message urges the unsuspecting victim to follow a link or open an attachment:

26 Oct 11 08:15 AM – Clearance processing complete PLEASE REFER TO ATTACHED FILE FOR DETAILED INFORMATION.

Shipment status may also be obtained from our Internet site in USA under http://track.dhl-usa.com or Globally under http://www.dhl.com/track Please do not reply to this email. This is an automated application used only for sending proactive notifications

The zip file named DHL_EXPRESS_Notification_Message_NR contains an executable that is in fact a piece of malware which went undetected by many security vendors. McAfee detected it as PWS-Zbot.gen.cc and AhnLab as Win-Trojan/Obfuscated.Gen.
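As an added example (not code from the article or from MX Lab), the check below applies the indicators described above to a constructed sample message: a DHL display name on a non-DHL sender domain, the campaign's subject pattern, and an executable hidden inside a zip attachment. The sender address, the zip contents and the legitimate-domain list are placeholders and assumptions, not values from the article.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators taken from the campaign described above; the sender address is a placeholder.
SUBJECT_RE = re.compile(r"notification for shipment for \d{1,2} \w{3} \d{4}", re.I)
LEGIT_DOMAINS = ("dhl.com", "dhl-usa.com")  # assumed legitimate sender domains
EXECUTABLE_EXT = (".exe", ".scr", ".com", ".pif", ".bat")

def build_sample() -> bytes:
    """Constructed sample message mimicking the campaign (not a real capture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("DHL_EXPRESS_Notification_Message_NR.exe", b"MZ placeholder")
    msg = EmailMessage()
    msg["From"] = "DHL Express International Support <support@example.invalid>"
    msg["Subject"] = "DHL Express Notification for shipment for 26 Oct 2011"
    msg.set_content("Clearance processing complete. PLEASE REFER TO ATTACHED FILE.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="DHL_EXPRESS_Notification_Message_NR.zip")
    return msg.as_bytes()

def flag_message(raw: bytes) -> list[str]:
    """Return the names of the indicators that fire; an empty list means none did."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    name, addr = parseaddr(str(msg["From"] or ""))
    domain = addr.rpartition("@")[2].lower()
    # Display name claims DHL but the address is not a DHL domain. A matching
    # domain is not proof either (headers are spoofable); pair with SPF/DKIM.
    if "dhl" in name.lower() and not any(
            domain == d or domain.endswith("." + d) for d in LEGIT_DOMAINS):
        hits.append("brand_in_display_name_foreign_domain")
    if SUBJECT_RE.search(str(msg["Subject"] or "")):
        hits.append("campaign_subject_pattern")
    for part in msg.iter_attachments():
        if not (part.get_filename() or "").lower().endswith(".zip"):
            continue
        try:  # look inside the zip for a disguised executable
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                if any(n.lower().endswith(EXECUTABLE_EXT) for n in zf.namelist()):
                    hits.append("executable_inside_zip")
        except zipfile.BadZipFile:
            hits.append("corrupt_zip_attachment")
    return hits
```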

Unfortunately, as this sort of email is very well designed, containing all sorts of references to the company's genuine website, it is fairly difficult to recognize it as a threat.

The best thing to do in this case is to rely on your instinct and treat everything with suspicion. It's like in those fake lottery emails. If you haven't entered, why would you win? It's the same in this situation. If you're not expecting a delivery, why would you receive a notification?

Also, I would not advise anyone to click on the links that seem to point to the firm's package tracking system, as the connections may hide replicas of the legitimate pages which may require you to provide sensitive information.