Mar 10, 2011 16:22 GMT

Security researchers warn about a new wave of fake DHL email notifications that try to trick people into installing the SpyEye banking trojan on their computers.

The rogue emails bear a subject of "DHL Noticifaction" [sic.] and have forged headers to appear as originating from a [email protected] email address.

The body message tells recipients to expect a parcel in seven days and instructs them to read more information in the attached document.

"Dear customer. The parcel was send your home address. And it will arrice [sic.] within 7 bussness [sic.] day. More information and the tracking number are attached in document below. Thank you," it reads.

The attachment is called DHL_Document.zip and contains an executable with the same name. There appear to be two different pieces of malware being distributed by this campaign.

One is almost certainly a trojan dropper, but according to a VirusTotal scan, detection is all over the place. Some antivirus programs detect it as Oficla, others as a backdoor called Bifrose, and a few as the Zbot banking trojan.

The other malware being distributed is a variant of SpyEye, the notorious banking trojan believed to be slowly replacing ZeuS as the most popular cyber fraud tool.

At the time of writing this article, signature-based detection for both trojans is decent, but this could rapidly change if the attackers change the packing obfuscation.

Distributing malware as attachments to fake email notifications from DHL, UPS or other courier services is a technique constantly being reused by hackers.

This suggests that despite all awareness-raising efforts, there are still enough people who fall for this trick, which makes it viable for cyber criminals to keep using it.

Users should exercise increased caution when dealing with emails that contain attachments, even if they appear to originate from a trusted source. Services like VirusTotal can be very helpful in determining whether a file is malicious, but they are not 100% accurate.