Masquerade as failed delivery notifications

Jul 7, 2010 14:48 GMT  ·  By

Security researchers from antivirus vendor Avira warn that a new spam campaign masquerades as DHL delivery notifications. The fake emails carry a new trojan variant hidden in their attachments.

The messages have their "From" field spoofed to appear to originate from a DHL email address. The subject is "DHL Tracking Number ########" (where each # stands for a random letter or digit) and, unlike most spam, the content of these emails is relatively well spelled.

"Hello! The courier company was not able to deliver your parcel by your address. You may pickup the parcel at our post office personaly. The shipping label is attached to this email. Please print this label to get this package at our post office. Thank you for your attention," the emails, signed by DHL Delivery Services, read.

The attached archives are called DHL_INVOICE23.zip and contain a trojan installer. "The file in the ZIP archive uses a double file extension in the form of DHL_INVOICE_23.xls______________<plenty of underscores>______.exe," the Avira researchers explain. This naming scheme, together with the file's Excel document icon, is meant to deceive users into believing that they are opening a document.

The series of underscores pushes the .exe extension out of view when the archive is opened in an unpacking program. The .exe part is not visible in Windows Explorer either, since file extensions are hidden by default. "The malware is a variant of the Trojan family Oficla," Thomas Wegele, virus researcher at Avira, writes.
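As an added illustration of the naming trick described above (this is not code from the article or from Avira), the following Python scanner flags archive members whose final extension is executable and that also carry a decoy document extension or a long run of padding before the real extension. The sample archive, its member names and the padding threshold are constructed assumptions.

```python
import io
import re
import zipfile

# Extensions Windows executes on open, and document types commonly used as decoys.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js"}
DECOY_EXTS = {"xls", "doc", "pdf", "txt", "jpg", "rtf"}

# Decoy extension, optional space/underscore padding, then the real (final) extension.
DECOY_RE = re.compile(r"\.([A-Za-z0-9]{2,4})[ _]*\.[A-Za-z0-9]{2,4}$")
# Run of spaces/underscores immediately before the final extension.
PADDING_RE = re.compile(r"([ _]+)\.[A-Za-z0-9]{2,4}$")


def classify_name(name: str) -> dict:
    """Verdict for one archive member name: an executable hidden behind a decoy
    document extension and/or padding that pushes the real extension out of view."""
    base = name.rsplit("/", 1)[-1]             # drop any directory part
    stem, _, ext = base.rpartition(".")
    real_ext = ext.lower() if stem else ""      # no dot -> no extension
    decoy_m = DECOY_RE.search(base)
    pad_m = PADDING_RE.search(base)
    decoy = decoy_m.group(1).lower() if decoy_m else None
    padding = len(pad_m.group(1)) if pad_m else 0
    return {
        "name": base,
        "shown_in_explorer": stem if stem else base,   # what a user sees with extensions hidden
        "executable": real_ext in EXECUTABLE_EXTS,
        "decoy_extension": decoy if decoy in DECOY_EXTS else None,
        "padding_length": padding,
        # threshold of 8 padding characters is an assumption, tune to taste
        "suspicious": real_ext in EXECUTABLE_EXTS and (decoy in DECOY_EXTS or padding >= 8),
    }


def scan_zip(data: bytes) -> list:
    """Return verdicts for every member of a ZIP archive (given as bytes) that looks deceptive."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [v for v in map(classify_name, zf.namelist()) if v["suspicious"]]


def build_sample_zip() -> bytes:
    """Constructed sample mimicking the article's naming scheme; the 'payload' is inert text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("DHL_INVOICE_23.xls" + "_" * 40 + ".exe", b"inert placeholder, not a program")
        zf.writestr("shipping_label.txt", b"benign text")
    return buf.getvalue()


if __name__ == "__main__":
    for verdict in scan_zip(build_sample_zip()):
        print(verdict)
```

The same check can be run over mail-gateway attachment names before the archive is ever extracted on a workstation.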

The failed DHL delivery notification seems to be a recurring theme in malware-pushing spam. More than a year ago an almost identical campaign was used to spread a variant of the infamous Zbot banking trojan.

Unfortunately, these scams still work and can have serious consequences. At the end of June we reported a case in which fraudsters managed to steal $465,000 from the bank account of a Californian escrow firm after its owner opened the attachment of a fake failed-delivery email.

[Images: DHL failed delivery theme used by spammers again; Fake DHL email sample]