Malware Alert: Trojan Attack Posing As UPS Delivery Problem, Rise in Infected Emails, SMSME Failure


Have you received an e-mail about a package delivered to your home. Or about to be delivered? Does the e-mail have an attachment? BEWARE!

UPS rarely sends emails with attachments. But there is an email that is hitting people’s inbox that even has an email address that looks like it was sent from UPS ([email protected]).

Screen shot of malware email spoofed to appear it was sent by UPS on March 24, 2011.

Often the sentence structure of the emails are poorly constructed. For example …

“The parcel was sent your address.”

If the email recipient/victim clicks the link to download the attachment, a piece of software known as malware or more specifically a Trojan is actually installed by the victim when the victim clicks on the attachment. The attachment is often compressed with a “.zip” suffix. When the attachment expands, which can be automatic as soon as the victim downloads the .zip attachment, the file often displays the ‘.exe’ suffix. That’s a bad sign, because .exe means a program was downloaded, and usually the programs are designed to do bad things to your computer.

The malware program installs a downloading program that fetches and installs at least two more files on your system. The offending sofware may disable your firewall, search and steal credit card account and bank account details, install a keylogger that attempts to catch your passwords as they are typed, cause ad affiliates to pop up on your screen, make screen snapshots, cause your email client to send spam to all your friends and associates, and allow hackers continued access to your machine.

To date no offending software has been reported attacking the Apple Mac operating system. If a Mac user clicks on the attachment, the .exe file sits harmlessly on the Mac hard drive because .exe programs are not ‘executed’ on the Mac operating system.

So far, there seem to be variations of the offending spammed email — most looking like a genuine notification from UPS, U.S. Customs or the United States Post Office.

The first variant informs you the parcel service tried, but was unable to deliver a package to you due to their having an incorrect address. The subject heading usually has a phony tracking number. The attachment poses as a copy of a waybill or invoice for you to print and use to collect the parcel from a UPS office.

The second variant is a customs notification and may even appear to come from “US Customs Service” rather than UPS. It says you have an international package (usually from France) and that you need to complete the attached customs form so it can be delivered.

There are reports of people who have printed notices and brought them to the United State Post Office, only to find they have no package waiting for them at the post office.

UPS has issued a warnings to customers, advising not to click the attachment. The firm also points out that although it sometimes does send out email notifications, it rarely uses attachments. You can read the entire message from UPS on their site.

Similarly, US Customs reports it normally contacts people by letter rather than email.

Updated anti-virus and security programs are supposed to be alert to the scam and block it, but people who don’t update their security definitions will still be attacked. Also some reports have noted that the emails are not being detected by SMSME (Symantec Mail Security for Microsoft Exchange) with up-to-date definitions as the emails arrived. Background scans are catching the offenders, but not in real time as the email arrives.

If you do get the email, delete it. Don’t click on the attachment. It shouldn’t harm your computer, provided you don’t click the attachment.

The incidents of offending attachment attacks emphasize the risk of clicking on any attached file, even if it appears to come from a person or organization you trust.

If a friend sends you an email with an attachment, you might want to reply and make sure they sent the email before you open it. The malware can automatically send attachments to every person in the address book of the infected computer.

Most times people won’t fall for the trap, but in cases where someone might have just done business with UPS or are expecting a package anyway, they might not be as cautious, or might act more on impulse and just click the attachment.

If your machine does become infected, disable system restore, boot your computer into safe mode, update your virus definitions and then run a full system scan. Or get help from a qualified computer consultant.

Recently there has also been a surge in rogue emails from friends and associates who apparently have been affected. Sometimes the offending email might have a hostile link instead of a hostile attachment.

Here’s a good example of rogue email designed to attack with an email link … an email victim received an email from a bride that had sent invitations out two years prior. Then last week, long after the wedding, with no email communication in between the two-year period, an email arrives with nothing but a link to a website with a .pn suffix — that’s the Pitcairn Islands in the southern Pacific Ocean (about 3,000 miles southeast of Hawaii, and 4,000 miles west of Chile). It’s not a good idea to click that link because it could be setup to download malware.

View Larger Map

See also …
Symantec Auto-Protect not catching trojan-infected zip’s is an Amazon Associate website, which means that a small percentage of your purchases gets paid to at no extra cost to you. When you use the search boxes above, any Amazon banner ad, or any product associated with an Amazon banner on this website, you help pay expenses related to maintaining and creating new services and ideas for a resourceful website. See more info at

1 Comment

  1. I just got that a couple days ago lol. I was expecting a package, but not from UPS. Also United Parcel Service “of America Inc” gave it away.

Comments are closed.